On Nov 30, 2010, at 14:42 , Aaron Richton wrote:
> On Tue, 30 Nov 2010, Christian Bösch wrote:
>> hi,
>> i have an acl set to allow only some ips to connect unencrypted:
>> {0}to dn.children="dc=abc,dc=net" by peername.ip=10.10.40.100 read break by
>> peername.ip=10.10.8.49 read break by ssf=128 read break by * none
>>
>> olcSecurity: ssf=0 tls=0 simple_bind=0 update_ssf=0
>>
>> this works in general, but if i restart slapd i get from the defined ips from above
>> 'confidentiality required'. then i have to set ssf=1 then back to ssf=0 to make
>> it work again?
> It's not entirely clear what you're getting at, but I note that the only
> "ssf=0" in your post is under olcSecurity. If you're changing that, then
> the global SSF requirement of your server will be affected, and no ACL
> will allow an exemption under any circumstances.
> In other words, set the olcSecurity ssf= to the absolute minimum SSF
> required of any client connecting. So if you want to allow 10.10.40.100
> (or whatever) to have ssf=0....well, there's your answer for olcSecurity,
> too.
yes, that's clear.
the above model with global ssf=0 and acls for exceptions is working fine as long as i
don't restart slapd.
if i restart slapd, encryption is also required for the defined ips in the acl. then i
have to change the global ssf value to something else and then
back to ssf=0 and it works again!
i wanted to know why this strange behaviour happens.
>> anyone an idea why?
>>
>> /thx.chris
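The interaction Aaron describes (the global olcSecurity ssf= floor is enforced before any ACL can grant an exception), as an added model that is not code from the thread or from OpenLDAP itself; the `by` clauses and addresses are the ones quoted above, and the check order (global floor first, then the first matching `by` clause, since every clause ends in `break`) is an assumption taken from his explanation:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ByClause:
    who: str      # "peername.ip=<ip>", "ssf=<n>" or "*"
    access: str   # "read" or "none"


# The access directive quoted in the thread:
# {0}to dn.children="dc=abc,dc=net" by peername.ip=10.10.40.100 read break
#   by peername.ip=10.10.8.49 read break by ssf=128 read break by * none
ACL = [
    ByClause("peername.ip=10.10.40.100", "read"),
    ByClause("peername.ip=10.10.8.49", "read"),
    ByClause("ssf=128", "read"),
    ByClause("*", "none"),
]


def clause_matches(clause: ByClause, peer_ip: str, ssf: int) -> bool:
    """Does this <by> clause apply to a client at peer_ip with security factor ssf?"""
    if clause.who == "*":
        return True
    kind, _, value = clause.who.partition("=")
    if kind == "peername.ip":
        return peer_ip == value
    if kind == "ssf":
        return ssf >= int(value)          # ssf=N means "at least N"
    raise ValueError(f"unsupported <who>: {clause.who}")


def check_access(peer_ip: str, ssf: int, global_ssf: int) -> str:
    """Outcome of a search under dc=abc,dc=net from peer_ip at the given SSF.

    global_ssf is the olcSecurity ssf= value. Assumption (per Aaron's reply):
    it is checked per operation before the ACL, so no <by> clause can exempt a
    client that falls below it.
    """
    if ssf < global_ssf:
        return "confidentiality required"
    # Every clause ends in "break", so the first matching clause decides here.
    for clause in ACL:
        if clause_matches(clause, peer_ip, ssf):
            return clause.access
    return "none"
```

With olcSecurity at ssf=0 the listed addresses read unencrypted and everyone else needs ssf>=128; raising the global floor to 128 blocks the listed addresses at ssf=0 regardless of the ACL.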