Re: Kerberos/GSSAPI issues
Brian Candler wrote:
Supplementary question: I tried to set minssf so as to require encryption,
# ldapmodify -Y EXTERNAL -H ldapi:///<<EOS
Unfortunately I now seem to have locked myself out from using the EXTERNAL
# ldapsearch -s base -b "cn=config" -Y EXTERNAL -H ldapi:///
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Inappropriate authentication (48)
additional info: SASL(-15): mechanism too weak for this user: mech EXTERNAL is too weak
(a) it would be nice to know how to recover from this. If I stop slapd and
edit /etc/ldap/slapd.d/cn\=config.ldif directly, that seems to be OK, but
are there any risks in directly manipulating the config in this way?
The main risk is that if you enter any typos or syntax errors, slapd will
refuse to start. You should probably use slapmodify instead, so at least
you'll get some syntax checking.
(b) how can I enforce encryption for Kerberos users without locking myself
out of EXTERNAL?
Read the slapd-config(5) manpage, olcLocalSSF.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
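
The olcLocalSSF setting pointed to above, as an added example that is not part of the original thread. It assumes the locked-out configuration used `minssf=128` (the value actually set is not shown on this page), and `localssf.ldif` is a hypothetical file name.

```ldif
# Constructed example, not from the original messages.
# Assumption: olcSaslSecProps was set to minssf=128.
#
# slapd rates local sessions (the ldapi:// listener) at olcLocalSSF, which
# defaults to 71 per slapd-config(5). 71 is below the assumed minssf of 128,
# so SASL/EXTERNAL over ldapi:/// is refused as "too weak".
#
# Offline repair with slapd stopped, using slapmodify as suggested above so
# the change is syntax-checked (config directory as named in the thread):
#   slapmodify -F /etc/ldap/slapd.d -n 0 -l localssf.ldif
#
# Rate local sessions at the same strength that minssf demands:
dn: cn=config
changetype: modify
replace: olcLocalSSF
olcLocalSSF: 128
```

olcLocalSSF only changes how the ldapi:// listener is rated, so Kerberos/GSSAPI clients connecting over the network are still held to the configured minssf. Raising it asserts that the local socket is trusted at that strength, so access to the socket should stay restricted by filesystem permissions.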