Re: ssf settings on server restart



On Dec 1, 2010, at 14:51 , Aaron Richton wrote:

> Maybe trace out where you start and where you're going:
> 
> * stop slapd, check with slapcat -n 0 what your initial ssf= value is

As I expect: olcSecurity: ssf=0 tls=0 simple_bind=0 update_ssf=0

> 
> * start slapd and check with ldapsearch that that ssf= value actually is 
> present in cn=config
> 
As I expect: olcSecurity: ssf=0 tls=0 simple_bind=0 update_ssf=0

> * verify that you're getting behavior that matches what cn=config says

Now I'm getting Confidentiality required (13) for all binds, also for the
excluded IPs in the ACL.
That is not as it should be.

> 
> * do your ldapmodify to ssf=1, ldapsearch cn=config to verify, verify 
> behavior

OK, now it's:
olcSecurity: ssf=1 tls=0 simple_bind=0 update_ssf=0
Now it's obvious that only encrypted binds are allowed.


> 
> * do your ldapmodify to ssf=0, ldapsearch cn=config to verify, verify 
> behavior
> 

olcSecurity: ssf=0 tls=0 simple_bind=0 update_ssf=0
And now the excluded IPs can use unencrypted simple binds, and for all
others encryption is required. As it should be.

> 
> Which of these work as expected? Which don't?
