[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Kerberos/GSSAPI issues



Brian Candler wrote:
Supplementary question: I tried to set minssf so as to require encryption,
like this:

# ldapmodify -Y EXTERNAL -H ldapi:///<<EOS
dn: cn=config
replace: olcSaslRealm
olcSaslRealm: WS.NSRC.ORG
-
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,noplain,minssf=112
EOS

Unfortunately I now seem to have locked myself out from using the EXTERNAL
mechanism:

# ldapsearch -s base -b "cn=config" -Y EXTERNAL -H ldapi:///
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Inappropriate authentication (48)
	additional info: SASL(-15): mechanism too weak for this user: mech EXTERNAL is too weak

So:
(a) it would be nice to know how to recover from this. If I stop slapd and
edit /etc/ldap/slapd.d/cn\=config.ldif directly, that seems to be OK, but
are there any risks in directly manipulating the config in this way?

The main risk is that if you enter any typos or syntax errors, slapd will refuse to start. You should probably use slapmodify instead, so at least you'll get some syntax checking.

(b) how can I enforce encryption for Kerberos users without locking myself
out of EXTERNAL?

Read the slapd-config(5) manpage, olcLocalSSF.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/