
Re: LDAPI mechanism too weak for this user



On 08.04.2016 09:11, Dieter Klünter wrote:
> Am Thu, 7 Apr 2016 16:16:47 -0400
> schrieb Frank Crow <fjcrow2008@gmail.com>:
> 
>> I have locked down my server to disallow anonymous binds and set the
>> SSF=128.   I also have SaslSecProps: noplain,noanonymous,minssf=128
>>
>> Which all seems to work fine for my usage with one exception.   If I
>> try to use any of the command line tools with "-Y EXTERNAL -H
>> ldapi:///", I now get:
>>
>> additional info: SASL(-15): mechanism too weak for this user: mech
>> EXTERNAL is too weak
>>
>> Is there some configuration item that I can change to allow that to work
>> while maintaining my existing policy of no anonymous binds for
>> everything else, etc?
> 
> The default ssf for ldapi is 71, but you may configure a security
> strength factor to your liking. See manual page slapd.conf(5) localSSF.
> 

Another way is to make an ACL with different restrictions for ssf. See
the man page slapd.access and the official documentation, section 8.4.9.

best regards
Michael


> -Dieter
> 


-- 
Michael Wandel
Braakstraße 43
33647 Bielefeld