From: Kurt Zeilenga <kurt@openldap.org>
Date: Tue, 18 Jun 2002 07:41:56 +0000 (+0000)
Subject: SSF discussion
X-Git-Tag: NO_SLAP_OP_BLOCKS~1414
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=0d21db2858af051e97b68fd2c664387043973e33;p=openldap

SSF discussion
---

diff --git a/doc/guide/admin/security.sdf b/doc/guide/admin/security.sdf
index 076b40698f..df5714f9de 100644
--- a/doc/guide/admin/security.sdf
+++ b/doc/guide/admin/security.sdf
@@ -76,11 +76,30 @@ A number of {{TERM[expand]SASL}} (SASL) mechanisms, such as DIGEST-MD5
 and {{TERM:GSSAPI}}, provide integrity and confidentiality protection.
 See the {{SECT:Using SASL}} chapter for more information.
 
+
+H3: Security Strength Factors
+
 The server uses {{TERM[expand]Security Strength Factors}} (SSF) to
 indicate the relative strength of protection.  A SSF of zero (0)
 indicates no protections are in place.  A SSF of one (1) indicates
 integrity protection are in place.  A SSF greater than one (>1)
 roughly correlates to the effective encryption key length.  For
 example, {{TERM:DES}} is 56, {{TERM:3DES}} is 112, and {{TERM:AES}}
-is 128.
+128, 192, or 256.
+
+A number of administrative controls rely on SSFs associated with
+TLS and SASL protection in place on an LDAP session.
+
+{{EX:security}} controls disallow operations when appropriate
+protections are not in place.  For example:
+
+>	security ssf=1 update_ssf=112
+
+requires integrity protection for all operations and encryption
+protection, 3DES equivalent, for update operations (e.g. add,
+delete, modify, etc.).  See {{slapd.conf}}(5) for details.
+
+For finer grained control, SSFs may be used in access controls.
+See {{SECT:Access Control}} section of the {{SECT:The slapd
+Configuration File}} for more information.