[Date Prev][Date Next]
Re: security ssf and gssapi auto selection
At 04:06 AM 3/8/2006, Mivz wrote:
>I have configured my ldap server to use GSSAPI.
>If I do not use the security ssf statement in my slapd.conf, it auto selects GSSAPI authentication:
>SASL/GSSAPI authentication started
>SASL username: me@FQDN
>SASL SSF: 56
>SASL installing layers
># extended LDIF
># base <> with scope sub
># filter: (objectclass=*)
># requesting: gssapi
>But when I enable the security ssf statement:
>security ssf=56 update_ssf=112 simple_bind=56
>ldap_sasl_interactive_bind_s: Confidentiality required (13)
> additional info: confidentiality required
>And I have to specify -Y gssapi whit my ldapsearch and then it works as before.
>The exual result is the same.
>Wy is it that it won't auto select GSSAPI when confidentiality is required? It does not even try.
>And, of course, how can this be solved?
ssf=56 disallows the unprotected search used in auto selection
of the SASL mechanism. You might look at replacing ssf=56
with ACLs that restrict unprotected search to just the
attributes of the root DSE required for auto-selection
or just not relying on auto-selection. There are various
other restrictions you might experiment with, in particular
those of the 'require' slapd.conf(5) directive.