
Re: Kerberos/GSSAPI issues



Supplementary question: I tried to set minssf so as to require encryption,
like this:

# ldapmodify -Y EXTERNAL -H ldapi:/// <<EOS
dn: cn=config
replace: olcSaslRealm
olcSaslRealm: WS.NSRC.ORG
-
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,noplain,minssf=112
EOS

Unfortunately I now seem to have locked myself out from using the EXTERNAL
mechanism:

# ldapsearch -s base -b "cn=config" -Y EXTERNAL -H ldapi:///
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Inappropriate authentication (48)
	additional info: SASL(-15): mechanism too weak for this user: mech EXTERNAL is too weak

So:
(a) it would be nice to know how to recover from this. If I stop slapd and
edit /etc/ldap/slapd.d/cn\=config.ldif directly, that seems to be OK, but
are there any risks in directly manipulating the config in this way?

(b) how can I enforce encryption for Kerberos users without locking myself
out of EXTERNAL?

Thanks,

Brian.
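
A pre-flight check for the lock-out described above, as an added example that is not part of the original post. It assumes slapd credits ldapi:/// connections with the SSF in olcLocalSSF (71 when unset, per slapd-config(5)) and that SASL/EXTERNAL contributes no SSF of its own; the function name `ssf_lockout_check` is hypothetical.

```shell
#!/bin/sh
# Added example: check a current or proposed cn=config LDIF before applying it.
# Assumption: over ldapi:/// the EXTERNAL mechanism is only credited with
# olcLocalSSF, so minssf above that value rejects it as "too weak".

# ssf_lockout_check: reads LDIF on stdin, prints the two values it found.
# Returns 0 if EXTERNAL over ldapi:/// still satisfies minssf, 1 if not.
ssf_lockout_check() {
    awk '
        BEGIN { local_ssf = 71; minssf = 0 }   # values used when the attributes are absent
        tolower($1) == "olclocalssf:" { local_ssf = $2 + 0 }
        tolower($1) == "olcsaslsecprops:" {
            # Value is a comma-separated property list, e.g. noanonymous,noplain,minssf=112
            n = split($2, props, ",")
            for (i = 1; i <= n; i++)
                if (props[i] ~ /^minssf=[0-9]+$/) {
                    sub(/^minssf=/, "", props[i])
                    minssf = props[i] + 0
                }
        }
        END {
            printf "minssf=%d olcLocalSSF=%d\n", minssf, local_ssf
            exit (minssf > local_ssf ? 1 : 0)
        }'
}

# The olcSaslSecProps change from the post; olcLocalSSF is not set in it.
proposed='dn: cn=config
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,noplain,minssf=112'

if printf '%s\n' "$proposed" | ssf_lockout_check; then
    echo "ldapi:/// EXTERNAL would still be accepted"
else
    echo "ldapi:/// EXTERNAL would be rejected as too weak"
fi
```

Lines such as `replace: olcSaslSecProps` are ignored because only attribute value lines are matched, so the same LDIF that is fed to ldapmodify can be piped through the check first.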