
Re: ssf=0 for localhost



Nathan Huesken writes:
> I have set up ldap with tls. To disallow users to authenticate without
> security from different computers, I added
>
> security ssf=64
>
> to slapd.conf. Now I want local users (connections from localhost) to
> allow authenticating without any tls or SASL. I added:
>
> localSSF 0

Read the localSSF description in the slapd.conf manpage.

localSSF applies to ldapi:// connections, not ldap://localhost/
connections.  And what you just did was assign ldapi:// users
a security strength 0, which disallows them, rather than the default
71, which allows them on your setup (since it is above 64).

Do not use ldapi:// with clients or servers before OpenLDAP 2.3.35,
it had security issues.

-- 
Hallvard
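
The interaction described in the reply, as an added example that is not part of the original message and not OpenLDAP code: a small checker that reads the two directives from slapd.conf-style text and reports whether a connection meets the `security ssf` minimum. It assumes a simplified model in which a connection's strength is the highest of its transport, TLS and SASL strengths; the function names and sample configurations are constructed for illustration.

```python
DEFAULT_LOCAL_SSF = 71  # default for ldapi:// quoted in the reply above


def parse_ssf_settings(conf_text):
    """Return (required_ssf, local_ssf) from slapd.conf-style text."""
    required, local = 0, DEFAULT_LOCAL_SSF
    for raw in conf_text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue  # skip blank lines and comment lines
        keyword = words[0].lower()
        if keyword == "localssf" and len(words) > 1:
            local = int(words[1])
        elif keyword == "security":
            # "security" takes a list of factors, e.g. "ssf=64 update_ssf=128"
            for factor in words[1:]:
                name, _, value = factor.partition("=")
                if name.lower() == "ssf":
                    required = int(value)
    return required, local


def effective_ssf(url, local_ssf, tls_ssf=0, sasl_ssf=0):
    """Assumed model: the strongest layer in use sets the connection's SSF."""
    scheme = url.split("://", 1)[0].lower()
    # localSSF only counts for ldapi:// (Unix socket) listeners;
    # ldap://localhost/ is ordinary TCP and gets no transport strength.
    transport = local_ssf if scheme == "ldapi" else 0
    return max(transport, tls_ssf, sasl_ssf)


def is_allowed(conf_text, url, tls_ssf=0, sasl_ssf=0):
    required, local = parse_ssf_settings(conf_text)
    return effective_ssf(url, local, tls_ssf, sasl_ssf) >= required


# Constructed sample configurations
AS_POSTED = "security ssf=64\nlocalSSF 0\n"   # what the question describes
DEFAULT_LOCAL = "security ssf=64\n"           # localSSF left at its default

if __name__ == "__main__":
    cases = (("ldap://localhost/", 0), ("ldapi:///", 0), ("ldap://localhost/", 128))
    for label, conf in (("as posted", AS_POSTED), ("default localSSF", DEFAULT_LOCAL)):
        for url, tls in cases:
            verdict = "allowed" if is_allowed(conf, url, tls_ssf=tls) else "refused"
            print(f"{label:17} {url:20} tls_ssf={tls:<4} {verdict}")
```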