hi,
I have an ACL set to allow only some IPs to connect unencrypted:
{0}to dn.children="dc=abc,dc=net" by peername.ip=10.10.40.100 read break by peername.ip=10.10.8.49 read break by ssf=128 read break by * none
olcSecurity: ssf=0 tls=0 simple_bind=0 update_ssf=0
This works in general, but if I restart slapd I get 'Confidentiality required' from the IPs defined above. Then I have to set ssf=1 and then back to ssf=0 to make it work again?
Anyone have an idea why?
/thx.chris
On Tue, 30 Nov 2010, Christian Bösch wrote:
> hi, I have an ACL set to allow only some IPs to connect unencrypted:
> {0}to dn.children="dc=abc,dc=net" by peername.ip=10.10.40.100 read break by peername.ip=10.10.8.49 read break by ssf=128 read break by * none
> olcSecurity: ssf=0 tls=0 simple_bind=0 update_ssf=0
> This works in general, but if I restart slapd I get 'Confidentiality required' from the IPs defined above. Then I have to set ssf=1 and then back to ssf=0 to make it work again?
It's not entirely clear what you're getting at, but I note that the only "ssf=0" in your post is under olcSecurity. If you're changing that, then the global SSF requirement of your server will be affected, and no ACL will allow an exemption under any circumstances.
In other words, set the olcSecurity ssf= to the absolute minimum SSF required of any client connecting. So if you want to allow 10.10.40.100 (or whatever) to have ssf=0....well, there's your answer for olcSecurity, too.
> Anyone have an idea why?
> /thx.chris
On Nov 30, 2010, at 14:42 , Aaron Richton wrote:
> On Tue, 30 Nov 2010, Christian Bösch wrote:
>> hi, I have an ACL set to allow only some IPs to connect unencrypted:
>> {0}to dn.children="dc=abc,dc=net" by peername.ip=10.10.40.100 read break by peername.ip=10.10.8.49 read break by ssf=128 read break by * none
>> olcSecurity: ssf=0 tls=0 simple_bind=0 update_ssf=0
>> This works in general, but if I restart slapd I get 'Confidentiality required' from the IPs defined above. Then I have to set ssf=1 and then back to ssf=0 to make it work again?
> It's not entirely clear what you're getting at, but I note that the only "ssf=0" in your post is under olcSecurity. If you're changing that, then the global SSF requirement of your server will be affected, and no ACL will allow an exemption under any circumstances.
> In other words, set the olcSecurity ssf= to the absolute minimum SSF required of any client connecting. So if you want to allow 10.10.40.100 (or whatever) to have ssf=0....well, there's your answer for olcSecurity, too.
Yes, that's clear. The above model with global ssf=0 and ACLs for exceptions is working fine as long as I don't restart slapd. If I restart slapd, encryption is also required for the IPs defined in the ACL. Then I have to change the global ssf value to something and then back to ssf=0 and it works again! I wanted to know why this strange behaviour happens?
>> Anyone have an idea why?
>> /thx.chris
On Wed, 1 Dec 2010, Christian Bösch wrote:
> Yes, that's clear. The above model with global ssf=0 and ACLs for exceptions is working fine as long as I don't restart slapd. If I restart slapd, encryption is also required for the IPs defined in the ACL. Then I have to change the global ssf value to something and then back to ssf=0 and it works again! I wanted to know why this strange behaviour happens?
Maybe trace out where you start and where you're going:
* stop slapd, check with slapcat -n 0 what your initial ssf= value is
* start slapd and check with ldapsearch that that ssf= value actually is present in cn=config
* verify that you're getting behavior that matches what cn=config says
* do your ldapmodify to ssf=1, ldapsearch cn=config to verify, verify behavior
* do your ldapmodify to ssf=0, ldapsearch cn=config to verify, verify behavior
Which of these work as expected? Which don't?
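Aaron's trace above, scripted as an added example (not code from the thread or from the OpenLDAP project) so that each step's cn=config value and the outcome of an unencrypted bind are recorded side by side. It assumes olcSecurity sits on the cn=config entry and is reachable over ldapi:/// with SASL EXTERNAL; ldap://ldap.abc.net, BIND_DN and BIND_PW are placeholders for the server and an account on one of the ACL-listed hosts.

```shell
#!/bin/sh
# Added example, not from the thread: scripts Aaron's trace so each step's
# cn=config value and the resulting bind behaviour are recorded together.
# Assumed: olcSecurity is on the cn=config entry, reachable via ldapi:/// as
# root with SASL EXTERNAL; LDAP_URI/BIND_DN/BIND_PW are placeholders.
LDAP_URI="${LDAP_URI:-ldap://ldap.abc.net}"   # assumed hostname
CONFIG_URI="${CONFIG_URI:-ldapi:///}"

# Pull the ssf= value out of an olcSecurity line in LDIF on stdin.
# The [ :] guard stops update_ssf= from being mistaken for ssf=.
ssf_from_ldif() {
    sed -n 's/^olcSecurity.*[ :]ssf=\([0-9]*\).*/\1/p' | head -n 1
}

# Classify a simple bind: ok, confidentiality (result code 13) or other.
classify_bind() {   # $1 = exit status of ldapwhoami, $2 = its stderr
    if [ "$1" -eq 0 ]; then echo ok
    elif printf '%s' "$2" | grep -q 'Confidentiality required (13)'; then echo confidentiality
    else echo other
    fi
}
config_ssf() {      # step 2: what the running slapd says
    ldapsearch -LLL -Q -Y EXTERNAL -H "$CONFIG_URI" -b cn=config -s base olcSecurity | ssf_from_ldif
}

set_global_ssf() {  # steps 4 and 5: replace olcSecurity, keeping the other flags
    ldapmodify -Q -Y EXTERNAL -H "$CONFIG_URI" >/dev/null <<EOF
dn: cn=config
changetype: modify
replace: olcSecurity
olcSecurity: ssf=$1 tls=0 simple_bind=0 update_ssf=0
EOF
}

probe_plain_bind() {  # step 3: unencrypted simple bind, anonymous unless BIND_DN is set
    set -- -x -H "$LDAP_URI"
    [ -n "${BIND_DN:-}" ] && set -- "$@" -D "$BIND_DN" -w "${BIND_PW:-}"
    err=$(ldapwhoami "$@" 2>&1 >/dev/null); st=$?
    classify_bind "$st" "$err"
}
# Step 1 is done by hand while slapd is stopped: slapcat -n 0 | ssf_from_ldif
trace() {
    echo "after start: cn=config ssf=$(config_ssf)  plain bind: $(probe_plain_bind)"
    set_global_ssf 1
    echo "after ssf=1: cn=config ssf=$(config_ssf)  plain bind: $(probe_plain_bind)"
    set_global_ssf 0
    echo "after ssf=0: cn=config ssf=$(config_ssf)  plain bind: $(probe_plain_bind)"
}
if [ "${1:-}" = run ]; then trace; fi
```

Run it as `sh trace.sh run` from one of the hosts named in the ACL; a "confidentiality" result next to "ssf=0" is exactly the mismatch the thread describes.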
On Dec 1, 2010, at 14:51 , Aaron Richton wrote:
> Maybe trace out where you start and where you're going:
> - stop slapd, check with slapcat -n 0 what your initial ssf= value is
As I expect: olcSecurity: ssf=0 tls=0 simple_bind=0 update_ssf=0
> - start slapd and check with ldapsearch that that ssf= value actually is present in cn=config
As I expect: olcSecurity: ssf=0 tls=0 simple_bind=0 update_ssf=0
> - verify that you're getting behavior that matches what cn=config says
Now I'm getting Confidentiality required (13) for all binds, also for the excluded IPs in the ACL. That is not as it should be.
> - do your ldapmodify to ssf=1, ldapsearch cn=config to verify, verify behavior
OK, now it's: olcSecurity: ssf=1 tls=0 simple_bind=0 update_ssf=0. Now it's obvious that only encrypted binds are allowed.
> - do your ldapmodify to ssf=0, ldapsearch cn=config to verify, verify behavior
olcSecurity: ssf=0 tls=0 simple_bind=0 update_ssf=0, and now the excluded IPs can use unencrypted simple binds, and for all others encryption is required. As it should be.
> Which of these work as expected? Which don't?
On Wed, 1 Dec 2010, Christian Bösch wrote:
>> - start slapd and check with ldapsearch that that ssf= value actually is present in cn=config
> As I expect: olcSecurity: ssf=0 tls=0 simple_bind=0 update_ssf=0
>> - verify that you're getting behavior that matches what cn=config says
> Now I'm getting Confidentiality required (13) for all binds, also for the excluded IPs in the ACL. That is not as it should be.
No, doesn't sound like it is. Are you verifying this with a current version (2.4.23 or RE24/HEAD CVS)? If so, this is probably worthy of an ITS (http://www.openldap.org/its/).
On Dec 1, 2010, at 15:19 , Aaron Richton wrote:
> On Wed, 1 Dec 2010, Christian Bösch wrote:
>>> - start slapd and check with ldapsearch that that ssf= value actually is present in cn=config
>> As I expect: olcSecurity: ssf=0 tls=0 simple_bind=0 update_ssf=0
>>> - verify that you're getting behavior that matches what cn=config says
>> Now I'm getting Confidentiality required (13) for all binds, also for the excluded IPs in the ACL. That is not as it should be.
> No, doesn't sound like it is. Are you verifying this with a current version (2.4.23 or RE24/HEAD CVS)? If so, this is probably worthy of an ITS (http://www.openldap.org/its/).
I compiled it from FreeBSD ports. Version 2.4.21.