Re: ldapi security level?
Thanks for the answers, and I don't need help anymore, but just to
complete things: I'm still a bit confused here.
Kurt D. Zeilenga writes:
>Hallvard B Furuseth wrote:
>>Isn't ldapi:/// secure?
>
> It is not completely without fear of risk; but generally
> the fear is generally considered low in comparison to
> other schemes.
>
>>slapd.conf contains:
>>
>> # Require TLS/SSL for Simple Bind with password and for updates.
>> security simple_bind=128 update_ssf=128
>> # Don't accept unprotected passwords, don't show passwords.
>> access to attr=userPassword by * ssf=128 auth
>
> ldapi:/// has an implicit SSF of 71 (LDAP_PVT_SASL_LOCAL_SSF
> in ldap_pvt.h). You can reset this if you find it too low
> (or too high).
Well, I don't want to change it when I don't know how that number was
arrived at. It seems strange to me that it has been given a lower
security level than TLS if it is considered more secure.
Howard Chu <hyc@symas.com> wrote:
>> # /ldap/usr/bin/ldapmodify -x -H ldapi:/// -D ... -w ... -f ...
>> ldap_bind: Confidentiality required (13)
>> additional info: confidentiality required
>
> But Simple Binds ( -x ) are not.
>
> You have to use SASL/EXTERNAL.
Eh? Simple Bind is secure enough if the LDAP connection (if ldapi
can be called a connection) is secure.
How do I use SASL/EXTERNAL with ldapi?
--
Hallvard
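Added example (not part of the original thread, and not the poster's or OpenLDAP's own config): a slapd.conf fragment showing how the ssf=128 requirements quoted above interact with the ldapi listener's default local SSF of 71, and how to let a local root process authenticate with SASL/EXTERNAL over ldapi. The `localSSF` directive and the `cn=peercred,cn=external,cn=auth` authorization DN form are real OpenLDAP features; the `dc=example,dc=com` suffix and the Manager DN are placeholders.

```conf
# --- Existing policy from the thread ---
# Simple binds with a password and all updates need SSF >= 128.
security simple_bind=128 update_ssf=128
access to attr=userPassword by * ssf=128 auth

# --- Why ldapi:/// is rejected with "confidentiality required" ---
# A Unix-domain socket connection is assigned a fixed local SSF, which
# defaults to 71 (LDAP_PVT_SASL_LOCAL_SSF), so it fails the 128 checks.
# If local socket access is trusted as much as TLS at this site, raise it
# so ldapi:/// satisfies simple_bind, update_ssf and the ssf=128 ACL:
localSSF 128

# --- Alternative: SASL/EXTERNAL over ldapi (no password on the wire) ---
# The peer's uid/gid from the socket become the SASL authz DN, e.g. for root:
#   gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
# Map that identity to a directory DN (placeholder DN shown).
authz-regexp
  gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth
  cn=Manager,dc=example,dc=com
```

With the mapping in place, a root shell can bind without `-x`/`-w` using `ldapwhoami -Y EXTERNAL -H ldapi:///`, and `ldapmodify -Y EXTERNAL -H ldapi:/// -f ...` replaces the simple bind from the thread. Note that EXTERNAL only changes how the identity is established; the `update_ssf=128` check still looks at the connection's SSF, so without `localSSF 128` (or an equivalent decision that the socket is trusted) updates over ldapi will still be refused.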