Robert Henjes henjes@informatik.uni-wuerzburg.de writes:
Sorry for reopening / reasking the following issue.
[...]
# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
access to attrs=userPassword,shadowLastChange
        by peername.ip=127.0.0.1 write
        by ssf=128 dn="cn=admin,dc=example,dc=com" write
        by ssf=128 anonymous auth
        by ssf=128 self write
        by * none
[...]
# The admin dn has full write access, everyone else
# can read everything.
access to *
        by dn="cn=admin,dc=example,dc=com" write
        by * read
Questions:
- Turning off the option "ssl tls=1" means a client can contact the server without encryption. If a password is transmitted, it will be rejected, but it is still transmitted insecurely.
Do you have any recommendations regarding this issue? Possible solution: the server only responds to unencrypted requests on the local interface. How can I achieve this?
Use a local socket instead of an inet socket.
- With the above presented solution, I cannot change my own password as the desired user (Invalid credentials (49)), only as admin (root). Why?
Probably because of ssf, as you only do a simple bind and not a strong bind, as required by your ssf.
- What would be the appropriate way to achieve my goal?
- Locking the dc=example,dc=com base from all unencrypted access from "worldwide" hosts. (admin should still have full access, but encryption has to be enforced)
Run slapd on secure ports only, something like:
slapd -h "ldapi:/// ldap://127.0.0.1/ ldaps://192.168.0.1/"
[...]
-Dieter
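The following slapd.conf fragment is an added example (not configuration from the thread or from the OpenLDAP project) that combines the two answers above: slapd listens only on the local ldapi:// socket and a TLS port, the local socket is given a high enough SSF that it satisfies the same ssf=128 checks as a TLS session, and simple binds are refused on any weaker session. This is what lets the entry owner change its own password over ldapi:// or ldaps:// while the same bind fails over plain ldap://. The certificate paths, the 192.168.0.1 listener address taken from Dieter's reply, and the choice of 128 for localSSF are assumptions.

```conf
# Added example; certificate paths are placeholders.
TLSCACertificateFile    /etc/ldap/ssl/ca.pem
TLSCertificateFile      /etc/ldap/ssl/server.pem
TLSCertificateKeyFile   /etc/ldap/ssl/server.key

# Sessions on the ldapi:// UNIX-domain socket get this SSF (default 71).
# Assumption: 128 is chosen so the local socket passes the ssf=128 clauses
# below, exactly like a TLS session does.
localSSF 128

# Refuse simple binds (password carried in the BIND request) on any session
# whose SSF is below 128, i.e. plain ldap:// without StartTLS. The server
# answers confidentialityRequired instead of evaluating the password; the
# client has still sent it, which is why the listener list at the bottom
# does not expose plain ldap:// on a routable address at all.
security simple_bind=128

# Passwords: the owning entry may change its own, admin may change any,
# anonymous may only authenticate against it, and only over strong sessions.
access to attrs=userPassword,shadowLastChange
        by ssf=128 dn.exact="cn=admin,dc=example,dc=com" write
        by ssf=128 self write
        by ssf=128 anonymous auth
        by * none

# Everything else: admin writes, everyone reads, but never unencrypted.
access to *
        by ssf=128 dn.exact="cn=admin,dc=example,dc=com" write
        by ssf=128 * read
        by * none

# Listeners: local socket plus TLS-only on the routable address.
#   slapd -h "ldapi:/// ldaps://192.168.0.1/"
#
# A user changing its own password over the local socket then succeeds:
#   ldappasswd -H ldapi:/// -x -D "uid=someuser,dc=example,dc=com" -W -S
# while the same command against ldap://192.168.0.1/ is refused before the
# password is evaluated, and the ACL alone would return error 49 as seen
# in the thread because the session SSF is 0.
```

With this layout the peername.ip=127.0.0.1 clause from the original ACL is no longer needed: the loopback listener is gone, and the local socket is covered by localSSF, so local and remote clients are judged by the same ssf=128 rule rather than by a source address.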