[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Kerberos/GSSAPI issues

To: openldap-technical@openldap.org
Subject: Re: Kerberos/GSSAPI issues
From: Dieter Kluenter <dieter@dkluenter.de>
Date: Wed, 29 Dec 2010 07:57:43 +0100
In-reply-to: <20101228094133.GA6687@talktalkplc.com>
Organization: AVCI
References: <20101228092656.GA4437@talktalkplc.com> <20101228094133.GA6687@talktalkplc.com>

Am Tue, 28 Dec 2010 09:41:33 +0000
schrieb Brian Candler <B.Candler@pobox.com>:

> Supplementary question: I tried to set minssf so as to require
> encryption, like this:
> 
> # ldapmodify -Y EXTERNAL -H ldapi:/// <<EOS
> dn: cn=config
> replace: olcSaslRealm
> olcSaslRealm: WS.NSRC.ORG
> -
> replace: olcSaslSecProps
> olcSaslSecProps: noanonymous,noplain,minssf=112
> EOS
> 
> Unfortunately I now seem to have locked myself out from using the
> EXTERNAL mechanism:
> 
> # ldapsearch -s base -b "cn=config" -Y EXTERNAL -H ldapi:///
> SASL/EXTERNAL authentication started
> ldap_sasl_interactive_bind_s: Inappropriate authentication (48)
> 	additional info: SASL(-15): mechanism too weak for this user:
> mech EXTERNAL is too weak

The default ssf of ldapi is 71, but you may change localSSF in
slapd.conf(5).
[...]

-Dieter


-- 
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95"N
10°08'02,42"E

Follow-Ups:
- Re: Kerberos/GSSAPI issues
  - From: Brian Candler <B.Candler@pobox.com>

References:
- Kerberos/GSSAPI issues
  - From: Brian Candler <B.Candler@pobox.com>
- Re: Kerberos/GSSAPI issues
  - From: Brian Candler <B.Candler@pobox.com>

Prev by Date: one system won't authenticate
Next by Date: Re: invalid credentials (49) for normal user
Index(es):
- Chronological
- Thread