I'm using TLS but would like to force clients to connect using TLS, except from the loopback device or the LDAP server itself.
I found this post from 2006, which suggests the following.
It doesn't work for me:
# first, make sure TLS or localhost
access to *
by tls_ssf=1 none break
by peername.ip="127.0.0.1" none break
by * none
# "real" ACL(s) go here, something like
access to *
by self write
by users read
by anonymous auth
10.3.5.205 is the IP address of the system on the loopback interface.
These settings still allow any system to connect without using TLS.
If I change the line in the last ACL to "by users read" then I can't connect on the loopback anymore. What am I doing wrong?
My current real ACLs:
access to *
by tls_ssf=1 none break
by peername.ip="127.0.0.1" none break
by peername.ip="10.3.5.205" none break
by * none
access to dn.children="ou=people,dc=test,dc=lott"
attrs=userPassword,sambaLMPassword,sambaNTPassword,shadowMax
by self write
by * auth break
access to dn.children="ou=people,dc=test,dc=lott"
attrs=userPassword,sambaLMPassword,sambaNTPassword,shadowLastChange,sambaPwdMustChange,sambaPwdLastSet,pwdReset,pwdChangedTime,pwdPolicySubentry,shadowMax,mail,pwdAccountLockedTime,sambaKickoffTime,shadowExpire,shadowWarning,shadowFlag,sambaAcctFlags,sambaPasswordHistory,mail,givenName
by dn.base="cn=root,dc=txcat,dc=lott" write
by group.base="cn=infrastructure,ou=test,ou=groups,dc=test,dc=lott" write
by dn.base="uid=ldapmgr,ou=people,dc=test,dc=lott" write
by * read
access to dn.exact="cn=admins,ou=SUDOers,dc=test,dc=lott"
attrs=sudoUser
by dn.base="cn=root,dc=test,dc=lott" write
by group.base="cn=infrastructure,ou=test,ou=groups,dc=test,dc=lott" write
by * read
access to dn.subtree="ou=SUDOers,dc=test,dc=lott"
attrs=sudoUser,sudoCommand,sudoHost,sudoOption
by dn.base="cn=root,dc=test,dc=lott" write
by group.base="cn=infrastructure,ou=test,ou=groups,dc=test,dc=lott" write
by * read
access to *
by dn.base="cn=root,dc=test,dc=lott" write
by group.base="cn=infrastructure,ou=test,ou=groups,dc=test,dc=lott" read
by group.base="cn=operations,ou=test,ou=groups,dc=test,dc=lott" read
by dn.base="uid=ldapmgr,ou=people,dc=test,dc=lott" read
by * read
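An added example, not part of the question above and not the poster's configuration: a slapd.conf fragment that enforces TLS at the connection level with the `security` directive, so that a plaintext client gets an error instead of silently seeing no entries, while keeping a plaintext exception only for the local ldapi:// socket (the server itself). The host name, the socket path and the base DN dc=test,dc=lott are assumed placeholders; the ACL at the end reuses the 2006 recipe as a second layer.

```conf
# Added example (not from the original post): require TLS for all TCP
# clients, exempt only the local ldapi:// socket.  Assumed placeholders:
# ldap.example, /var/run/ldapi, dc=test,dc=lott.

# 1. Global transport policy.  Unlike an ACL, this makes slapd reject the
#    operation with confidentialityRequired (result code 13) rather than
#    just returning an empty result, so a misconfigured client fails loudly.
#    ssf=128 is satisfied by TLS with a >=128-bit cipher, by a SASL layer
#    providing confidentiality, or by the ldapi:// exemption below.
#    simple_bind=128 additionally refuses plaintext simple binds, so a
#    password can never cross the wire unencrypted.
security ssf=128 simple_bind=128

# 2. ldapi:// (UNIX domain socket) connections carry no TLS; slapd assigns
#    them the SSF given by localSSF (default 71).  Raising it to 128 lets
#    local tooling over ldapi:// satisfy the ssf=128 requirement above.
#    Note: "security tls=1" would NOT be satisfied by ldapi:// at all,
#    because localSSF counts as transport SSF, not TLS SSF.
localSSF 128

# 3. Defence in depth: the ACL gate from the 2006 recipe.  "none break"
#    only moves on to the next access directive; the final "by * none"
#    with no break is what actually hides data from plaintext TCP clients.
#    Do not rely on this alone: an anonymous bind without TLS still
#    succeeds, the search simply returns nothing.
access to *
        by ssf=128 none break
        by peername.path="/var/run/ldapi" none break
        by * none

# "real" ACLs follow here, as in the post.

# Verification (assumed host name; run from any client):
#   ldapsearch -x -ZZ -H ldap://ldap.example/ -b dc=test,dc=lott   # works
#   ldapsearch -x     -H ldap://ldap.example/ -b dc=test,dc=lott   # Confidentiality required (13)
#   ldapsearch -x     -H ldapi:///             -b dc=test,dc=lott  # works, via localSSF
```

The `security` directive applies before any ACL is evaluated, so it cannot carve out an exception for plaintext TCP from 127.0.0.1 or from the server's own interface address; loopback TCP is treated like any other TCP connection. If plaintext on the loopback address really must stay open, only the ACL approach can distinguish it by peername.ip, and then the limitation in comment 3 applies: the plaintext connection and bind succeed, and only the data is withheld. The cleaner design is to point local tooling at ldapi:// and let `security` refuse everything else.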