Red Hat Bugzilla – Bug 436979
ACI fails to match authmethod="ssl" on a TLS encrypted bind/search
Last modified: 2015-01-04 18:31:15 EST
Description of problem:
If I put an ACI on the top of my tree for "anyone", it doesn't allow access when
a client connects using TLS and the ACI specifies authmethod="ssl" as documented
in the admin. guide, section 6.4.9.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Setup SSL on server as per documentation using a self-signed CA to sign the
2. Setup SSL on client and provide copy of CA cert. Use ldapsearch -x -ZZ ...
to confirm connection is encrypted. e.g.
[11/Mar/2008:14:57:52 -0400] conn=1415 op=0 EXT oid="126.96.36.199.4.1.1466.20037"
[11/Mar/2008:14:57:52 -0400] conn=1415 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[11/Mar/2008:14:57:52 -0400] conn=1415 SSL 256-bit AES
3. Setup ACI like the following on the root node, try using same ldapsearch with
and without the 'and authmethod="ssl"' component.
The search returns nothing with ssl part and returns everything without it.
The search should return everything in both cases.
(targetattr = "*")
allow (read,compare,search)(userdn = "ldap:///anyone" and authmethod="ssl");
I guess the documentation is not clear. The authmethod keyword is for
authentication method e.g. what credentials and what mechanism did the user
present to authenticate to the directory. "ssl" means that the user provided a
user certificate (or smart card, or some other pki device) to authenticate to
Unfortunately, there is no way, using access control, to specify that the
connection must have a certain level of protection. For example, with openldap,
you can say ssf=56 meaning the connection must have SSF level 56 or higher to
connect (e.g. TLS/SSL or SASL using DES).