Thierry Lacoste <[EMAIL PROTECTED]> writes:
> I want to force clients to use TLS except on the IPv4 loopback interface.
> As suggested by Aaron I have the following ACL as the very first one
> # first, make sure TLS or localhost
> access to *
>         by tls_ssf=1 none break
>         by peername.ip="127.0.0.1" none break
>         by * none
> followed by my "real" ACLs.
>
> Everything is working as expected but I've just noticed that I can
> bind to the server with my rootdn in cleartext.
> Is this expected? Is there a way to prevent this?
Yes, rootdn has no restrictions. To prevent this behaviour, don't create a rootpw, but create a general administration user with an appropriate policy.

-Dieter

--
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:8EF7B6C6
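As an added illustration of Dieter's suggestion (example slapd.conf fragment, not configuration from either poster): the TLS-or-localhost ACL from the question is kept as the first rule, and a second rule grants `manage` to an ordinary directory entry that takes over the administrative role. The DN `cn=ldapadmin,ou=people,dc=example,dc=com`, the suffix and the trailing ACLs are hypothetical placeholders.

```conf
# Hypothetical slapd.conf excerpt (not from the original thread).
# Rule 1: refuse everything that is neither TLS-protected nor from the
# IPv4 loopback address. "break" lets matching clients fall through to
# the rules below; everyone else is stopped here with "none".
access to *
        by tls_ssf=1 none break
        by peername.ip="127.0.0.1" none break
        by * none

# Rule 2: an ordinary entry acts as administrator instead of rootdn.
# Unlike rootdn, this identity is subject to rule 1, so it can only be
# used over TLS or from localhost. Non-admin clients fall through.
access to *
        by dn.exact="cn=ldapadmin,ou=people,dc=example,dc=com" manage
        by * break

# Rule 3: the "real" ACLs follow. The bind operation itself runs
# anonymously, so "anonymous auth" on userPassword is what lets the
# admin entry (and everyone else) authenticate at all.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

access to *
        by self write
        by users read
        by * none
```

With this layout no `rootpw` is configured for the database, so the rootdn (which ACLs never apply to) can no longer be used with a password, and every administrative bind goes through the `cn=ldapadmin` entry, which rule 1 restricts to TLS or loopback like any other client.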
