[Date Prev][Date Next] [Chronological] [Thread] [Top]

LDAPI mechanism too weak for this user

To: "openldap-techn." <openldap-technical@openldap.org>
Subject: LDAPI mechanism too weak for this user
From: Frank Crow <fjcrow2008@gmail.com>
Date: Thu, 7 Apr 2016 16:16:47 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to; bh=8nTZuZ2zkEyk0qGAhNAjiEYCgc+IHqXoagbyNMqmWzk=; b=B1agM5vLDAjmTa6UHAWY6gGIIz71UuS5jF78KSgebxVRiCMgaTn66kTe3ZT8UoF2H5 mUQGTpbTNsekVhlNOttlL4aZodYcPoi1nWFEJShJiXOXXOB2gsz94A7UIAcna5DMknT9 fYr54B6lWdT9mJWZ2OmIwLf2DDeZBiaKvOL2fxAFsFwWtHEa+iQEpFmoFTiUgK9urb3c DH2RSMwubtjrW0QLD13/RsYXRQtkMEytkTrOVBElTXrMaPTrhH22nObR4welrfcmikD3 vz8QlQKj21AboeZktqTI0+jQkevJQRjN/srpgmAvBDrlHTd7C4mjeq2YO5i3lpQFW2tr aCTw==

I have locked down my server to disallow anonymous binds and set the SSF=128. I also have SaslSecProps: noplain,noanonymous,minssf=128

Which all seems to work fine for my usage with one exception. If I try to use any of the command line tools with "-Y EXTERNAL -H ldapi:///", I now get:

additional info: SASL(-15): mechanism too weak for this user: mech EXTERNAL is too weak

Is there some configuration item that I can change to allow that work while maintaining my existing policy of no anonymous binds for everything else, etc?

Thanks,

Frank

Follow-Ups:
- Re: LDAPI mechanism too weak for this user
  - From: Dan White <dwhite@cafedemocracy.org>
- Re: LDAPI mechanism too weak for this user
  - From: Dieter Klünter <dieter@dkluenter.de>

Prev by Date: TLS error/warning messages output
Next by Date: Re: LDAPI mechanism too weak for this user
Index(es):
- Chronological
- Thread