Re: ldapi security level?

["Kurt D. Zeilenga" <Kurt@OpenLDAP.org>]

At 12:53 AM 7/5/2004, Hallvard B Furuseth wrote:
>Thanks for the answers, and I don't need help anymore, but just to
>complete things: I'm still a bit confused here.
>
>Kurt D. Zeilenga writes:
>>Hallvard B Furuseth wrote:
>>>Isn't ldapi:/// secure?
>> 
>> It is not completely without fear of risk; but generally
>> the fear is generally considered low in comparison to
>> other schemes.
>> 
>>>slapd.conf contains:
>>>
>>>  # Require TLS/SSL for Simple Bind with password and for updates.
>>>  security      simple_bind=128 update_ssf=128
>>>  # Don't accept unprotected passwords, d'ont show passwords.
>>>  access to attr=userPassword by * ssf=128 auth
>> 
>> ldapi:/// has an implicit SSF of 71 (LDAP_PVT_SASL_LOCAL_SSF
>> in ldap_pvt.h).  You can reset this if you find it too low
>> (or too high).
>
>Well, I don't want to change it when I don't know how that number was
>arrived at.

I choose the number so that it would higher than "weak" TLS
ciphers but lower than "strong" TLS ciphers.

>It seems strange to me that it has been given a lower
>security level than TLS if it is considered more secure.

So, maybe, some don't consider ldapi:// to be "more secure"
than TLS with a "strong" TLS cipher.  I find myself using
TLS (with strong ciphers) over ldapi://.  I don't find
that all that strange.

>Howard Chu <hyc@symas.com> wrote:

See Howard's response.

Kurt