Re: Kerberos/GSSAPI issues
On Wed, 29 Dec 2010 16:50:17 +0000,
Brian Candler <B.Candler@pobox.com> wrote:
> On Wed, Dec 29, 2010 at 07:57:43AM +0100, Dieter Kluenter wrote:
> > The default ssf of ldapi is 71, but you may change localSSF in
> > slapd.conf(5).
> > [...]
>
> Thank you, that is very clear.
>
> Having changed that, I can use EXTERNAL with minssf=112, but not
> GSSAPI. I find that if I set minssf=56 it's fine, but at minssf=57
> it isn't.
>
> It looks like this is a fundamental limitation of the GSSAPI:
> http://lists.andrew.cmu.edu/pipermail/cyrus-sasl/2006-September/000628.html
> http://lists.andrew.cmu.edu/pipermail/cyrus-sasl/2006-September/000635.html
>
> FYI, here's what I see with minssf=57 (the 'No such attribute' error
> is somewhat confusing)
>
> root@noc:~# ldapsearch
> ldap_sasl_interactive_bind_s: No such attribute (16)
> root@noc:~# ldapsearch -Y GSSAPI
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Inappropriate authentication (48)
> additional info: SASL(-15): mechanism too weak for this user:
> mech GSSAPI is too weak
That is because Kerberos DES, and thus GSSAPI, only has a security
strength factor of 56.
-Dieter
--
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95"N
10°08'02,42"E