Re: ldapi and StartTLS

On 07/11/2018 08:52 PM, Norman Gray wrote:
I would have thought (possibly naively) that StartTLS was unnecessary when connecting to slapd through a unix socket -- the client and the server are on the same machine, and so don't need to be reassured about each other's identity.


  However this seems not to be the case:

    % ldapsearch -LLL -H ldapi://%2Fvar%2Frun%2Fopenldap%2Fldapi '(uid=foo)'
    ldap_sasl_interactive_bind_s: Confidentiality required (13)
        additional info: stronger confidentiality required

You want to set localSSF in your config to match the minimum SSF you've configured (the default is 71).

'localSSF' is the old slapd.conf name and 'olcLocalSSF' the accompanying LDAP attribute in cn=config.

dn: cn=config
olcSecurity: ssf=128

So add to cn=config:

olcLocalSSF: 128

Ciao, Michael.
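As an added illustration that is not part of the thread above, the script below reads a cn=config entry as "ldapsearch -LLL -b cn=config" would print it, compares the ssf= factor in olcSecurity against olcLocalSSF (falling back to slapd's default of 71 when the attribute is absent, as Michael notes), and emits the ldapmodify LDIF that brings olcLocalSSF up to the required level. The sample entry is constructed for the example; the function names are my own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of the relevant cn=config attributes, in the shape
# "ldapsearch -LLL -b cn=config" prints them (not taken from any real host).
SAMPLE_CONFIG_LDIF = """dn: cn=config
objectClass: olcGlobal
cn: config
olcSecurity: ssf=128
olcLocalSSF: 71
"""

DEFAULT_LOCAL_SSF = 71  # slapd's built-in default for localSSF / olcLocalSSF


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry into attribute -> values (attribute names lower-cased),
    unfolding continuation lines (a leading space joins a line to the previous one)."""
    attrs: Dict[str, List[str]] = {}
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    for line in lines:
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def required_ssf(security_values: List[str]) -> int:
    """Highest 'ssf=N' factor across all olcSecurity values (0 if none is set)."""
    best = 0
    for value in security_values:
        for token in value.split():
            m = re.fullmatch(r"ssf=(\d+)", token)
            if m:
                best = max(best, int(m.group(1)))
    return best


def check_local_ssf(ldif_text: str) -> Tuple[int, int, bool]:
    """Return (required_ssf, local_ssf, ok) for the cn=config entry in ldif_text.
    ok is False when a bind over ldapi:// would be refused with
    'stronger confidentiality required'."""
    attrs = parse_ldif_entry(ldif_text)
    required = required_ssf(attrs.get("olcsecurity", []))
    local_values = attrs.get("olclocalssf", [])
    local = int(local_values[0]) if local_values else DEFAULT_LOCAL_SSF
    return required, local, local >= required


def local_ssf_fix_ldif(required: int) -> str:
    """LDIF for ldapmodify that raises olcLocalSSF to the required level
    ('replace' also adds the attribute when it is not yet present)."""
    return (
        "dn: cn=config\n"
        "changetype: modify\n"
        "replace: olcLocalSSF\n"
        f"olcLocalSSF: {required}\n"
    )


if __name__ == "__main__":
    req, local, ok = check_local_ssf(SAMPLE_CONFIG_LDIF)
    state = "ok" if ok else "ldapi binds will be refused"
    print(f"olcSecurity requires ssf={req}, olcLocalSSF is {local}: {state}")
    if not ok:
        print(local_ssf_fix_ldif(req))
```

The check only looks at the ssf= factor, which is the one behind the error in the thread; olcSecurity can also carry transport=, tls=, sasl= and update_* factors, so a complete audit would compare those separately. Feed the output LDIF to ldapmodify on the server itself, then repeat the ldapsearch over ldapi:// to confirm the bind is accepted.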

