On Thu, Jul 26, 2018 at 01:34:52PM +0200, Hallvard Breien Furuseth wrote:
> If I were implementing a new LDAP server, I'd pick a higher default. But I'd rather not weaken security defaults in existing software.
In IRC, hbf went into a little more detail on what was meant by this: If you have an existing deployment with required SSF 100, then ldapi connections are not permitted and the admin may be expecting that. Upgrading slapd would then start allowing those ldapi connections, if there is no explicit olcLocalSSF: 71 setting, and the admin might not be expecting it, if they didn't read the upgrade notes carefully.
In general, changing defaults in a major release (i.e. 2.5) with documentation call-outs should be possible, but hbf's point is that for a security setting we should be conservative, and I agree with that and withdraw my proposal.
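
The upgrade hazard described above can be checked before an upgrade. This is an added example, not part of the original message and not OpenLDAP project code. It reads a cn=config LDIF export and reports whether ldapi connections that are refused today would start being accepted under a higher built-in default. It assumes only the global `olcSecurity` value matters, and the new default of 128 used in the test is hypothetical.

```python
DEFAULT_LOCAL_SSF = 71  # current default, per the message above

# Constructed sample exports of the global cn=config entry.
SAMPLE_UNPINNED = (
    "dn: cn=config\nobjectClass: olcGlobal\ncn: config\n"
    "olcSecurity: ssf=100 update_ssf=128\n")
SAMPLE_PINNED = SAMPLE_UNPINNED + "olcLocalSSF: 71\n"

def unfold(ldif):
    """Join LDIF continuation lines (lines starting with one space)."""
    out = []
    for line in ldif.splitlines():
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out

def global_settings(ldif):
    """Return (required_ssf, explicit olcLocalSSF or None) for cn=config."""
    required, local, in_global = 0, None, False
    for line in unfold(ldif):
        if not line.strip():          # blank line ends the entry
            in_global = False
            continue
        if line.startswith("#") or ":" not in line:
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            in_global = value.lower() == "cn=config"
        elif in_global and attr == "olcsecurity":
            for tok in value.split():  # e.g. "ssf=100 update_ssf=128"
                key, _, num = tok.partition("=")
                if key == "ssf":
                    required = max(required, int(num))
        elif in_global and attr == "olclocalssf":
            local = int(value)
    return required, local

def ldapi_upgrade_check(ldif, new_default):
    """Compare ldapi acceptance under the current and a proposed default."""
    required, local = global_settings(ldif)
    before = (DEFAULT_LOCAL_SSF if local is None else local) >= required
    after = (new_default if local is None else local) >= required
    return {"required_ssf": required, "explicit_local_ssf": local,
            "ldapi_before": before, "ldapi_after": after,
            "silently_opened": after and not before}
```

A `silently_opened` result of `True` means the deployment relies on the implicit default and should set `olcLocalSSF: 71` explicitly before upgrading.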