Re: ldapi security level?
At 12:53 AM 7/5/2004, Hallvard B Furuseth wrote:
>Thanks for the answers, and I don't need help anymore, but just to
>complete things: I'm still a bit confused here.
>
>Kurt D. Zeilenga writes:
>>Hallvard B Furuseth wrote:
>>>Isn't ldapi:/// secure?
>>
>> It is not completely without fear of risk; but the fear
>> is generally considered low in comparison to
>> other schemes.
>>
>>>slapd.conf contains:
>>>
>>> # Require TLS/SSL for Simple Bind with password and for updates.
>>> security simple_bind=128 update_ssf=128
>>> # Don't accept unprotected passwords, don't show passwords.
>>> access to attr=userPassword by * ssf=128 auth
>>
>> ldapi:/// has an implicit SSF of 71 (LDAP_PVT_SASL_LOCAL_SSF
>> in ldap_pvt.h). You can reset this if you find it too low
>> (or too high).
>
>Well, I don't want to change it when I don't know how that number was
>arrived at.
I chose the number so that it would be higher than "weak" TLS
ciphers but lower than "strong" TLS ciphers.
>It seems strange to me that it has been given a lower
>security level than TLS if it is considered more secure.
So, maybe, some don't consider ldapi:// to be "more secure"
than TLS with a "strong" TLS cipher. I find myself using
TLS (with strong ciphers) over ldapi://. I don't find
that all that strange.
>Howard Chu <hyc@symas.com> wrote:
See Howard's response.
Kurt
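To make the practical consequence of the thread concrete, here is an added example (not code from the thread or from OpenLDAP) that checks Hallvard's slapd.conf fragment against the implicit ldapi SSF of 71 that Kurt cites. It assumes slapd's rule that an operation is allowed only if the session's SSF meets the threshold of every `security` directive and `ssf=` ACL clause that applies to it; the conf text is copied from the thread, and the session SSF values for TLS are constructed.

```python
import re

# slapd.conf fragment as posted in the thread.
SLAPD_CONF = """
# Require TLS/SSL for Simple Bind with password and for updates.
security simple_bind=128 update_ssf=128
# Don't accept unprotected passwords, don't show passwords.
access to attr=userPassword by * ssf=128 auth
"""

# Implicit SSF of an ldapi:/// session, as stated in the thread
# (LDAP_PVT_SASL_LOCAL_SSF in ldap_pvt.h).
LDAPI_LOCAL_SSF = 71


def parse_security(conf):
    """Collect key=value thresholds from 'security' lines, e.g. simple_bind=128."""
    reqs = {}
    for line in conf.splitlines():
        line = line.strip()
        if line.startswith("security "):
            for key, val in re.findall(r"(\w+)=(\d+)", line):
                reqs[key] = int(val)
    return reqs


def parse_userpassword_ssf(conf):
    """Return the ssf= threshold guarding 'auth' access to userPassword (0 if none)."""
    for line in conf.splitlines():
        m = re.match(r"access to attr=userPassword by \* ssf=(\d+) auth", line.strip())
        if m:
            return int(m.group(1))
    return 0


def evaluate(conf, session_ssf):
    """Which operations slapd would permit on a session with the given SSF.

    A simple bind with a password must satisfy both the 'security simple_bind'
    threshold and the ssf= clause on the userPassword ACL; an update must
    satisfy 'update_ssf'.
    """
    reqs = parse_security(conf)
    pw_ssf = parse_userpassword_ssf(conf)
    return {
        "simple_bind": session_ssf >= reqs.get("simple_bind", 0) and session_ssf >= pw_ssf,
        "update": session_ssf >= reqs.get("update_ssf", 0),
    }
```

With this configuration an ldapi:/// session (SSF 71) is refused both password binds and updates, while a TLS session negotiating a strong cipher (assumed SSF 256) is allowed both; the fix is to lower the thresholds or raise the local SSF, as Kurt suggests.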