You want authenticated access to be on the secure channel (to protect both password and data from sniffing) while you don't want to enforce TLS to anonymous access to public data (maybe some clients are hard to configure properly for TLS).
Setting:
in cn=config would require all user to use TLS: otherwise OpenLDAP issues a "confidentiality required" error. This setting is maybe overkill.olcSecurity: ssf=36
TLS can be enforced with ACL as well.
Create a ldif file named "add_tls_for_auth.ldif" as following: and apply to config with:
ldapmodify -H ldapi:/// -Y EXTERNAL -f add_tls_for_auth.ldif
(this code assumes the default acl setup by Debian).
Explanation
The break keyword means that if you match that rule you should check next rule for the same what. So, if your ssf is strong enought or your IP is 127.0.0.1 you are allowed to check next rule about access to attrs=userPassword,shadowLastChange. Otherwise the none means userPassword is not returned so no authentication can ever succeed.In short the break keyword is a kind on logical AND between two rules.
Notes
There are two points to note:- Users are still allowed to try connection with clear text password on ldap://. Simply authntication never succeed so in a while they should stop;
- To enable ldapi:/// authenticated connection you might need to set olcLocalSSF=128 in cn=config:
No comments:
Post a Comment