Supplementary question: I tried to set minssf so as to require encryption, like this:
# ldapmodify -Y EXTERNAL -H ldapi:/// <<EOS
dn: cn=config
replace: olcSaslRealm
olcSaslRealm: WS.NSRC.ORG
-
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,noplain,minssf=112
EOS
Unfortunately I now seem to have locked myself out from using the EXTERNAL mechanism:
# ldapsearch -s base -b "cn=config" -Y EXTERNAL -H ldapi:///
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Inappropriate authentication (48)
        additional info: SASL(-15): mechanism too weak for this user: mech EXTERNAL is too weak
So: (a) it would be nice to know how to recover from this. If I stop slapd and edit /etc/ldap/slapd.d/cn=config.ldif directly, that seems to be OK, but are there any risks in directly manipulating the config in this way?
(b) how can I enforce encryption for Kerberos users without locking myself out of EXTERNAL?
Thanks,
Brian.
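An added worked example following Brian's question (it is not part of his post and not OpenLDAP's own code). The lock-out happens because minssf in olcSaslSecProps is a requirement on the SASL security layer, and EXTERNAL negotiates no layer at all, so Cyrus SASL rejects it as "too weak" regardless of how the ldapi:/// socket is rated. The script below rewrites a slapd.d cn=config.ldif (with slapd stopped, as in recovery option (a)) so that encryption is instead demanded with olcSecurity: ssf=112, which slapd evaluates against the session's combined TLS/SASL/local SSF, and raises olcLocalSSF above that value so ldapi:/// sessions, and therefore EXTERNAL, still qualify. Assumptions: the directive names and the olcLocalSSF default of 71 are as in slapd-config(5); a SASL bind is allowed through so GSSAPI can negotiate its layer before the ssf requirement is checked (my understanding of slapd, not something the post confirms); the file is the plain one-attribute-per-line LDIF slapd writes (no wrapped or base64 values); and the sample LDIF and its "# CRC32" and entryUUID values are constructed placeholders. Caveats for hand-editing: slapd logs a checksum warning on a file whose "# CRC32" header no longer matches (as far as I know it still loads it), and entryCSN/modifyTimestamp are not updated, which matters if cn=config is replicated.

```python
"""Rewrite slapd.d/cn=config.ldif so encryption is enforced via
olcSecurity/olcLocalSSF instead of SASL minssf (which locks out EXTERNAL).

Added example; not code from the mailing-list post or from OpenLDAP.
Assumes plain one-attribute-per-line LDIF (no wrapped/base64 lines) and
that slapd is stopped while the file is edited. Directive names are from
slapd-config(5).
"""
import re
import sys

MINSSF_RE = re.compile(r"^minssf=\d+$", re.IGNORECASE)

# Constructed sample of what slapd writes after Brian's ldapmodify.
# The CRC32 and entryUUID values are placeholders, not real ones.
SAMPLE = """\
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 00000000
dn: cn=config
objectClass: olcGlobal
cn: config
olcSaslRealm: WS.NSRC.ORG
olcSaslSecProps: noanonymous,noplain,minssf=112
structuralObjectClass: olcGlobal
entryUUID: 00000000-0000-0000-0000-000000000000
"""


def strip_minssf(secprops: str) -> str:
    """Drop minssf=N from a comma-separated olcSaslSecProps value.

    minssf constrains the SASL security layer; EXTERNAL provides none,
    so any minssf > 0 makes Cyrus SASL reject it as "mechanism too weak".
    """
    props = [p.strip() for p in secprops.split(",") if p.strip()]
    return ",".join(p for p in props if not MINSSF_RE.match(p))


def merge_security(existing: str, ssf: int) -> str:
    """Set ssf=N in an olcSecurity value, keeping any other factors."""
    factors = [f for f in existing.split() if not f.lower().startswith("ssf=")]
    return " ".join(factors + [f"ssf={ssf}"])


def harden_config(ldif: str, ssf: int = 112, local_ssf: int = 128) -> str:
    """Return the rewritten cn=config.ldif text.

    - removes minssf from olcSaslSecProps (recovers EXTERNAL),
    - requires olcSecurity: ssf=<ssf>, so GSSAPI users must negotiate a
      security layer (or use TLS) of at least that strength,
    - sets olcLocalSSF >= ssf so ldapi:/// sessions still pass the check
      (the default 71 would lock EXTERNAL out again under olcSecurity).
    """
    if local_ssf < ssf:
        raise ValueError("olcLocalSSF must be >= ssf or ldapi/EXTERNAL is locked out")
    out = []
    have_security = have_local = False
    last_olc = -1  # index in `out` of the last olc* attribute line
    for line in ldif.splitlines():
        attr, sep, value = line.partition(": ")
        if sep:
            if attr == "olcSaslSecProps":
                value = strip_minssf(value)
                if not value:  # nothing left; an empty value is invalid LDIF
                    continue
                line = f"{attr}: {value}"
            elif attr == "olcSecurity":
                line = f"{attr}: {merge_security(value, ssf)}"
                have_security = True
            elif attr == "olcLocalSSF":
                line = f"{attr}: {max(int(value), local_ssf)}"
                have_local = True
            if attr.startswith("olc"):
                last_olc = len(out)
        out.append(line)
    additions = []
    if not have_security:
        additions.append(f"olcSecurity: ssf={ssf}")
    if not have_local:
        additions.append(f"olcLocalSSF: {local_ssf}")
    # keep the new directives with the other olc* attributes, ahead of
    # the operational attributes slapd appends
    out[last_olc + 1:last_olc + 1] = additions
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # usage: stop slapd, then  python3 harden.py cn=config.ldif > cn=config.ldif.new
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    sys.stdout.write(harden_config(text))
```

Run it against the sample and the secprops line comes back as "noanonymous,noplain" with "olcSecurity: ssf=112" and "olcLocalSSF: 128" inserted; once slapd is running again the same change is better applied with ldapmodify over ldapi:/// so the CRC header and entryCSN are maintained.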