Brian Candler wrote:
Supplementary question: I tried to set minssf so as to require encryption, like this:
# ldapmodify -Y EXTERNAL -H ldapi:/// <<EOS
dn: cn=config
replace: olcSaslRealm
olcSaslRealm: WS.NSRC.ORG
-
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,noplain,minssf=112
EOS
Unfortunately I now seem to have locked myself out from using the EXTERNAL mechanism:
# ldapsearch -s base -b "cn=config" -Y EXTERNAL -H ldapi:///
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Inappropriate authentication (48)
	additional info: SASL(-15): mechanism too weak for this user: mech EXTERNAL is too weak
So: (a) it would be nice to know how to recover from this. If I stop slapd and edit /etc/ldap/slapd.d/cn=config.ldif directly, that seems to be OK, but are there any risks in directly manipulating the config in this way?
The main risk is that if you enter any typos or syntax errors, slapd will refuse to start. You should probably use slapmodify instead, so at least you'll get some syntax checking.
(b) how can I enforce encryption for Kerberos users without locking myself out of EXTERNAL?
Read the slapd-config(5) manpage, olcLocalSSF.
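As an added illustration of that pointer (this LDIF is not from the thread or from the OpenLDAP project): the SSF that slapd credits to an ldapi:/// session is olcLocalSSF, which defaults to 71. Once olcSaslSecProps demands minssf=112, a local EXTERNAL bind brings no security layer of its own, 71 is below 112, and Cyrus SASL rejects the mechanism as too weak, which is exactly the lockout above. Raising olcLocalSSF to at least the minssf value lets ldapi:/// sessions through while still requiring an SSF of 112 on network sessions. The directory path and the value 128 are assumptions; adjust them to the installation.

```ldif
# Added example, not part of the original thread.
# Recover from the minssf lockout and keep encryption enforced by crediting
# ldapi:/// sessions with an SSF at or above minssf.
# Assumptions: Debian-style config directory /etc/ldap/slapd.d, olcLocalSSF 128
# (any value >= the minssf of 112 works).
#
# Apply offline with slapd stopped, so the file is syntax-checked before it is
# written into cn=config:
#   slapmodify -n 0 -F /etc/ldap/slapd.d -l fix-localssf.ldif
# then start slapd and retry the EXTERNAL bind over ldapi:///.

dn: cn=config
changetype: modify
replace: olcLocalSSF
olcLocalSSF: 128
-
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,noplain,minssf=112
```

If slapmodify is run as root, check afterwards that the files under slapd.d are still owned by the account slapd runs as, otherwise slapd may fail to read its own configuration on the next start.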