Robert Henjes <[email protected]> writes:

> Sorry for reopening / reasking the following issue.
>
> I tried to scan through all posts, but this answer seemed to be the
> closest one to my problem. (We're using OpenLDAP 2.4 on Debian Lenny)
[...]
> Situation: For deployment we want to use TLS client certificates, as
> far as possible, using TLS encryption all the way.
>
> Problem: Apache Directory Studio, as well as JXplorer, do not support
> (TLS) client certificate verification, which is agreed not to be a
> topic of OpenLDAP. But anyway...

Why do you use these broken clients at all? There are administration
clients that do support TLS and StartTLS and most of the extended
operations.

> My proposed solution:
> * All clients which support client certificate verification should
>   directly connect using TLS to the LDAP server.
> * All clients, esp. the management tools, should establish an SSH
>   tunnel to the server and connect through the localhost entity.
> * (optional) Specific clients should be able to connect via specific
>   access rules (but this is a future topic ;) )
> [...]
> # Security considerations (TESTING!!!!)
> # http://www.openldap.org/lists/openldap-software/200409/msg00535.html
> # access from 127.0.0.1 without encryption
> access to dn.subtree="dc=example,dc=com"
>         by peername.ip=127.0.0.1 write
>         by * none break
> # worldwide access requires tls encryption
> access to dn.subtree="dc=example,dc=com"
>         by ssf=128 write
>         by * none

If your question is only related to unencrypted connections from
localhost, why don't you connect via the local socket only? That is,
via ldapi:///

-Dieter

-- 
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:8EF7B6C6
53°37'09,95"N 10°08'02,42"E
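An added example of the ldapi:/// approach suggested above, not part of the original thread and not Robert's or Dieter's configuration: a slapd.conf fragment in OpenLDAP 2.4 syntax that drops the unencrypted 127.0.0.1 exception from the posted ACL, treats the local Unix socket as strong enough via localSSF, and sets a global security floor so that TCP clients, including anything reaching 127.0.0.1 through an SSH tunnel, still have to negotiate TLS. The socket path /var/run/slapd/ldapi (the Debian default) and the management identity cn=admin,dc=example,dc=com are assumptions; the suffix dc=example,dc=com comes from the posted ACL.

```conf
# Added example (not from the thread): slapd.conf fragment, OpenLDAP 2.4 syntax.
# Assumes the Debian ldapi socket /var/run/slapd/ldapi, i.e. slapd started with
# SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///" in /etc/default/slapd, and a
# management identity cn=admin,dc=example,dc=com (both are assumptions).

# SSF assigned to ldapi:// sessions (default 71).  At 128 a Unix-socket session
# satisfies the same strength requirement as a TLS session: the socket's
# filesystem permissions, not a cipher, protect the bytes on the wire.
localSSF 128

# Global floor: every session needs SSF >= 128.  Plain ldap:// on 127.0.0.1,
# whether from a local process or through an SSH tunnel, is refused with
# "Confidentiality required" unless the client negotiates StartTLS; ldapi://
# passes because of localSSF above.  This replaces the posted "by * none break"
# fall-through construct, so one rule set serves both transports.
security ssf=128

# Let uid 0 on the box bind as the admin via SASL EXTERNAL over ldapi
# (ldapwhoami -Y EXTERNAL -H ldapi:///), so no password crosses the socket.
authz-regexp
        gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth
        cn=admin,dc=example,dc=com

# Simple binds need "auth" access to userPassword; grant nothing more on it.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# The posted ACL granted write to ANY session from 127.0.0.1 and, via
# "by ssf=128 write", to ANY TLS session, authenticated or not.  Here write is
# tied to the admin identity and, as defence in depth, to the Unix socket
# (the two <who> clauses on one "by" line are ANDed).  Other clients, whether
# they authenticated with a client certificate or a password, only read.
access to dn.subtree="dc=example,dc=com"
        by peername.path="/var/run/slapd/ldapi" dn.exact="cn=admin,dc=example,dc=com" write
        by users read
        by * none
```

Two checks after restarting slapd: `ldapwhoami -Y EXTERNAL -H ldapi:///` run as root should answer `dn:cn=admin,dc=example,dc=com`, while `ldapsearch -x -H ldap://127.0.0.1 -b dc=example,dc=com` without `-ZZ` should be refused with `Confidentiality required (13)`. Note that any local user who can open the socket also gets an authenticated peercred identity and therefore read access under `by users read`; tighten the socket's permissions or the ACL if that is not wanted.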
