Re: Increase default olcLocalSSF to 128

On 26 July 2018 09:04, Dieter Klünter wrote:
On Thu, 26 Jul 2018 08:19:34 +0200,
Michael Ströder <michael@stroeder.com> wrote:

On 07/26/2018 04:47 AM, Ryan Tandy wrote:
I propose increasing the default olcLocalSSF to 128. Mentioned
initially on IRC, now bringing it to the list for completeness and

In typical setups people want to require TLS *or* ldapi, and
ssf=128 seems like a pretty common olcSecurity setting for current


I'd rather leave it alone.

I prefer to leave it alone, except maybe clarify the doc.  Currently
if you want ldapi Bind and you have set ssf, you probably set it high
so must also set localssf.  If we pick some higher default, then some
people who set ssf must also set localssf, others need not.

If I were implementing a new LDAP server, I'd pick a higher default.
But I'd rather not weaken security defaults in existing software.

But why not choose an even higher value like 256?

Indeed.  However, any particular value will be wrong for someone.
Depends on how safe your filesystem setup is and whether it's easier
to break in to get at the ldapi socket than it is to just attack slapd.

I really wonder why it was set to 71.

As Kurt mentioned at the 1st LDAPCon in Cologne, it is a higher value than 56
and less than 128.

I.e. between DES (56) and "RC4, Blowfish and other modern strong
ciphers" (128) described for olcSaslSecProps minssf in man slapd-config.
Also lower than triple DES (112).

Maybe a number of people should update their "pretty common
olcSecurity setting" of 128:-)  I don't know the values for more
modern ciphers.
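
The interaction discussed in this thread (an olcSecurity ssf requirement set above olcLocalSSF shuts out ldapi:// clients) can be checked offline against an exported cn=config LDIF. The following is an added example, not code from the thread or from OpenLDAP; the sample LDIF is constructed, the function names are hypothetical, and it assumes only the overall factors `ssf` and `update_ssf` are compared against the local SSF, with 71 as the default mentioned above.

```python
import re

DEFAULT_LOCAL_SSF = 71  # default value discussed in the thread
OVERALL_FACTORS = ("ssf", "update_ssf")  # assumption: only these are checked here

# Constructed sample, not taken from a real server.
SAMPLE_LDIF = """\
dn: cn=config
objectClass: olcGlobal
olcSecurity: ssf=128

dn: olcDatabase={1}mdb,cn=config
objectClass: olcMdbConfig
olcSecurity: ssf=1 update_ssf=256
"""

def parse_entries(ldif):
    """Yield (dn, [(attr_lower, value), ...]) for each LDIF entry."""
    unfolded = re.sub(r"\n ", "", ldif)  # undo LDIF line folding
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        attrs = []
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            attrs.append((name.strip().lower(), value.strip()))
        dn = next((v for n, v in attrs if n == "dn"), "?")
        yield dn, attrs

def ldapi_lockouts(ldif):
    """Return (local_ssf, findings); each finding is (dn, factor, required)."""
    entries = list(parse_entries(ldif))
    local_ssf = DEFAULT_LOCAL_SSF
    for _, attrs in entries:
        for name, value in attrs:
            if name == "olclocalssf":  # global setting overrides the default
                local_ssf = int(value)
    findings = []
    for dn, attrs in entries:
        for name, value in attrs:
            if name != "olcsecurity":
                continue
            for factor, required in re.findall(r"(\w+)=(\d+)", value):
                if factor in OVERALL_FACTORS and int(required) > local_ssf:
                    findings.append((dn, factor, int(required)))
    return local_ssf, findings

if __name__ == "__main__":
    local_ssf, findings = ldapi_lockouts(SAMPLE_LDIF)
    for dn, factor, required in findings:
        print(f"{dn}: {factor}={required} > olcLocalSSF={local_ssf}")
```

Each finding marks an entry whose requirement an ldapi:// connection cannot meet until olcLocalSSF is raised to at least that value.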