hi-
i have a directory to which i'd like to require starttls for any and all access, with one exception - i have a few clients which can't yet do starttls, so i'd like to accommodate them (by way of a group they're in - e.g. "by group.exact=..."), but only if they're connecting from localhost (inet, not unix).
i've been reading man 5 slapd.access, and have been experimenting with peername and the various *ssf statements, but haven't yet found the proper combination. any insight is greatly appreciated. i've included my current acls below.
also - where can i read more about each of the *ssf settings and what they mean? i'd like to be a bit more confident about which one i should be using. i see some description in the discussion of sasl-secprops in man 5 slapd.conf, as referenced by http://www.openldap.org/doc/admin24/access-control.html - ". transport=<n> specifies the transport security strength factor." - but that's a bit too recursive for me just yet :).
thanks- -ben
current acls:
{0}to attrs=userPassword
    by self =xw
    by anonymous auth
    by * none
{1}to dn.sub="uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=com"
    by self manage
    by users read
    by * none
{2}to filter=(&(objectclass=iphost)(cn=flip.example.com)) attrs=authorizedservice val.exact=sshd
    by group.exact="cn=ssh,ou=all_servers,ou=servers,ou=groups,dc=example,dc=com" compare
    by group.exact="cn=ssh,ou=flip,ou=servers,ou=groups,dc=example,dc=com" compare
    by * =dxrs
{3}to filter=(&(objectclass=iphost)(cn=flip.example.com)) attrs=authorizedservice val.exact=login
    by group.exact="cn=console,ou=all_servers,ou=servers,ou=groups,dc=example,dc=com" compare
    by group.exact="cn=console,ou=flip,ou=servers,ou=groups,dc=example,dc=com" compare
    by * =dxrs
{4}to * 
    by self write
    by group.exact="cn=directory_administrators,ou=general,ou=groups,dc=example,dc=com" manage
    by users read
    by * none
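Added example (editor's addition, not part of the post above and not OpenLDAP project code): one way to express "TLS for everyone, except a named group when it comes in over loopback TCP" on top of the ACLs posted. The four strength qualifiers slapd.access(5) offers are: tls_ssf (key strength of the negotiated TLS cipher, e.g. 128 for AES-128, 0 without TLS), sasl_ssf (strength of a SASL security layer, 0 for simple binds), transport_ssf (the transport itself; 0 on TCP, the slapd.conf localSSF value, default 71, on ldapi://) and ssf (the overall figure, the highest of the three). "Require STARTTLS" therefore maps to tls_ssf, not ssf: ssf=128 would also be satisfied by a SASL confidentiality layer or by an ldapi session with localSSF raised. tls_ssf=1 means "any TLS encryption at all"; 128 additionally rejects weak ciphers. Two things the example relies on, both stated in the man page: several qualifiers in one by clause are ANDed (so group.exact plus peername.ip means "this group, from this address"), and the break control passes evaluation on to the later access directives instead of stopping. The group name cn=legacy_clients, the database DN {1}hdb and the 128 threshold are assumptions; replace them with your own.

```ldif
# Added example; not from the original post. cn=legacy_clients and the
# database DN {1}hdb are assumptions - list yours with:
#   ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase=* olcAccess
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
# Binds run as anonymous, so group.exact on the binder can never match at
# bind time. The set expression instead asks whether the *target* entry
# ("this", the account being bound to) is a member of the legacy group.
olcAccess: {0}to attrs=userPassword
  by tls_ssf=128 self =xw
  by tls_ssf=128 anonymous auth
  by set="[cn=legacy_clients,ou=general,ou=groups,dc=example,dc=com]/member & this"
    peername.ip=127.0.0.1 auth
  by * none
# The gate. "none break" grants nothing by itself and hands evaluation on to
# the rules below; a session matching neither clause stops at "by * none".
# peername.ip only matches TCP peers (ldapi peers show up as PATH=...), which
# is exactly the "inet, not unix" restriction wanted here.
olcAccess: {1}to *
  by tls_ssf=128 none break
  by group.exact="cn=legacy_clients,ou=general,ou=groups,dc=example,dc=com"
    peername.ip=127.0.0.1 none break
  by * none
# The original rules, unchanged apart from renumbering.
olcAccess: {2}to dn.sub="uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=com"
  by self manage
  by users read
  by * none
olcAccess: {3}to filter=(&(objectclass=iphost)(cn=flip.example.com))
    attrs=authorizedservice val.exact=sshd
  by group.exact="cn=ssh,ou=all_servers,ou=servers,ou=groups,dc=example,dc=com" compare
  by group.exact="cn=ssh,ou=flip,ou=servers,ou=groups,dc=example,dc=com" compare
  by * =dxrs
olcAccess: {4}to filter=(&(objectclass=iphost)(cn=flip.example.com))
    attrs=authorizedservice val.exact=login
  by group.exact="cn=console,ou=all_servers,ou=servers,ou=groups,dc=example,dc=com" compare
  by group.exact="cn=console,ou=flip,ou=servers,ou=groups,dc=example,dc=com" compare
  by * =dxrs
olcAccess: {5}to *
  by self write
  by group.exact="cn=directory_administrators,ou=general,ou=groups,dc=example,dc=com" manage
  by users read
  by * none
```

Checks worth running after ldapmodify accepts it (it rejects malformed ACL syntax outright): a simple bind as a legacy account over ldap://127.0.0.1 without -Z should succeed and see the directory through rule {5}; the same bind from any other address, or as a non-legacy account over plain loopback, should fail at the bind with invalid credentials, because auth access to userPassword is denied before the password is ever compared; and ldapsearch -ZZ from anywhere should behave exactly as before. Two caveats: if slapd also listens on ::1, add parallel clauses using peername.ipv6=::1, since one by clause cannot carry both address forms; and even on loopback the legacy clients' passwords travel unencrypted, so the exception is only as safe as the host's other local users.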