On 26 July 2018 09:04, Dieter Klünter wrote:
On Thu, 26 Jul 2018 08:19:34 +0200, Michael Ströder michael@stroeder.com wrote:
On 07/26/2018 04:47 AM, Ryan Tandy wrote:
I propose increasing the default olcLocalSSF to 128. Mentioned initially on IRC, now bringing it to the list for completeness and archival.
In typical setups people want to require TLS *or* ldapi, and ssf=128 seems like a pretty common olcSecurity setting for current systems.
+1
I'd rather leave it alone.
I prefer to leave it alone, except maybe clarify the doc. Currently if you want ldapi Bind and you have set ssf, you probably set it high so must also set localssf. If we pick some higher default, then some people who set ssf must also set localssf, others need not.
If I were implementing a new LDAP server, I'd pick a higher default. But I'd rather not weaken security defaults in existing software.
But why not choose an even higher value like 256?
Indeed. However, any particular value will be wrong for someone. Depends on how safe your filesystem setup is and whether it's easier to break in to get at the ldapi socket than it is to just attack slapd.
I really wonder why it was set to 71.
As Kurt mentioned at the 1st LDAPCon in Cologne, it is a higher value than 56 and less than 128.
I.e. between DES (56) and "RC4, Blowfish and other modern strong ciphers" (128) described for olcSaslSecProps minssf in man slapd-config. Also lower than triple DES (112).
Maybe a number of people should update their "pretty common olcSecurity setting" of 128 :-) I don't know the values for more modern ciphers.
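The pairing the thread keeps coming back to (a global `ssf=128` requirement plus a matching `olcLocalSSF`, so that ldapi:/// binds still satisfy the requirement) as a constructed cn=config example; this is not from the thread or from the OpenLDAP project, and the attribute values are the ones discussed above, not a recommendation for any particular deployment:

```ldif
# Constructed example (not from the thread): raise olcLocalSSF together with
# the global olcSecurity requirement. With slapd's default olcLocalSSF of 71,
# "olcSecurity: ssf=128" on its own makes every ldapi:/// connection fail with
# "Confidentiality required", because an ldapi connection is credited with
# exactly the olcLocalSSF value as its SSF. olcLocalSSF is replaced first so
# the local socket keeps qualifying once the ssf=128 requirement is in force.
dn: cn=config
changetype: modify
replace: olcLocalSSF
olcLocalSSF: 128
-
replace: olcSecurity
olcSecurity: ssf=128
```

Apply it over the local socket, e.g. `ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f localssf.ldif`, then check both sides of the policy: `ldapwhoami -Q -Y EXTERNAL -H ldapi:///` must still succeed, and a plain `ldap://` bind without StartTLS must now be refused with "Confidentiality required". If the second check still succeeds, the `olcSecurity` change has not taken effect.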