Re: Kerberos/GSSAPI issues
- To: openldap-technical@openldap.org
- Subject: Re: Kerberos/GSSAPI issues
- From: Brian Candler <B.Candler@pobox.com>
- Date: Tue, 28 Dec 2010 09:41:33 +0000
- In-reply-to: <20101228092656.GA4437@talktalkplc.com>
- References: <20101228092656.GA4437@talktalkplc.com>
- User-agent: Mutt/1.5.20 (2009-06-14)
Supplementary question: I tried to set minssf so as to require encryption,
like this:

# ldapmodify -Y EXTERNAL -H ldapi:/// <<EOS
dn: cn=config
replace: olcSaslRealm
olcSaslRealm: WS.NSRC.ORG
-
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,noplain,minssf=112
EOS

Unfortunately I now seem to have locked myself out from using the EXTERNAL
mechanism:

# ldapsearch -s base -b "cn=config" -Y EXTERNAL -H ldapi:///
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Inappropriate authentication (48)
        additional info: SASL(-15): mechanism too weak for this user: mech EXTERNAL is too weak

So:

(a) it would be nice to know how to recover from this. If I stop slapd and
edit /etc/ldap/slapd.d/cn\=config.ldif directly, that seems to be OK, but
are there any risks in directly manipulating the config in this way?

(b) how can I enforce encryption for Kerberos users without locking myself
out of EXTERNAL?

Thanks,
Brian.
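To see why minssf=112 shuts EXTERNAL out over ldapi:// in the message above, here is an added example that models the "mechanism too weak" decision; it is my own illustration, not code from OpenLDAP, Cyrus SASL or the poster. It assumes that slapd credits ldapi:// sessions with olcLocalSSF (default 71) as the connection's external SSF, that plain TCP gets external SSF 0, that EXTERNAL contributes no SSF of its own while GSSAPI advertises a maximum of 256, and that a mechanism is filtered out when its advertised maximum plus the external SSF is below minssf. The parser for olcSaslSecProps and the mechanism table are constructed for the example.

```python
"""Model of the SASL 'mechanism too weak' pre-check applied when
olcSaslSecProps sets minssf.  Added example: a reading of documented
slapd / Cyrus SASL behaviour, not their code."""

from dataclasses import dataclass

# Assumption: slapd's olcLocalSSF defaults to 71 and is credited to
# ldapi:// connections as the external SSF; plain TCP carries 0.
DEFAULT_LOCAL_SSF = 71

# Assumed advertised maximum SSF per mechanism: EXTERNAL and PLAIN add
# no protection of their own, GSSAPI can wrap traffic.
MECH_MAX_SSF = {"EXTERNAL": 0, "GSSAPI": 256, "PLAIN": 0, "LOGIN": 0, "ANONYMOUS": 0}
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}
# Flags accepted by the parser but not modelled by the check below.
UNMODELLED_FLAGS = {"noactive", "nodict", "forwardsec", "passcred"}


@dataclass
class SecProps:
    minssf: int = 0
    maxssf: int = 256
    noanonymous: bool = False
    noplain: bool = False


def parse_secprops(value: str) -> SecProps:
    """Parse an olcSaslSecProps value such as 'noanonymous,noplain,minssf=112'."""
    props = SecProps()
    for item in filter(None, (p.strip() for p in value.split(","))):
        key, _, num = item.partition("=")
        if key == "minssf":
            props.minssf = int(num)
        elif key == "maxssf":
            props.maxssf = int(num)
        elif key == "noanonymous":
            props.noanonymous = True
        elif key == "noplain":
            props.noplain = True
        elif key == "none":
            props = SecProps()          # 'none' resets every property
        elif key in UNMODELLED_FLAGS:
            continue
        else:
            raise ValueError(f"unsupported secprops flag: {item}")
    if props.minssf > props.maxssf:
        raise ValueError("minssf may not exceed maxssf")
    return props


def bind_allowed(mech: str, props: SecProps, external_ssf: int) -> tuple[bool, str]:
    """Decide whether the mechanism survives the security-properties filter.

    The strength rule is the one assumed from Cyrus SASL: the mechanism
    must be able to supply whatever part of minssf the transport does not
    already provide.  The SSF actually negotiated is checked again after
    the exchange; this function models only the up-front filter."""
    if props.noanonymous and mech == "ANONYMOUS":
        return False, "anonymous mechanisms disallowed"
    if props.noplain and mech in PLAINTEXT_MECHS:
        return False, f"plaintext mechanism {mech} disallowed"
    needed = max(props.minssf - external_ssf, 0)
    if MECH_MAX_SSF[mech] < needed:
        return False, f"mech {mech} is too weak (cannot add {needed} SSF)"
    return True, "ok"


def post_scenario() -> dict:
    """The configuration from the message, evaluated for several bind paths."""
    props = parse_secprops("noanonymous,noplain,minssf=112")
    return {
        # EXTERNAL over ldapi:// with the default olcLocalSSF of 71
        "external_ldapi_default": bind_allowed("EXTERNAL", props, DEFAULT_LOCAL_SSF)[0],
        # Same bind if olcLocalSSF were raised above minssf (assumed 128)
        "external_ldapi_localssf_128": bind_allowed("EXTERNAL", props, 128)[0],
        # GSSAPI over plain TCP: the mechanism can supply the strength itself
        "gssapi_tcp": bind_allowed("GSSAPI", props, 0)[0],
        # PLAIN over TCP is rejected by noplain before strength is considered
        "plain_tcp": bind_allowed("PLAIN", props, 0)[0],
    }


if __name__ == "__main__":
    for name, ok in post_scenario().items():
        print(f"{name}: {'allowed' if ok else 'rejected'}")
```

Under these assumptions the filter rejects EXTERNAL on ldapi:// because 112 minus the local SSF of 71 leaves 41 units of strength that EXTERNAL cannot provide, while GSSAPI passes because it can provide them itself; the same model passes EXTERNAL once the local SSF is at or above minssf, which is the relationship between olcLocalSSF and minssf a practitioner would check before tightening olcSaslSecProps.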