Hi,
I am a little confused with this. Basically I have a client connecting to the database, a DECT IP phone base station which doesn't support STARTTLS and my slapd config has settings for clients to use certificates to connect.
What would be the best way to set this up so that the DECT IP client only accesses the particular place that it needs to, the AddressBook section but then other clients will need to use STARTTLS for everything else?
Currently I am looking at:
https://www.openldap.org/doc/admin24/security.html
https://www.openldap.org/doc/admin24/access-control.html
and have currently put this in my slapd.conf:

#Removed the Global? security clause
#security ssf=128

#Added generic ACL for all access to require ssf of 128
access to *
        by ssf=128 self write
        by ssf=128 anonymous auth
        by ssf=128 users read

#Added ACL for open access to AddressBook in Read and Search only mode
access to dn.children="ou=AddressBook,dc=domain,dc=com"
        by * search
        by * read

Is this correct or do I need to engage the "security" Global section too?
Though the documentation suggests otherwise: "For fine-grained control, SSFs may be used in access controls. See the Access Control section for more information."
Thanks.
Kaya
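
The ACL layout asked about above, as an added example that is not part of the original post: slapd applies the first "access to" clause whose target matches an entry, so the AddressBook rule has to come before "access to *". The use of dn.subtree in place of dn.children and the explicit "by * none" are choices made for this example.

```conf
# Added example, not from the original post.
# slapd stops at the first "access to" clause whose target matches the entry
# and, inside that clause, at the first "by" whose subject matches. Every
# clause ends with an implicit "by * none".

# Leave the global "security ssf=128" out: it would refuse the phone's
# unencrypted operations regardless of what the ACLs allow.
#security ssf=128

# 1. Address book: readable at any SSF, so the DECT base station can query it
#    without STARTTLS. dn.subtree also covers the ou=AddressBook entry itself
#    (dn.children does not), so it can serve as the search base.
#    "read" already includes "search", so a single "by" is enough.
access to dn.subtree="ou=AddressBook,dc=domain,dc=com"
        by * read

# 2. Everything else: only sessions whose SSF is at least 128 get access.
#    A session below that matches none of the ssf=128 clauses and falls
#    through to "by * none" (written out here for clarity).
access to *
        by ssf=128 self write
        by ssf=128 anonymous auth
        by ssf=128 users read
        by * none
```

With these rules a simple bind over an unencrypted connection fails, because "auth" access outside the address book requires SSF 128, so the phone has to query anonymously. The address book contents then travel in cleartext and are readable by anyone who can reach the LDAP port.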