On Nov 30, 2010, at 14:42 , Aaron Richton wrote:
On Tue, 30 Nov 2010, Christian Bösch wrote:
Hi, I have an ACL set to allow only some IPs to connect unencrypted:

{0}to dn.children="dc=abc,dc=net"
  by peername.ip=10.10.40.100 read break
  by peername.ip=10.10.8.49 read break
  by ssf=128 read break
  by * none
olcSecurity: ssf=0 tls=0 simple_bind=0 update_ssf=0
This works in general, but if I restart slapd I get 'confidentiality required' from the IPs defined above. Then I have to set ssf=1 and back to ssf=0 to make it work again?
It's not entirely clear what you're getting at, but I note that the only "ssf=0" in your post is under olcSecurity. If you're changing that, then the global SSF requirement of your server will be affected, and no ACL will allow an exemption under any circumstances.
In other words, set the olcSecurity ssf= to the absolute minimum SSF required of any client connecting. So if you want to allow 10.10.40.100 (or whatever) to have ssf=0... well, there's your answer for olcSecurity, too.
Yes, that's clear. The above model with global ssf=0 and ACLs for exceptions is working fine as long as I don't restart slapd. If I restart slapd, encryption is also required for the IPs defined in the ACL. Then I have to change the global ssf value to something else and then back to ssf=0, and it works again! I wanted to know why this strange behaviour happens.
Does anyone have an idea why?
/thx.chris
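The model the thread discusses (global olcSecurity floor of 0, per-peer and per-SSF exceptions in the ACL), written out as a cn=config LDIF for ldapmodify. This is an added example, not taken from the mails; the database entry `olcDatabase={1}mdb,cn=config` is an assumption and must be replaced with the actual backend entry.

```ldif
# Added example (not from the thread): the per-client SSF exception model
# discussed above, applied to cn=config with ldapmodify -Y EXTERNAL.
# ASSUMPTION: the database entry is olcDatabase={1}mdb,cn=config.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSecurity
# Global floor. olcSecurity is enforced before any ACL is evaluated, so a
# non-zero ssf here cannot be exempted per client; it must stay at 0 here.
olcSecurity: ssf=0 tls=0 simple_bind=0 update_ssf=0
-
replace: olcAccess
# Ordered ACL: the two trusted peers, and any connection with SSF >= 128,
# get read; "break" continues with the next olcAccess directive, and
# everything else falls through to "by * none".
olcAccess: {0}to dn.children="dc=abc,dc=net"
  by peername.ip=10.10.40.100 read break
  by peername.ip=10.10.8.49 read break
  by ssf=128 read break
  by * none
```

slapacl(8) with its -o ssf= and -o peername= options can show what access a given peer address and SSF would be granted under the loaded config, which makes it possible to compare the ACL result before and after a slapd restart without touching olcSecurity.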