[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: LDAPI mechanism too weak for this user

To: openldap-technical@openldap.org
Subject: Re: LDAPI mechanism too weak for this user
From: Dieter Klünter <dieter@dkluenter.de>
Date: Fri, 8 Apr 2016 09:11:56 +0200
In-reply-to: <CAB+L7KeA-q3-qcbPF0Hg8UNkyMswUUqN1L8xoKPftSR9jgRTNQ@mail.gmail.com>
Organization: AVCI
References: <CAB+L7KeA-q3-qcbPF0Hg8UNkyMswUUqN1L8xoKPftSR9jgRTNQ@mail.gmail.com>

Am Thu, 7 Apr 2016 16:16:47 -0400
schrieb Frank Crow <fjcrow2008@gmail.com>:

> I have locked down my server to disallow anonymous binds and set the
> SSF=128.   I also have SaslSecProps: noplain,noanonymous,minssf=128
> 
> Which all seems to work fine for my usage with one exception.   If I
> try to use any of the command line tools with "-Y EXTERNAL -H
> ldapi:///", I now get:
> 
> additional info: SASL(-15): mechanism too weak for this user: mech
> EXTERNAL is too weak
> 
> Is there some configuration item that I can change to allow that work
> while maintaining my existing policy of no anonymous binds for
> everything else, etc?

The default ssf for ldapi is 71, but you may configure a security
strength factor to your liking. See manual page slapd.conf(5) localSSF.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E

Follow-Ups:
- Re: LDAPI mechanism too weak for this user
  - From: Michael Wandel <m.wandel@t-online.de>

References:
- LDAPI mechanism too weak for this user
  - From: Frank Crow <fjcrow2008@gmail.com>

Prev by Date: Re: LDAPI mechanism too weak for this user
Next by Date: Re: LDAPI mechanism too weak for this user
Index(es):
- Chronological
- Thread