
Re: Access auth granularity?



On Mon, 9 May 2016 11:00:38 +0200,
Dora Paula <deepee@gmx.net> wrote:

> I searched for security in slapd.access(5) [1] and just found:
> 
> "The statements ssf=<n>, transport_ssf=<n>, tls_ssf=<n>, and 
> sasl_ssf=<n> set the minimum required Security Strength Factor (ssf)
> needed to grant access."
> 
> 
> In regard to "security" slapd.conf(5) [2] states:
> 
> "security <factors>
> ... The directive may be specified globally and/or per-database."
> 
> Thus I don't see how this applies to my goal.
> 
> 
> The following statement/example is taken from the current admin guide
> [3]:
> 
> access to dn="cn=example,cn=edu"
> 	by * ssf=256 read
> 
> Thus I tested, just for fun:
> access to dn="ou=usersa,dc=example,dc=com"
> 	by * sasl_ssf=1 auth
> 
> Without success - which seems clear to me, because there is no 
> sasl-layer known during an initial bind. So, if I'm wrong, could you 
> please be so kind and go into more detail here?
> 
> Thank you very much.
[...]

Any password transport should be protected by some means of transport
security, that is, either SASL DIGEST-MD5 or TLS.

security ssf=1

access to dn.sub=ou=userA,dc=example,dc=com
 by * sasl_ssf=128 read

access to dn.sub=ou=userB,dc=example,dc=com
 by * ssf=56 read

or alternatively

 by transport_ssf=56 read

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
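To make the behaviour discussed above concrete, here is a small added model (not OpenLDAP code, and not part of this thread) of how the ssf, transport_ssf, tls_ssf and sasl_ssf conditions in a slapd.access(5) "by" clause gate access. It only models the SSF part of clause matching and the fact that a clause whose conditions fail is skipped, so evaluation falls through to the next clause or the implicit "by * none". The connection states are constructed sample values: a plain simple bind carries no protection at all, STARTTLS raises tls_ssf (and therefore the overall ssf), a SASL mechanism with a negotiated security layer raises sasl_ssf, and an ldapi:// session gets transport_ssf from localSSF (slapd.conf(5) documents 71 as its default). Running it shows why "by * sasl_ssf=1 auth" cannot grant anything to a simple bind, even over TLS, while "by * ssf=56 read" is satisfied by either kind of protection.

```python
"""Toy model of the SSF conditions in slapd.access(5) "by" clauses.

Added illustration, not OpenLDAP's own code.  A "by ... <factor>=<n>" clause
matches only when the connection's corresponding factor is at least <n>;
a clause that does not match is skipped and evaluation continues, ending
in the implicit "by * none".  All connection values below are constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    """Strength factors slapd tracks for one client connection.

    transport_ssf: protection of the underlying transport, e.g. the localSSF
                   value (default 71) given to ldapi:// sessions; 0 for TCP
    tls_ssf:       strength of the negotiated TLS cipher, 0 without TLS
    sasl_ssf:      strength of a SASL security layer, 0 after a simple bind
    """
    transport_ssf: int = 0
    tls_ssf: int = 0
    sasl_ssf: int = 0

    @property
    def ssf(self) -> int:
        """Overall SSF: the strongest protection currently in effect."""
        return max(self.transport_ssf, self.tls_ssf, self.sasl_ssf)


@dataclass(frozen=True)
class By:
    """One 'by <who> <access>' clause, reduced to its SSF conditions."""
    access: str
    ssf: int = 0
    transport_ssf: int = 0
    tls_ssf: int = 0
    sasl_ssf: int = 0

    def matches(self, conn: Connection) -> bool:
        # Every stated minimum must be met; an unstated one is 0 and passes.
        return (conn.ssf >= self.ssf
                and conn.transport_ssf >= self.transport_ssf
                and conn.tls_ssf >= self.tls_ssf
                and conn.sasl_ssf >= self.sasl_ssf)


def evaluate(clauses, conn: Connection) -> str:
    """Access granted by the first matching clause, else 'none'
    (the implicit 'by * none' closing every access directive)."""
    for clause in clauses:
        if clause.matches(conn):
            return clause.access
    return "none"


# Constructed connection states.
PLAIN_SIMPLE_BIND = Connection()                 # ldap://, no TLS, simple bind
STARTTLS_SIMPLE_BIND = Connection(tls_ssf=256)   # ldap:// + STARTTLS, 256-bit cipher
DIGEST_MD5_PRIVACY = Connection(sasl_ssf=128)    # SASL DIGEST-MD5 with a security layer
LDAPI_LOCAL = Connection(transport_ssf=71)       # ldapi://, default localSSF

# The clauses from the thread, reduced to their SSF conditions.
ACL_SASL_ONLY_AUTH = [By("auth", sasl_ssf=1)]          # by * sasl_ssf=1 auth
ACL_SASL_128_READ = [By("read", sasl_ssf=128)]         # by * sasl_ssf=128 read
ACL_SSF_56_READ = [By("read", ssf=56)]                 # by * ssf=56 read
ACL_TRANSPORT_56_READ = [By("read", transport_ssf=56)]  # by transport_ssf=56 read


if __name__ == "__main__":
    acls = [("sasl_ssf=1 auth", ACL_SASL_ONLY_AUTH),
            ("sasl_ssf=128 read", ACL_SASL_128_READ),
            ("ssf=56 read", ACL_SSF_56_READ),
            ("transport_ssf=56 read", ACL_TRANSPORT_56_READ)]
    conns = [("plain simple bind", PLAIN_SIMPLE_BIND),
             ("STARTTLS simple bind", STARTTLS_SIMPLE_BIND),
             ("DIGEST-MD5 + layer", DIGEST_MD5_PRIVACY),
             ("ldapi:// local", LDAPI_LOCAL)]
    for acl_name, acl in acls:
        for conn_name, conn in conns:
            print(f"by * {acl_name:22} {conn_name:22} -> {evaluate(acl, conn)}")
```

The model deliberately leaves out subject matching (dn=, users, group=, ...), the interaction between multiple access directives and the stop/continue/break controls; it is only meant to show which protection each factor keyword actually measures.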