On 10 Jan 2015, at 23:45, Michael Ströder <mich...@stroeder.com> wrote:

> wie...@porcupine.org (Wietse Venema) wrote:
>> Viktor Dukhovni:
>>> On Sat, Jan 10, 2015 at 08:22:17PM +0100, Michael Ströder wrote:
>>> 
>>>> Are there any plans to support encrypted connections with tcp_table(5) maps?
>>>> Something like a stcp: map?
>>>> 
>>>> Of course I can use stunnel -c but it would be nice if it's possible without
>>>> another moving part.
>>> 
>>> The Unix philosophy says you use stunnel.
>> 
>> If the client and server are on the same host, I would not bother
>> with TLS (if you can use a privileged port for the service, then
>> it can't be spoofed by non-root users).
> 
> They are not on the same host.
> 
> I want to implement a tcp_table_ldap_proxy daemon which can do paranoid input
> checks (and some more things) and avoid granting full LDAP access for systems
> in the DMZ. And yes, I know how to use OpenLDAP ACLs.

As Viktor says, use stunnel for transport security. OpenSSH is also an 
option; the latest release even supports Unix domain socket forwarding.

We use stunnel for our mail proxy, with nginx talking to backend 
servers via stunnel, and it works like a charm. Very stable.

Kind regards,
Joni
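As an added illustration of the stunnel approach discussed in this thread (not configuration from any poster, and not part of Postfix), here is a pair of stunnel 5 configurations that carry a Postfix tcp: lookup to the proposed tcp_table_ldap_proxy over TLS with certificate verification on both ends, which a bare `stunnel -c` does not enforce by default. The host name ldapproxy.example.net, port 2345, the stunnel user and all file paths are assumed.

```ini
; --- Postfix host: /etc/stunnel/tcp-table-client.conf (assumed path) ---
foreground = no
pid = /var/run/stunnel-tcp-table.pid
setuid = stunnel
setgid = stunnel
; Refuse the older protocol versions; TLS 1.2 is the floor here.
sslVersion = TLSv1.2

[tcp-table-client]
client = yes
; Postfix speaks the plaintext tcp_table protocol to loopback only.
accept = 127.0.0.1:2345
; Assumed name of the host running the LDAP proxy daemon.
connect = ldapproxy.example.net:2345
; Without these two lines stunnel would accept any certificate:
; verify the chain against a private CA and check the host name.
CAfile = /etc/stunnel/proxy-ca.pem
verifyChain = yes
checkHost = ldapproxy.example.net
; Present a client certificate so the proxy can reject anonymous callers.
cert = /etc/stunnel/postfix-client.pem
key = /etc/stunnel/postfix-client.key

; --- Proxy host: /etc/stunnel/tcp-table-server.conf (assumed path) ---
foreground = no
pid = /var/run/stunnel-tcp-table-server.pid
setuid = stunnel
setgid = stunnel
sslVersion = TLSv1.2

[tcp-table-server]
; TLS listener reachable from the Postfix host.
accept = 2345
; The proxy daemon itself listens in plaintext on loopback only.
connect = 127.0.0.1:2345
cert = /etc/stunnel/proxy.pem
key = /etc/stunnel/proxy.key
; Require a client certificate and verify it against the CA that
; issued the Postfix host's certificate (mutual TLS).
CAfile = /etc/stunnel/client-ca.pem
requireCert = yes
verifyChain = yes
```

On the Postfix side the map then points at the loopback listener, for example `virtual_alias_maps = tcp:127.0.0.1:2345`, so the only cleartext hop is on the local host. The proxy daemon should bind to 127.0.0.1 only, otherwise the TLS wrapper can be bypassed by connecting to it directly.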
