I'm using TLS but would like to force clients to connect using TLS sans the
loopback device or LDAP server itself.

I found this post from 2006 which suggests the following. 

It doesn't work for me:

# first, make sure TLS or localhost
access to *
        by tls_ssf=1 none break
        by peername.ip="127.0.0.1" none break
        by * none

# "real" ACL(s) go here, something like
access to *
        by self write
        by users read
        by anonymous auth


My current real ACLs:

10.3.5.205 is the IP address of the system on the loopback interface.
These settings still allow any system to connect without using TLS.
If I change the line in the last ACL to "by users read" then I can't connect
on the loopback anymore. What am I doing wrong?

access to *
        by tls_ssf=1 none break
        by peername.ip="127.0.0.1" none break
        by peername.ip="10.3.5.205" none break
        by * none

access to dn.children="ou=people,dc=test,dc=lott"
        attrs=userPassword,sambaLMPassword,sambaNTPassword,shadowMax
        by self write
        by * auth break

access to dn.children="ou=people,dc=test,dc=lott"
        attrs=userPassword,sambaLMPassword,sambaNTPassword,shadowLastChange,sambaPwdMustChange,sambaPwdLastSet,pwdReset,pwdChangedTime,pwdPolicySubentry,shadowMax,mail,pwdAccountLockedTime,sambaKickoffTime,shadowExpire,shadowWarning,shadowFlag,sambaAcctFlags,sambaPasswordHistory,mail,givenName
        by dn.base="cn=root,dc=txcat,dc=lott" write
        by group.base="cn=infrastructure,ou=test,ou=groups,dc=test,dc=lott" write
        by dn.base="uid=ldapmgr,ou=people,dc=test,dc=lott" write
        by * read

access to dn.exact="cn=admins,ou=SUDOers,dc=test,dc=lott"
        attrs=sudoUser
        by dn.base="cn=root,dc=test,dc=lott" write
        by group.base="cn=infrastructure,ou=test,ou=groups,dc=test,dc=lott" write
        by * read


access to dn.subtree="ou=SUDOers,dc=test,dc=lott"
        attrs=sudoUser,sudoCommand,sudoHost,sudoOption
        by dn.base="cn=root,dc=test,dc=lott" write
        by group.base="cn=infrastructure,ou=test,ou=groups,dc=test,dc=lott" write
        by * read

access to *
        by dn.base="cn=root,dc=test,dc=lott" write
        by group.base="cn=infrastructure,ou=test,ou=groups,dc=test,dc=lott" read
        by group.base="cn=operations,ou=test,ou=groups,dc=test,dc=lott" read
        by dn.base="uid=ldapmgr,ou=people,dc=test,dc=lott" read
        by * read
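To trace how the "TLS or localhost" gate from the 2006 post is evaluated, here is an added example (not code from the original post) that models the slapd.access(5) evaluation order in Python: first matching `access to` clause, first matching `by` clause, `stop` ends evaluation, `break` moves on to the next clause, and an implicit `by * none` / `access to * by * none` closes everything. The client addresses and entry DNs are constructed; only `stop` and `break` with plain (non-incremental) levels are modelled.

```python
# Added example, not from the original post: a model of OpenLDAP's documented
# ACL evaluation (slapd.access(5)) used to trace the 2006 "TLS or localhost"
# gate. Rules modelled: first 'access to' clause covering the entry is used;
# its 'by' clauses are tried in order; the first match decides; 'stop' ends
# evaluation, 'break' continues with the next 'access to' clause; an implicit
# 'by * none' ends each clause and 'access to * by * none' ends the list.
from dataclasses import dataclass
from typing import Callable

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

@dataclass
class Client:
    ip: str         # peer address as slapd sees it (peername.ip)
    tls: bool       # True when the session is TLS-protected (tls_ssf >= 1)
    bound_dn: str   # "" for an anonymous session

@dataclass
class By:
    who: Callable[[Client, str], bool]   # subject test over (client, entry dn)
    level: str
    control: str = "stop"

# The gate from the 2006 post followed by its "real" ACL, transcribed into the
# model above (constructed for this example; 'self', 'users', 'anonymous').
ACL = [
    ("*", [By(lambda c, e: c.tls, "none", "break"),
           By(lambda c, e: c.ip == "127.0.0.1", "none", "break"),
           By(lambda c, e: True, "none")]),
    ("*", [By(lambda c, e: c.bound_dn != "" and c.bound_dn == e, "write"),
           By(lambda c, e: c.bound_dn != "", "read"),
           By(lambda c, e: c.bound_dn == "", "auth")]),
]

def evaluate(acl, client, entry_dn):
    """Return the access level the client ends up with on entry_dn."""
    for target, bys in acl:
        if target not in ("*", entry_dn):
            continue            # clause does not cover this entry
        for by in bys:
            if by.who(client, entry_dn):
                if by.control == "stop":
                    return by.level
                break           # 'break': carry on with the next access clause
        else:
            return "none"       # implicit 'by * none' closing the clause
    return "none"               # implicit 'access to * by * none'

def allows(acl, client, entry_dn, wanted):
    # True if the evaluated level is at least the requested privilege
    return LEVELS.index(evaluate(acl, client, entry_dn)) >= LEVELS.index(wanted)
```

Note that the gate only decides what an already-established session may do with entries; it cannot refuse the TCP connection or the bind attempt itself, which is what slapd's `security` directive governs.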
