On Tue, 30 Nov 2010, Christian Bösch wrote:
hi, i have an acl set to allow only some ips to connect unencrypted: {0}to dn.children="dc=abc,dc=net" by peername.ip=10.10.40.100 read break by peername.ip=10.10.8.49 read break by ssf=128 read break by * none
olcSecurity: ssf=0 tls=0 simple_bind=0 update_ssf=0
this works in general, but if i restart slapd i get from the defined ips from above 'confidentially required'. then i have to set ssf=1 then back to ssf=0 to make it work again?
It's not entirely clear what you're getting at, but I note that the only "ssf=0" in your post is under olcSecurity. If you're changing that, then the global SSF requirement of your server will be affected, and no ACL will allow an exemption under any circumstances.
In other words, set the olcSecurity ssf= to the absolute minimum SSF required of any client connecting. So if you want to allow 10.10.40.100 (or whatever) to have ssf=0....well, there's your answer for olcSecurity, too.
anyone an idea why?
/thx.chris