Hello together,
I have setup ldap with tls. To disallow users to authenticate without security form differenct computers, I added
security ssf=64
to slapd.conf. Now I want local users (connections from localhost) to allow authenticating without any tls or SASL. I added:
localSSF 0
But it does not work :(. I get the "Confidentiality required (13)" error.
How can it be done?
Thanks! nathan
Nathan Huesken writes:
I have setup ldap with tls. To disallow users to authenticate without security form differenct computers, I added
security ssf=64
to slapd.conf. Now I want local users (connections from localhost) to allow authenticating without any tls or SASL. I added:
localSSF 0
Read the localSSF description in the slapd.conf manpage.
localSSF applies to ldapi:// connections, not ldap://localhost/ connections. And what you just did was assign ldapi:// users a security strength 0, which disallows them, rather than the default 71, which allows them on your setup (since it is above 64).
Do not use ldapi:// with clients or servers before OpenLDAP 2.3.35, it had security issues.
openldap-software@openldap.org