[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ldapmodify -Y EXTERNAL failure - Confidentiality required (13)

To: Mark Foster <mdf@extrahop.com>
Subject: Re: ldapmodify -Y EXTERNAL failure - Confidentiality required (13)
From: Ryan Tandy <ryan@nardis.ca>
Date: Wed, 25 Jul 2018 18:11:04 -0700
Cc: openldap-technical@openldap.org
Content-disposition: inline
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nardis.ca; s=google; h=date:from:to:cc:subject:message-id:mail-followup-to:references :mime-version:content-disposition:in-reply-to:user-agent; bh=PZAUImLllnGNvsuFahyLDKSgtPP9GXWkHfH3BTjnKIk=; b=rctwvRshO9MTVN7c2IxwhFPqT8EkTv3wVGI9pR5yKzWot+AaD4+NP+s73vwDIDQYfg RitV88ujY4MjVXAr59HzeHHjS4Qx58eDa3Dhv0PSsD9VlyWa4mzQvIcrsALJQ4g1arWA 8O5JdxaHXP3pQ3k5hrxCjQdDOuO0PuHdAAJMc=
In-reply-to: <CAKaR4i8XuK3o-6d98poBXSnMEc2eSD23su09ww_cunytVHokOg@mail.gmail.com>
Mail-followup-to: Mark Foster <mdf@extrahop.com>, openldap-technical@openldap.org
References: <CAKaR4i8XuK3o-6d98poBXSnMEc2eSD23su09ww_cunytVHokOg@mail.gmail.com>
User-agent: NeoMutt/20170113 (1.7.2)

On Tue, Jul 24, 2018 at 10:38:10AM -0700, Mark Foster wrote:

The log says
slapd[1266]: conn=6619437 op=0
BIND dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
mech=EXTERNAL sasl_ssf=0 ssf=71

This is my olcSecurity setting:
olcSecurity: ssf=128 simple_bind=128

How would I fix this? It seems to be a catch-22.

The olcLocalSSF setting controls the SSF assigned to ldapi://connections. Your log above shows that your connection got an SSF of 71,which is the default value for olcLocalSSF; meanwhile you've configuredolcSecurity to require a minimum of 128. So you need to increaseolcLocalSSF to at least 128, or reduce olcSecurity.

References:
- ldapmodify -Y EXTERNAL failure - Confidentiality required (13)
  - From: Mark Foster <mdf@extrahop.com>

Prev by Date: Re: ldapmodify -Y EXTERNAL failure - Confidentiality required (13)
Next by Date: Syncrepl + suffixmassage + uniqueMember
Index(es):
- Chronological
- Thread