RE: How enforce TLS connection to openldap server only?
Nope, olcSecurity didn't help. Still have the problem. I restarted slapd.
Please see below:
dn: olcDatabase={1}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=example,dc=com
olcSecurity: simple_bind=128
olcSecurity: ssf=128
olcSecurity: tls=1
olcAccess: {0}to attrs=userPassword by tls_ssf=128 ssf=128 dn="cn=admin,dc=example,dc=com" write by tls_ssf=128 ssf=128 anonymous auth by tls_ssf=128 ssf=128 self write by * none
olcAccess: {1}to attrs=shadowLastChange by tls_ssf=128 ssf=128 self write by tls_ssf=128 ssf=128 * read
olcAccess: {2}to dn.base="" by tls_ssf=128 ssf=128 * read
olcAccess: {3}to * by tls_ssf=128 ssf=128 dn="cn=admin,dc=example,dc=com" write by tls_ssf=128 ssf=128 * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW:: c2VjcmV0
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcDbIndex: uidNumber eq
olcDbIndex: uid eq,pres,sub
structuralObjectClass: olcHdbConfig
entryUUID: a1f57758-96d0-1031-93fd-1108a4f5996c
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20120919180734Z
entryCSN: 20120919181117.233986Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20120919181117Z
Thanks a lot!
Yan
-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Thursday, September 20, 2012 7:50 AM
To: Quanah Gibson-Mount
Cc: Yan Gong; openldap-technical@openldap.org
Subject: Re: How enforce TLS connection to openldap server only?
Quanah Gibson-Mount wrote:
>> Should I use olcAccess or olcSecurity? or both? I couldn't find any
>> detailed steps/documentation
>
> olcSecurity would enforce encryption for any and all connections.
> Note that you have to restart slapd for it to take effect.
Eh, no. olcSecurity changes take effect immediately. No restart needed.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
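Added example, not part of the thread and not OpenLDAP project code: the cn=config change that makes slapd require a minimum security strength factor, written as one olcSecurity value carrying all factors in the slapd.conf "security" syntax, followed by a client-side check that a plaintext simple bind is now answered with resultCode 13 (confidentialityRequired) while the same bind over StartTLS succeeds. The database entry name olcDatabase={1}hdb,cn=config, the host ldap.example.com, the bind DN and the password file path are assumptions for the example; the two sample ldapwhoami outputs used offline are constructed, not captured from a server.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: cn=config is writable over
# ldapi:// as root via SASL EXTERNAL, the data database is
# olcDatabase={1}hdb,cn=config, and the server is ldap.example.com.

# Emit an LDIF modify that sets olcSecurity on ENTRY_DN to a single value with
# all factors, as in the slapd.conf "security" directive. ssf= is the minimum
# overall SSF for any operation; simple_bind= is the minimum SSF that must be in
# place before a simple (password) bind is accepted.
ldif_enforce_tls() {
    entry_dn=$1
    ssf=$2
    printf 'dn: %s\nchangetype: modify\nreplace: olcSecurity\nolcSecurity: ssf=%s simple_bind=%s\n' \
        "$entry_dn" "$ssf" "$ssf"
}

# Classify one ldapwhoami result. An operation that arrives below the required
# SSF is answered with resultCode 13, which the client prints as
# "Confidentiality required (13)"; a successful whoami prints "dn:<authzDN>".
classify_bind_result() {
    case $1 in
        *"Confidentiality required (13)"*) echo blocked ;;
        dn:*)                                echo ok ;;
        *)                                   echo other ;;
    esac
}

# Live probe (only when RUN_LIVE=1): the same bind twice, plaintext first, then
# with -ZZ, which makes ldapwhoami abort if StartTLS cannot be negotiated.
probe_server() {
    host=$1; bind_dn=$2; pwfile=$3
    plain=$(ldapwhoami -x -H "ldap://$host" -D "$bind_dn" -y "$pwfile" 2>&1) || true
    tls=$(ldapwhoami -x -ZZ -H "ldap://$host" -D "$bind_dn" -y "$pwfile" 2>&1) || true
    printf 'plaintext bind: %s\nstarttls bind:  %s\n' \
        "$(classify_bind_result "$plain")" "$(classify_bind_result "$tls")"
}

# 1. The change to apply (takes effect immediately, no restart), e.g.:
#    ldif_enforce_tls 'olcDatabase={1}hdb,cn=config' 128 | ldapmodify -Y EXTERNAL -H ldapi:///
ldif_enforce_tls 'olcDatabase={1}hdb,cn=config' 128

# 2. Offline demonstration of the classifier on constructed sample outputs
#    (made up for this example, not captured from a server).
SAMPLE_PLAIN='ldap_bind: Confidentiality required (13)'
SAMPLE_TLS='dn:cn=admin,dc=example,dc=com'
printf 'plaintext bind: %s\nstarttls bind:  %s\n' \
    "$(classify_bind_result "$SAMPLE_PLAIN")" "$(classify_bind_result "$SAMPLE_TLS")"

# 3. Against a real server (assumed host, bind DN and password file):
if [ "${RUN_LIVE:-0}" = 1 ]; then
    probe_server ldap.example.com cn=admin,dc=example,dc=com /root/ldap-admin.pw
fi
```

Two caveats when checking the result. olcSecurity restricts operations, not connections: a plaintext TCP connection is still accepted, and only the bind or search on it fails with resultCode 13, so "I can still connect on port 389" is not evidence that the setting is ignored. And the SSF compared against ssf=128 is the one slapd assigns to the session: for TLS it is the negotiated cipher's key strength, while for ldapi:// sessions it is olcLocalSSF (default 71), so a test over ldapi:// is refused too, and setting olcSecurity globally on cn=config rather than on the data database would lock the administrator out of cn=config over ldapi://. Unlike the tls_ssf=128 conditions in the posted olcAccess rules, which the rootdn bypasses because the rootdn is not subject to access control, olcSecurity applies to the rootdn as well.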