[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ldapi and StartTLS

To: Norman Gray <gray@nxg.name>, openldap-technical <openldap-technical@openldap.org>
Subject: Re: ldapi and StartTLS
From: Michael Ströder <michael@stroeder.com>
Date: Mon, 16 Jul 2018 09:32:04 +0200
In-reply-to: <582721E8-C6A3-4A79-9F5F-37F00A49ADF8@nxg.name>
References: <582721E8-C6A3-4A79-9F5F-37F00A49ADF8@nxg.name>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1

On 07/11/2018 08:52 PM, Norman Gray wrote:

I would have thought (possibly naively) that StartTLS was unnecessarywhen connecting to slapd through a unix socket -- the client and theserver are on the same machine, and so don't need to be reassured abouteach other's identity.


Yes.

  However this seems not to be be the case:

% ldapsearch -LLL -H ldapi://%2Fvar%2Frun%2Fopenldap%2Fldapi'(uid=foo)'

     ldap_sasl_interactive_bind_s: Confidentiality required (13)
          additional info: stronger confidentiality required

You want to set localSSF in your config to match the minimum SSF you'veconfigured (the default is 71).

'localSSF' is old slapd.conf name and 'olcLocalSSF' the accompanyingLDAP attribute in cn=config.

dn: cn=config

> [..]

olcSecurity: ssf=128


So add to cn=config:

olcLocalSSF: 128

Ciao, Michael.

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

References:
- ldapi and StartTLS
  - From: "Norman Gray" <gray@nxg.name>

Prev by Date: Re: ldapi and StartTLS
Next by Date: Re: Where does the debugging message come from?
Index(es):
- Chronological
- Thread