I'm using TLS but would like to force clients to connect using TLS sans the loopback device or LDAP server itself.
I found this post from 2006 which suggests the following.
It doesn't work for me:
# first, make sure TLS or localhost
access to *
by tls_ssf=1 none break
by peername.ip="127.0.0.1" none break
by * none
# "real" ACL(s) go here, something like
access to *
by self write
by users read
by anonymous auth
My current real ACLs:
access to *
    by tls_ssf=1 none break
    by peername.ip="127.0.0.1" none break
    by peername.ip="10.3.5.205" none break
    by * none
access to dn.children="ou=people,dc=test,dc=lott" attrs=userPassword,sambaLMPassword,sambaNTPassword,shadowMax
    by self write
    by * auth break
access to dn.children="ou=people,dc=test,dc=lott" attrs=userPassword,sambaLMPassword,sambaNTPassword,shadowLastChange,sambaPwdMustChange,sambaPwdLastSet,pwdReset,pwdChangedTime,pwdPolicySubentry,shadowMax,mail,pwdAccountLockedTime,sambaKickoffTime,shadowExpire,shadowWarning,shadowFlag,sambaAcctFlags,sambaPasswordHistory,mail,givenName
    by dn.base="cn=root,dc=txcat,dc=lott" write
    by group.base="cn=infrastructure,ou=test,ou=groups,dc=test,dc=lott" write
    by dn.base="uid=ldapmgr,ou=people,dc=test,dc=lott" write
    by * read
access to dn.exact="cn=admins,ou=SUDOers,dc=test,dc=lott" attrs=sudoUser
    by dn.base="cn=root,dc=test,dc=lott" write
    by group.base="cn=infrastructure,ou=test,ou=groups,dc=test,dc=lott" write
    by * read
access to dn.subtree="ou=SUDOers,dc=test,dc=lott" attrs=sudoUser,sudoCommand,sudoHost,sudoOption
    by dn.base="cn=root,dc=test,dc=lott" write
    by group.base="cn=infrastructure,ou=test,ou=groups,dc=test,dc=lott" write
    by * read
access to *
    by dn.base="cn=root,dc=test,dc=lott" write
    by group.base="cn=infrastructure,ou=test,ou=groups,dc=test,dc=lott" read
    by group.base="cn=operations,ou=test,ou=groups,dc=test,dc=lott" read
    by dn.base="uid=ldapmgr,ou=people,dc=test,dc=lott" read
    by * read
10.3.5.205 is the IP address of the system on the loopback interface. These settings still allow any system to connect without using TLS. If I change the line in the last ACL to "by users read" then I can't connect on the loopback anymore. What am I doing wrong?
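To see how the "none break" gating from the 2006 suggestion is meant to hand TLS and loopback connections on to the real ACLs while stopping everyone else, here is a small simulator of slapd's ACL evaluation order (first matching access directive, first matching by clause, break moves to the next directive, no match means deny). This is an added example, not code from the post or from OpenLDAP; it models only the who forms used above and assumes a simplified ordering of access levels.

```python
# Simplified model of OpenLDAP slapd ACL evaluation (assumption: first matching
# directive, first matching <who>, "break" continues with the next directive,
# no matching <who> means implicit "by * none").  Not slapd's real evaluator.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

def who_matches(who, req):
    """Match one <who> clause against a request: dict with tls_ssf, ip,
    binddn (empty string when anonymous) and target (DN being accessed)."""
    if who == "*":
        return True
    if who == "anonymous":
        return req["binddn"] == ""
    if who == "users":
        return req["binddn"] != ""
    if who == "self":
        return req["binddn"] != "" and req["binddn"] == req["target"]
    if who.startswith("tls_ssf="):
        return req["tls_ssf"] >= int(who.split("=", 1)[1])
    if who.startswith("peername.ip="):
        return req["ip"] == who.split("=", 1)[1].strip('"')
    raise ValueError(f"unsupported <who> clause: {who}")

def evaluate(acls, req):
    """Return the access level the request ends up with.  acls is a list of
    directives (all 'access to *'), each a list of (who, level, control)
    where control is 'stop' (the default) or 'break'."""
    for directive in acls:
        for who, level, control in directive:
            if who_matches(who, req):
                if control == "break":
                    break          # leave this directive, try the next one
                return level       # 'stop': this clause decides
        else:
            return "none"          # nothing matched: slapd denies here
    return "none"                  # ran off the end of the ACL list

def allowed(acls, req, needed):
    """True if the granted level is at least the level the operation needs."""
    return LEVELS.index(evaluate(acls, req)) >= LEVELS.index(needed)

# The ACLs suggested in the 2006 post, expressed as data for the simulator.
SUGGESTED = [
    [("tls_ssf=1", "none", "break"),
     ('peername.ip="127.0.0.1"', "none", "break"),
     ("*", "none", "stop")],
    [("self", "write", "stop"), ("users", "read", "stop"),
     ("anonymous", "auth", "stop")],
]
```

Feed it your own directives (peername.ip="10.3.5.205" included) and a few requests to check which clause each connection actually stops at before changing the live config.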