On 08.04.2016 09:11, Dieter Klünter wrote:
Am Thu, 7 Apr 2016 16:16:47 -0400 schrieb Frank Crow fjcrow2008@gmail.com:
I have locked down my server to disallow anonymous binds and set the SSF=128. I also have SaslSecProps: noplain,noanonymous,minssf=128
Which all seems to work fine for my usage with one exception. If I try to use any of the command line tools with "-Y EXTERNAL -H ldapi:///", I now get:
additional info: SASL(-15): mechanism too weak for this user: mech EXTERNAL is too weak
Is there some configuration item that I can change to allow that work while maintaining my existing policy of no anonymous binds for everything else, etc?
The default ssf for ldapi is 71, but you may configure a security strength factor to your liking. See manual page slapd.conf(5) localSSF.
another way is to make a ACL with different restrictions for ssf. See the man page slapd.access and the official documentation section 8.4.9
best regards Michael
-Dieter