[Date Prev][Date Next]
Re: Increase default olcLocalSSF to 128
On Thu, Jul 26, 2018 at 01:34:52PM +0200, Hallvard Breien Furuseth wrote:
I were implementing a new LDAP server, I'd pick a higher default.
But I'd rather not weaken security defaults in existing software.
In IRC, hbf went into a little more detail on what was meant by this: If
you have an existing deployment with required SSF 100, then ldapi
connections are not permitted and the admin may be expecting that.
Upgrading slapd would then start allowing those ldapi connections, if
there is no explicit olcLocalSSF: 71 setting, and the admin might not be
expecting it, if they didn't read the upgrade notes carefully.
In general, changing defaults in a major release (i.e. 2.5) with
documentation call-outs should be possible, but hbf's point is that for
a security setting we should be conservative, and I agree with that and
withdraw my proposal.