Robert Henjes <[email protected]> writes:

> Sorry for reopening / re-asking the following issue.
[...]
> # The userPassword by default can be changed
> # by the entry owning it if they are authenticated.
> # Others should not be able to see it, except the
> # admin entry below
> access to attrs=userPassword,shadowLastChange
>         by peername.ip=127.0.0.1 write
>         by ssf=128 dn="cn=admin,dc=example,dc=com" write
>         by ssf=128 anonymous auth
>         by ssf=128 self write
>         by * none
[...]
> # The admin dn has full write access, everyone else
> # can read everything.
> access to *
>         by dn="cn=admin,dc=example,dc=com" write
>         by * read
> ---------------
>
> Questions:
> 1) Turning off the option "ssl tls=1" means a client can contact the server
> without encryption. If a password is transmitted, it will be rejected, but it
> is still transmitted unsecured.
> Do you have any recommendations regarding this issue?
> Possible solution: The server only responds to unencrypted requests
> on the local interface. How can I achieve this?

Use a local socket instead of an inet socket.

> 2) With the above presented solution, I can not change my own
> password as the desired user (Invalid credentials (49)), only as
> admin (root). Why?

Probably because of ssf, as you only do a simple bind and not a strong bind, as required by your ssf.

> 3) What would be the appropriate way to achieve my goal?
> * Locking the dc=example,dc=com base from all unencrypted access
> from "worldwide" hosts. (admin should still have full access, but
> encryption has to be enforced)

Run slapd on secure ports only, something like

slapd -h "ldapi:/// ldap://127.0.0.1/ ldaps://192.168.0.1/"

[...]

-Dieter
--
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:8EF7B6C6
53°37'09,95"N 10°08'02,42"E
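As an added illustration (not part of Dieter's reply or of Robert's quoted configuration), the following slapd.conf fragment puts the three answers together: the listeners restricted to ldapi, loopback and ldaps, the ssf-gated ACLs, and a `security` directive so that a cleartext simple bind is refused rather than accepted and then denied by the ACL. The base DN, admin DN and the two IP addresses are the ones from the thread; the certificate paths and `uid=USER` are placeholders, and the `localSSF` / `security` directives are standard slapd.conf directives that the thread itself does not mention.

```conf
# slapd.conf fragment, added illustration. Names from the thread:
# dc=example,dc=com, cn=admin,dc=example,dc=com, 127.0.0.1, 192.168.0.1.
# Start the server with only the listeners Dieter suggests:
#   slapd -h "ldapi:/// ldap://127.0.0.1/ ldaps://192.168.0.1/"

# Server certificate material (placeholder paths, adjust to the installation).
TLSCACertificateFile   /etc/ldap/ssl/ca.pem
TLSCertificateFile     /etc/ldap/ssl/slapd-cert.pem
TLSCertificateKeyFile  /etc/ldap/ssl/slapd-key.pem

# Sessions on the ldapi:/// socket are assigned ssf 71 by default, so a
# "by ssf=128 ..." clause would never match them. Raise it so local socket
# sessions clear the same threshold as TLS sessions.
localSSF 128

# Refuse any simple bind (DN + password) that is not protected by at least
# 128 bits of session security. The bind is rejected before the ACLs are
# consulted, which is the difference to the quoted setup: there the server
# accepted the bind attempt and only the ACL said "none".
security simple_bind=128

# The "by peername.ip=127.0.0.1 write" line from the quoted config is dropped:
# it let any local process rewrite every password without authenticating.
access to attrs=userPassword,shadowLastChange
        by ssf=128 dn="cn=admin,dc=example,dc=com" write
        by ssf=128 anonymous auth
        by ssf=128 self write
        by * none

# Everything else: admin writes, authenticated users read, both only over a
# protected session. Anonymous cleartext reads are deliberately not allowed.
access to *
        by ssf=128 dn="cn=admin,dc=example,dc=com" write
        by ssf=128 users read
        by * none

# Client side (uid=USER is a placeholder):
# A user changes their own password over ldaps; the session has ssf >= 128,
# so "by ssf=128 self write" matches:
#   ldappasswd -x -H ldaps://192.168.0.1/ -D "uid=USER,dc=example,dc=com" -W -S
# The same bind over ldap://127.0.0.1/ without StartTLS has ssf 0 and is
# refused; with -ZZ (StartTLS required) it succeeds:
#   ldappasswd -x -H ldap://127.0.0.1/ -ZZ -D "uid=USER,dc=example,dc=com" -W -S
```

The two `ssf=128` values in the ACLs are what produced Robert's "Invalid credentials (49)": a plain simple bind carries ssf 0, so neither `by ssf=128 anonymous auth` nor `by ssf=128 self write` matches and the `by * none` default applies. The fragment keeps those clauses and instead makes sure every path a client can take (ldapi, loopback with StartTLS, ldaps) actually reaches ssf 128.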
