[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: LDAPI mechanism too weak for this user

To: Frank Crow <fjcrow2008@gmail.com>
Subject: Re: LDAPI mechanism too weak for this user
From: Dan White <dwhite@cafedemocracy.org>
Date: Thu, 7 Apr 2016 15:47:25 -0500
Cc: "openldap-techn." <openldap-technical@openldap.org>
Content-disposition: inline
In-reply-to: <CAB+L7KeA-q3-qcbPF0Hg8UNkyMswUUqN1L8xoKPftSR9jgRTNQ@mail.gmail.com>
References: <CAB+L7KeA-q3-qcbPF0Hg8UNkyMswUUqN1L8xoKPftSR9jgRTNQ@mail.gmail.com>
User-agent: Mutt/1.5.24 (2015-08-30)

On 04/07/16 16:16 -0400, Frank Crow wrote:

I have locked down my server to disallow anonymous binds and set the
SSF=128.   I also have SaslSecProps: noplain,noanonymous,minssf=128

Which all seems to work fine for my usage with one exception.   If I try to
use any of the command line tools with "-Y EXTERNAL -H ldapi:///", I now
get:

additional info: SASL(-15): mechanism too weak for this user: mech EXTERNAL
is too weak

Is there some configuration item that I can change to allow that work while
maintaining my existing policy of no anonymous binds for everything else,
etc?


Set olcLocalSSF to your desired value within your server config.

--
Dan White

References:
- LDAPI mechanism too weak for this user
  - From: Frank Crow <fjcrow2008@gmail.com>

Prev by Date: LDAPI mechanism too weak for this user
Next by Date: Re: LDAPI mechanism too weak for this user
Index(es):
- Chronological
- Thread