Re: Kerberos/GSSAPI issues



On Wed, Dec 29, 2010 at 07:57:43AM +0100, Dieter Kluenter wrote:
> The default ssf of ldapi is 71, but you may change localSSF in
> slapd.conf(5).
> [...]

Thank you, that is very clear.

Having changed that, I can use EXTERNAL with minssf=112, but not GSSAPI.  I
find that if I set minssf=56 it's fine, but at minssf=57 it isn't.

It looks like this is a fundamental limitation of the GSSAPI:
http://lists.andrew.cmu.edu/pipermail/cyrus-sasl/2006-September/000628.html
http://lists.andrew.cmu.edu/pipermail/cyrus-sasl/2006-September/000635.html

FYI, here's what I see with minssf=57 (the 'No such attribute' error is
somewhat confusing):

root@noc:~# ldapsearch
ldap_sasl_interactive_bind_s: No such attribute (16)
root@noc:~# ldapsearch -Y GSSAPI
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Inappropriate authentication (48)
	additional info: SASL(-15): mechanism too weak for this user: mech GSSAPI is too weak

Regards,

Brian.