2:09 a.m.
hi,
i have an acl set to allow only some ips to connect unencrypted:
{0}to dn.children="dc=abc,dc=net" by peername.ip=10.10.40.100 read break by
peername.ip=10.10.8.49 read break by ssf=128 read break by * none
olcSecurity: ssf=0 tls=0 simple_bind=0 update_ssf=0
this works in general, but if i restart slapd i get from the defined ips from above
'confidentially required'. then i have to set ssf=1 then back to ssf=0 to make
it work again?
anyone an idea why?
/thx.chris
5:42 a.m.
On Tue, 30 Nov 2010, Christian Bösch wrote:
hi,
i have an acl set to allow only some ips to connect unencrypted:
{0}to dn.children="dc=abc,dc=net" by peername.ip=10.10.40.100 read break by
peername.ip=10.10.8.49 read break by ssf=128 read break by * none
olcSecurity: ssf=0 tls=0 simple_bind=0 update_ssf=0
this works in general, but if i restart slapd i get from the defined ips from above
'confidentially required'. then i have to set ssf=1 then back to ssf=0 to make
it work again?
It's not entirely clear what you're getting at, but I note that the only
"ssf=0" in your post is under olcSecurity. If you're changing that, then
the global SSF requirement of your server will be affected, and no ACL
will allow an exemption under any circumstances.
In other words, set the olcSecurity ssf= to the absolute minimum SSF
required of any client connecting. So if you want to allow 10.10.40.100
(or whatever) to have ssf=0....well, there's your answer for olcSecurity,
too.
anyone an idea why?
/thx.chris
11:18 p.m.
On Nov 30, 2010, at 14:42 , Aaron Richton wrote:
On Tue, 30 Nov 2010, Christian Bösch wrote:
> hi,
> i have an acl set to allow only some ips to connect unencrypted:
> {0}to dn.children="dc=abc,dc=net" by peername.ip=10.10.40.100 read break by
peername.ip=10.10.8.49 read break by ssf=128 read break by * none
>
> olcSecurity: ssf=0 tls=0 simple_bind=0 update_ssf=0
>
> this works in general, but if i restart slapd i get from the defined ips from above
'confidentially required'. then i have to set ssf=1 then back to ssf=0 to make
> it work again?
It's not entirely clear what you're getting at, but I note that the only
"ssf=0" in your post is under olcSecurity. If you're changing that, then
the global SSF requirement of your server will be affected, and no ACL
will allow an exemption under any circumstances.
In other words, set the olcSecurity ssf= to the absolute minimum SSF
required of any client connecting. So if you want to allow 10.10.40.100
(or whatever) to have ssf=0....well, there's your answer for olcSecurity,
too.
yes thats clear.
the above model with global ssf=0 and acls for exceptions is working fine as long i
don't restart the slapd.
if i restart slapd, encryption is also required for the defined ips in the acl. then i
have to change the global ssf value to something and then
back to ssf=0 and it works again!
i wanted to know why this strange behaviour happens?
> anyone an idea why?
>
> /thx.chris
>
>
>
>
5:51 a.m.
On Wed, 1 Dec 2010, Christian Bösch wrote:
yes thats clear.
the above model with global ssf=0 and acls for exceptions is working fine as long i
don't restart the slapd.
if i restart slapd, encryption is also required for the defined ips in the acl. then i
have to change the global ssf value to something and then
back to ssf=0 and it works again!
i wanted to know why this strange behaviour happens?
Maybe trace out where you start and where you're going:
* stop slapd, check with slapcat -n 0 what your initial ssf= value is
* start slapd and check with ldapsearch that that ssf= value actually is
present in cn=config
* verify that you're getting behavior that matches what cn=config says
* do your ldapmodify to ssf=1, ldapsearch cn=config to verify, verify
behavior
* do your ldapmodify to ssf=0, ldapsearch cn=config to verify, verify
behavior
Which of these work as expected? Which don't?
6:12 a.m.
On Dec 1, 2010, at 14:51 , Aaron Richton wrote:
Maybe trace out where you start and where you're going:
* stop slapd, check with slapcat -n 0 what your initial ssf= value is
as i expect: olcSecurity: ssf=0 tls=0 simple_bind=0 update_ssf=0
* start slapd and check with ldapsearch that that ssf= value actually is
present in cn=config
as i expect: olcSecurity: ssf=0 tls=0 simple_bind=0 update_ssf=0
* verify that you're getting behavior that matches what cn=config
says
now i'm getting Confidentiality required (13) for all binds, also for the
excluded ips in the ACL
that is not as it should be.
* do your ldapmodify to ssf=1, ldapsearch cn=config to verify, verify
behavior
ok now its:
olcSecurity: ssf=1 tls=0 simple_bind=0 update_ssf=0
now its obvious that only encrypted binds are allowed
* do your ldapmodify to ssf=0, ldapsearch cn=config to verify, verify
behavior
olcSecurity: ssf=0 tls=0 simple_bind=0 update_ssf=0
and now the excluded ips can use unencrypted simple binds, and for all
others encryption is required. as it should be.
Which of these work as expected? Which don't?
6:19 a.m.
On Wed, 1 Dec 2010, Christian Bösch wrote:
> * start slapd and check with ldapsearch that that ssf= value
actually is
> present in cn=config
>
as i expect: olcSecurity: ssf=0 tls=0 simple_bind=0 update_ssf=0
> * verify that you're getting behavior that matches what cn=config says
now i'm getting Confidentiality required (13) for all binds, also for the
excluded ips in the ACL
that is not as it should be.
No, doesn't sound like it is. Are you verifying this with a current
version (2.4.23 or RE24/HEAD CVS)? If so, this is probably worthy of an
ITS (http://www.openldap.org/its/).
6:23 a.m.
On Dec 1, 2010, at 15:19 , Aaron Richton wrote:
On Wed, 1 Dec 2010, Christian Bösch wrote:
>> * start slapd and check with ldapsearch that that ssf= value actually is
>> present in cn=config
>>
> as i expect: olcSecurity: ssf=0 tls=0 simple_bind=0 update_ssf=0
>
>> * verify that you're getting behavior that matches what cn=config says
>
> now i'm getting Confidentiality required (13) for all binds, also for the
> excluded ips in the ACL
> that is not as it should be.
No, doesn't sound like it is. Are you verifying this with a current
version (2.4.23 or RE24/HEAD CVS)? If so, this is probably worthy of an
ITS (http://www.openldap.org/its/).
i compiled it from freebsd ports. version 2.4.21.
4568
days inactive
4569
days old
openldap-technical@openldap.org
6 comments
2 participants
participants (2)
-
Aaron Richton -
Christian Bösch