On Dec 1, 2010, at 14:51, Aaron Richton wrote:
Maybe trace out where you start and where you're going:
- stop slapd, check with slapcat -n 0 what your initial ssf= value is
As I expect: olcSecurity: ssf=0 tls=0 simple_bind=0 update_ssf=0
- start slapd and check with ldapsearch that that ssf= value actually is
present in cn=config
As I expect: olcSecurity: ssf=0 tls=0 simple_bind=0 update_ssf=0
- verify that you're getting behavior that matches what cn=config says
Now I'm getting Confidentiality required (13) for all binds, also for the excluded IPs in the ACL; that is not as it should be.
- do your ldapmodify to ssf=1, ldapsearch cn=config to verify, verify
behavior
OK, now it's: olcSecurity: ssf=1 tls=0 simple_bind=0 update_ssf=0. Now it's obvious that only encrypted binds are allowed.
- do your ldapmodify to ssf=0, ldapsearch cn=config to verify, verify
behavior
olcSecurity: ssf=0 tls=0 simple_bind=0 update_ssf=0, and now the excluded IPs can use unencrypted simple binds, and for all others encryption is required, as it should be.
Which of these work as expected? Which don't?
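
The trace described in this message, scripted so that each step prints the configured ssf= value next to the observed bind behaviour. This is an added example, not code from either poster; the URIs, the BIND_DN/BIND_PW test account and root access to cn=config over ldapi:/// with SASL EXTERNAL are assumptions.

```shell
#!/bin/sh
# Added example. Assumptions (not from the thread): cn=config is reachable as
# root over ldapi:/// with SASL EXTERNAL, and BIND_DN/BIND_PW name a test account.
CONFIG_URI="${CONFIG_URI:-ldapi:///}"
TEST_URI="${TEST_URI:-ldap://localhost}"

# Read LDIF on stdin and print the ssf= value of each olcSecurity line.
# Fields are matched whole, so update_ssf=0 is not mistaken for ssf=0.
parse_ssf() {
    awk '$1 == "olcSecurity:" {
        for (i = 2; i <= NF; i++)
            if ($i ~ /^ssf=[0-9]+$/) print substr($i, 5)
    }'
}

# Emit the LDIF that sets the global olcSecurity value used in the thread.
security_ldif() {
    printf 'dn: cn=config\nchangetype: modify\nreplace: olcSecurity\n'
    printf 'olcSecurity: ssf=%s tls=0 simple_bind=0 update_ssf=0\n' "$1"
}

# Show what the running slapd holds in cn=config.
show_security() {
    ldapsearch -LLL -Q -Y EXTERNAL -H "$CONFIG_URI" -b cn=config -s base olcSecurity
}

# Attempt a simple bind and report the server's answer.
# $1 = label, remaining arguments = extra ldapwhoami options.
try_bind() {
    label=$1; shift
    if out=$(ldapwhoami -x "$@" -H "$TEST_URI" -D "$BIND_DN" -w "$BIND_PW" 2>&1); then
        echo "$label: accepted"
    else
        echo "$label: rejected: $out"
    fi
}

# One step of the trace: the configured ssf, then the observed behaviour.
report() {
    echo "cn=config ssf=$(show_security | parse_ssf)"
    try_bind "unencrypted simple bind"
    try_bind "StartTLS simple bind" -ZZ
}

# Only touch the server when asked to: sh trace.sh trace
if [ "${1:-}" = "trace" ]; then
    report
    for ssf in 1 0; do
        security_ldif "$ssf" | ldapmodify -Q -Y EXTERNAL -H "$CONFIG_URI"
        report
    done
fi
```

Point TEST_URI at the server's network address and run the bind checks once from one of the excluded IPs and once from another host, so the two outputs can be compared step by step.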