I'm using TLS but would like to force clients to connect using TLS, sans the loopback device or the LDAP server itself. I found this post from 2006 which suggests the following. It doesn't work for me:

    # first, make sure TLS or localhost
    access to *
        by tls_ssf=1 none break
        by peername.ip="127.0.0.1" none break
        by * none

    # "real" ACL(s) go here, something like
    access to *
        by self write
        by users read
        by anonymous auth

My current real ACLs are below; 10.3.5.205 is the IP address of the system on the loopback interface. These settings still allow any system to connect without using TLS. If I change the line in the last ACL to "by users read", then I can't connect on the loopback anymore. What am I doing wrong?

    # gate: TLS or local clients continue to the ACLs below, everyone else gets nothing
    access to *
        by tls_ssf=1 none break
        by peername.ip="127.0.0.1" none break
        by peername.ip="10.3.5.205" none break
        by * none

    # password-type attributes: owner may write, anyone else may only bind with them
    access to dn.children="ou=people,dc=test,dc=lott" attrs=userPassword,sambaLMPassword,sambaNTPassword,shadowMax
        by self write
        by * auth break

    # account/password-policy attributes
    access to dn.children="ou=people,dc=test,dc=lott" attrs=userPassword,sambaLMPassword,sambaNTPassword,shadowLastChange,sambaPwdMustChange,sambaPwdLastSet,pwdReset,pwdChangedTime,pwdPolicySubentry,shadowMax,mail,pwdAccountLockedTime,sambaKickoffTime,shadowExpire,shadowWarning,shadowFlag,sambaAcctFlags,sambaPasswordHistory,mail,givenName
        by dn.base="cn=root,dc=txcat,dc=lott" write
        by group.base="cn=infrastructure,ou=test,ou=groups,dc=test,dc=lott" write
        by dn.base="uid=ldapmgr,ou=people,dc=test,dc=lott" write
        by * read

    # sudoers
    access to dn.exact="cn=admins,ou=SUDOers,dc=test,dc=lott" attrs=sudoUser
        by dn.base="cn=root,dc=test,dc=lott" write
        by group.base="cn=infrastructure,ou=test,ou=groups,dc=test,dc=lott" write
        by * read

    access to dn.subtree="ou=SUDOers,dc=test,dc=lott" attrs=sudoUser,sudoCommand,sudoHost,sudoOption
        by dn.base="cn=root,dc=test,dc=lott" write
        by group.base="cn=infrastructure,ou=test,ou=groups,dc=test,dc=lott" write
        by * read

    # everything else
    access to *
        by dn.base="cn=root,dc=test,dc=lott" write
        by group.base="cn=infrastructure,ou=test,ou=groups,dc=test,dc=lott" read
        by group.base="cn=operations,ou=test,ou=groups,dc=test,dc=lott" read
        by dn.base="uid=ldapmgr,ou=people,dc=test,dc=lott" read
        by * read
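For reference, an added example that is not part of the question above nor taken from the OpenLDAP documentation: the same "TLS for remote clients, plaintext only for local ones" requirement written out as a slapd.conf fragment in two ways, once as the ACL gate from the 2006 post and once with the `security` and `localSSF` directives, which reject the operation instead of merely returning nothing. The socket path, the host address 10.3.5.205, the suffix dc=test,dc=lott and the strength value 128 are assumptions chosen for the example.

```conf
# Added example, not from the question: require TLS for remote clients,
# exempt local clients. Assumed values: the ldapi:// socket is
# /var/run/slapd/ldapi, the host's own address is 10.3.5.205, the
# suffix is dc=test,dc=lott.

# --- Option A: ACL gate ------------------------------------------------
# The first "access to" directive is evaluated before all others. Every
# "by" clause that matches grants "none" but "break" continues with the
# next directive, so the real ACLs further down decide what the client
# may do. A session matching no exemption reaches "by * none", which
# stops evaluation: nothing is ever returned over a plaintext session.
#
# tls_ssf= counts only TLS strength (ssf= would also accept a strong SASL
# layer). Require a real cipher strength rather than 1 so a NULL-cipher
# TLS session does not slip through.
access to *
    by tls_ssf=128 none break
    by peername.path="/var/run/slapd/ldapi" none break
    by peername.ip="127.0.0.1" none break
    by peername.ip="10.3.5.205" none break
    by * none

# Password attribute: the owner may change it, everyone else may only use
# it to bind ("auth"), never read it.
access to dn.children="ou=people,dc=test,dc=lott" attrs=userPassword
    by self write
    by anonymous auth
    by * none

# Everything else: authenticated users read, anonymous gets nothing.
access to *
    by users read
    by * none

# --- Option B: security directive (instead of, or on top of, option A) --
# slapd refuses any operation with "confidentiality required" (LDAP
# result 13) unless the session's SSF is at least 128; simple_bind=128
# additionally refuses password binds below that strength, so credentials
# never cross the wire in clear. StartTLS itself is exempt, so a client
# can still upgrade the session first.
# localSSF assigns that strength to ldapi:// (Unix socket) sessions, so
# local tools keep working without TLS. Note that loopback *TCP*
# (ldap://127.0.0.1) gets no such exemption under this option; point local
# tools at ldapi:/// instead.
localSSF 128
security ssf=128 simple_bind=128
```

Either way, ACLs never stop a TCP connection or an anonymous bind; they only decide what the session can see and do. To check the result, compare `ldapsearch -x -H ldap://host -b dc=test,dc=lott` (plaintext: no entries under option A, "confidentiality required" under option B) with the same search using `-ZZ`, which fails unless StartTLS succeeds, and with `-H ldapi:///` from the host itself.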