[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: forcing encryption for external server access while allowing unencrypted localhost connections

Kurt D. Zeilenga wrote:

You've required more confidentiality protection than ldapi://
purports to provide.  The ldapi:// is, by default, only 71.
You can change the SSF by defining the macro LDAP_PVT_LOCAL_SSF
in your CPPFLAGS.

Hi Kurt,

Thanks for the response. I recompiled OpenLDAP with this option. In fact here are all my flags/options/configure statements:

export CPPFLAGS='-I/usr/local/BerkeleyDB.4.2/include -I/usr/include -I/usr/include/openssl -DOPENSSL_NO_KRB5 -DLDAP_PVT_LOCAL_SSF'
export LDFLAGS='-L/usr/local/BerkeleyDB.4.2/lib -L/lib/tls -L/lib'
./configure --sysconfdir=/etc --enable-bdb=yes --disable-ldbm
sudo make install

Then I start slapd:

/usr/local/libexec/slapd -u ldap -g ldap -h "ldap:// ldapi:///"

And then I still get this:

search: 2
result: 13 Confidentiality required
text: stronger confidentiality required

And of course, like I said, I have "security ssf=128" in the /etc/openldap.conf global configuration.