
Re: forcing encryption for external server access while allowing unencrypted localhost connections

At 04:30 PM 9/14/2004, Chris Paul wrote:
>Kurt D. Zeilenga wrote:
>>You've required more confidentiality protection than ldapi://
>>purports to provide.  The ldapi:// is, by default, only 71.
>>You can change the SSF by defining the macro LDAP_PVT_LOCAL_SSF
>>in your CPPFLAGS.

s/\./ to the desired ldapi:// SSF./


>Hi Kurt,
>Thanks for the response. I recompiled OpenLDAP with this option. In fact here are all my flags/options/configure statements:
>export CPPFLAGS='-I/usr/local/BerkeleyDB.4.2/include -I/usr/include -I/usr/include/openssl -DOPENSSL_NO_KRB5 -DLDAP_PVT_LOCAL_SSF'
>export LDFLAGS='-L/usr/local/BerkeleyDB.4.2/lib -L/lib/tls -L/lib'
>./configure --sysconfdir=/etc --enable-bdb=yes --disable-ldbm
>sudo make install
>Then I start slapd:
>/usr/local/libexec/slapd -u ldap -g ldap -h "ldap:// ldapi:///"
>And then I still get this:
>search: 2
>result: 13 Confidentiality required
>text: stronger confidentiality required
>And of course, like I said, I have "security ssf=128" in the /etc/openldap.conf global configuration.