Supplementary question: I tried to set minssf so as to require encryption,
like this:
# ldapmodify -Y EXTERNAL -H ldapi:/// <<EOS
dn: cn=config
replace: olcSaslRealm
olcSaslRealm: WS.NSRC.ORG
-
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,noplain,minssf=112
EOS
Unfortunately I now seem to have locked myself out from using the EXTERNAL
mechanism:
# ldapsearch -s base -b "cn=config" -Y EXTERNAL -H ldapi:///
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Inappropriate authentication (48)
additional info: SASL(-15): mechanism too weak for this user: mech EXTERNAL is too weak
So:
(a) it would be nice to know how to recover from this. If I stop slapd and
edit /etc/ldap/slapd.d/cn\=config.ldif directly, that seems to be OK, but
are there any risks in directly manipulating the config in this way?
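
An added example, not part of the original message: a pre-flight check that reads the LDIF before it is handed to ldapmodify and compares the requested minssf with the SSF slapd assigns to ldapi:/// sessions (olcLocalSSF, documented default 71). The function names are hypothetical, and the script assumes the default of 71 unless another value is passed in.

```shell
#!/bin/sh
# Added example: pre-flight check for an LDIF that changes olcSaslSecProps.
# Assumption: the server uses the documented olcLocalSSF default of 71
# unless a different value is given as the first argument.

# Print the minssf requested by LDIF on stdin (0 if none is set).
ldif_minssf() {
    awk '
        tolower($0) ~ /^olcsaslsecprops:/ {
            line = $0
            sub(/^[^:]*:[ \t]*/, "", line)      # drop the attribute name
            sub(/[ \t\r]+$/, "", line)          # drop trailing whitespace
            n = split(line, props, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++)
                if (props[i] ~ /^minssf=[0-9]+$/) v = substr(props[i], 8)
        }
        END { print v + 0 }
    '
}

# Return 0 if SASL/EXTERNAL over ldapi:/// would still satisfy minssf.
external_survives() {
    local_ssf=${1:-71}
    want=$(ldif_minssf)
    if [ "$want" -gt "$local_ssf" ]; then
        echo "minssf=$want exceeds local SSF $local_ssf:" \
             "EXTERNAL on ldapi:/// would be refused" >&2
        return 1
    fi
    return 0
}

# The change from the message above, checked before it is applied.
external_survives <<'EOS' || echo "not applying this LDIF"
dn: cn=config
replace: olcSaslRealm
olcSaslRealm: WS.NSRC.ORG
-
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,noplain,minssf=112
EOS
```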