
Re: forcing encryption for external server access while allowing unencrypted localhost connections



At 04:30 PM 9/14/2004, Chris Paul wrote:
>Kurt D. Zeilenga wrote:
>
>>You've required more confidentiality protection than ldapi://
>>purports to provide.  The ldapi:// is, by default, only 71.
>>You can change the SSF by defining the macro LDAP_PVT_LOCAL_SSF
>>in your CPPFLAGS.

s/\./ to the desired ldapi:// SSF./

e.g., -DLDAP_PVT_LOCAL_SSF=128

>Hi Kurt,
>
>Thanks for the response. I recompiled OpenLDAP with this option. In fact here are all my flags/options/configure statements:
>
>export CPPFLAGS='-I/usr/local/BerkeleyDB.4.2/include -I/usr/include -I/usr/include/openssl -DOPENSSL_NO_KRB5 -DLDAP_PVT_LOCAL_SSF'
>export LDFLAGS='-L/usr/local/BerkeleyDB.4.2/lib -L/lib/tls -L/lib'
>./configure --sysconfdir=/etc --enable-bdb=yes --disable-ldbm
>make
>sudo make install
>
>Then I start slapd:
>
>/usr/local/libexec/slapd -u ldap -g ldap -h "ldap://10.10.10.50:389 ldapi:///"
>
>And then I still get this:
>
>search: 2
>result: 13 Confidentiality required
>text: stronger confidentiality required
>
>And of course, like I said, I have "security ssf=128" in the /etc/openldap.conf global configuration.
>
>regards,
>
>CP
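
A simplified model of the check discussed in this thread, added here as an illustration and not OpenLDAP's own code or part of either message: each connection is credited with an SSF according to its transport, and `security ssf=128` rejects anything below that with result 13. The helper names `conn_ssf` and `check_security`, the `transport` enum and the 256-bit TLS figure are assumptions made for the example.

```c
#include <stdio.h>

/* Default the thread describes: ldapi:// is credited with SSF 71 unless the
 * macro is overridden at build time. A bare -DNAME (no "=value") makes the
 * compiler define NAME as 1, so only -DNAME=128 yields 128. */
#ifndef LDAP_PVT_LOCAL_SSF
#define LDAP_PVT_LOCAL_SSF 71
#endif

#define LDAP_SUCCESS                  0
#define LDAP_CONFIDENTIALITY_REQUIRED 13 /* "result: 13" in the post */

enum transport { PLAIN_TCP, TLS_TCP, LOCAL_SOCKET };

/* Hypothetical helper: SSF credited to a connection by its transport. */
static unsigned conn_ssf(enum transport t, unsigned tls_bits, unsigned local_ssf)
{
    switch (t) {
    case TLS_TCP:      return tls_bits;   /* negotiated cipher strength */
    case LOCAL_SOCKET: return local_ssf;  /* ldapi:// */
    default:           return 0;          /* cleartext ldap:// */
    }
}

/* Hypothetical helper: the "security ssf=<n>" gate. */
static int check_security(unsigned required, unsigned have)
{
    return have >= required ? LDAP_SUCCESS : LDAP_CONFIDENTIALITY_REQUIRED;
}

int main(void)
{
    const unsigned required = 128;  /* security ssf=128 */
    const unsigned local[] = { LDAP_PVT_LOCAL_SSF, 1, 128 };
    const char *how[] = { "as compiled", "bare -D (value 1)", "-D...=128" };

    for (int i = 0; i < 3; i++)
        printf("ldapi:// %-18s ssf=%3u -> result %d\n", how[i], local[i],
               check_security(required, conn_ssf(LOCAL_SOCKET, 0, local[i])));
    printf("ldap:// cleartext            -> result %d\n",
           check_security(required, conn_ssf(PLAIN_TCP, 0, 0)));
    printf("ldap:// + TLS (256-bit)      -> result %d\n",
           check_security(required, conn_ssf(TLS_TCP, 256, 0)));
    return 0;
}
```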