
Re: ldapi security level?



Thanks for the answers, and I don't need help anymore, but just to
complete things: I'm still a bit confused here.

Kurt D. Zeilenga writes:
>Hallvard B Furuseth wrote:
>>Isn't ldapi:/// secure?
> 
> It is not completely without fear of risk; but generally
> the fear is generally considered low in comparison to
> other schemes.
> 
>>slapd.conf contains:
>>
>>  # Require TLS/SSL for Simple Bind with password and for updates.
>>  security      simple_bind=128 update_ssf=128
>>  # Don't accept unprotected passwords, don't show passwords.
>>  access to attr=userPassword by * ssf=128 auth
> 
> ldapi:/// has an implicit SSF of 71 (LDAP_PVT_SASL_LOCAL_SSF
> in ldap_pvt.h).  You can reset this if you find it too low
> (or too high).

Well, I don't want to change it when I don't know how that number was
arrived at.  It seems strange to me that it has been given a lower
security level than TLS if it is considered more secure.

Howard Chu <hyc@symas.com> wrote:
>>   # /ldap/usr/bin/ldapmodify -x -H ldapi:/// -D ... -w ... -f ...
>>   ldap_bind: Confidentiality required (13)
>>           additional info: confidentiality required
>
> But Simple Binds ( -x ) are not.
>
> You have to use SASL/EXTERNAL.

Eh?  Simple Bind is secure enough if the LDAP connection (if ldapi
can be called a connection) is secure.

How do I use SASL/EXTERNAL with ldapi?

-- 
Hallvard
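As an added illustration (editor's example, not OpenLDAP code and not part of the thread), the following model walks the slapd.conf directives quoted above through the three situations discussed: a simple bind over ldapi:///, a SASL/EXTERNAL bind over ldapi:///, and a simple bind over TLS. It approximates the checks slapd.conf(5) documents for `security simple_bind=N`, `security update_ssf=N` and the `ssf=N` qualifier in an access rule; it is not slapd's evaluation code. Assumed values are labelled in the code: the TLS session SSF of 128 (it depends on the negotiated cipher), the result code returned when a simple bind has no auth access to userPassword, and that the `update_ssf` check applies to every write regardless of bind mechanism, as the directive's description states. The local SSF of 71 is the LDAP_PVT_SASL_LOCAL_SSF value from Kurt's reply.

```python
"""Model of how the thread's SSF policy applies to binds and updates per listener.

Added illustration, not OpenLDAP code. It approximates the documented behaviour
of `security simple_bind=N`, `security update_ssf=N` and `ssf=N` access clauses.
"""
from dataclasses import dataclass

LDAP_SUCCESS = 0
LDAP_CONFIDENTIALITY_REQUIRED = 13  # the "(13)" in the ldap_bind error in the thread
LDAP_INVALID_CREDENTIALS = 49       # assumed result when userPassword is unreadable

LOCAL_SSF_DEFAULT = 71  # LDAP_PVT_SASL_LOCAL_SSF (ldap_pvt.h), quoted by Kurt


@dataclass(frozen=True)
class SecurityPolicy:
    simple_bind: int = 0            # security simple_bind=N
    update_ssf: int = 0             # security update_ssf=N
    userpassword_auth_ssf: int = 0  # access to attr=userPassword by * ssf=N auth


# The directives from the slapd.conf quoted in the thread.
THREAD_POLICY = SecurityPolicy(simple_bind=128, update_ssf=128,
                               userpassword_auth_ssf=128)


def session_ssf(listener, local_ssf=LOCAL_SSF_DEFAULT, tls_ssf=128):
    """Effective SSF of a session. Constructed table; tls_ssf=128 is an assumption."""
    return {"ldap://": 0, "ldapi:///": local_ssf, "ldaps://": tls_ssf}[listener]


def check_bind(policy, ssf, mechanism):
    """Outcome of a bind as (resultCode, diagnostic)."""
    if mechanism == "simple":
        # security simple_bind=N: a simple bind carrying a password is refused
        # outright on a session weaker than N.
        if ssf < policy.simple_bind:
            return LDAP_CONFIDENTIALITY_REQUIRED, "confidentiality required"
        # The bind then needs auth access to userPassword; the `ssf=N` clause
        # grants it only on sessions at least that strong. Without it the
        # password cannot be checked, so the bind fails (49 assumed here).
        if ssf < policy.userpassword_auth_ssf:
            return LDAP_INVALID_CREDENTIALS, "no auth access to userPassword"
        return LDAP_SUCCESS, ""
    if mechanism == "EXTERNAL":
        # SASL/EXTERNAL sends no password: the identity comes from the transport
        # (the peer's uid/gid on ldapi, the client certificate on TLS), so
        # neither simple_bind nor the userPassword rule is consulted.
        return LDAP_SUCCESS, ""
    raise ValueError(f"unsupported mechanism {mechanism!r}")


def check_update(policy, ssf):
    """security update_ssf=N is assumed to apply to every write, whatever the bind."""
    if ssf < policy.update_ssf:
        return LDAP_CONFIDENTIALITY_REQUIRED, "update confidentiality required"
    return LDAP_SUCCESS, ""


def ldapmodify(policy, listener, mechanism, local_ssf=LOCAL_SSF_DEFAULT):
    """Walk an ldapmodify run: bind first, then the update if the bind succeeded."""
    ssf = session_ssf(listener, local_ssf=local_ssf)
    bind = check_bind(policy, ssf, mechanism)
    if bind[0] != LDAP_SUCCESS:
        return {"ssf": ssf, "bind": bind, "update": None}
    return {"ssf": ssf, "bind": bind, "update": check_update(policy, ssf)}


if __name__ == "__main__":
    # the failing command from the thread: ldapmodify -x -H ldapi:///
    print(ldapmodify(THREAD_POLICY, "ldapi:///", "simple"))
    # Howard's suggestion: ldapmodify -H ldapi:/// -Y EXTERNAL
    print(ldapmodify(THREAD_POLICY, "ldapi:///", "EXTERNAL"))
    # a simple bind over TLS
    print(ldapmodify(THREAD_POLICY, "ldaps://", "simple"))
    # the local SSF raised to match the policy (what Kurt's "reset" amounts to)
    print(ldapmodify(THREAD_POLICY, "ldapi:///", "EXTERNAL", local_ssf=128))
```

The model makes the two points a practitioner would check. First, `-x` over ldapi:/// fails at the bind with result 13 because 71 is below `simple_bind=128`; `-Y EXTERNAL` (the usual way to use SASL/EXTERNAL with ldapmodify over ldapi:///) passes the bind because no password is involved. Second, under the assumption that `update_ssf=128` is checked against the session SSF regardless of bind mechanism, the write over a 71-SSF session is still refused, so the local SSF and the policy thresholds have to agree; in later OpenLDAP releases slapd.conf(5) documents a `localSSF` directive for that value, but whether the release in this thread has it is not stated on the page.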