I want to force clients to use TLS except on the IPv4 loopback interface.
As suggested by Aaron I have the following ACL as the very first one
# first, make sure TLS or localhost
access to *
by tls_ssf=1 none break
by peername.ip="127.0.0.1" none break
by * none
followed by my "real" ACLs.Everything is working as expected but I've just noticed that I can bind to the server with my rootdn in cleartext. Is this expected? Is there a way to prevent this? Regards, Thierry.
