On 07/11/2018 08:52 PM, Norman Gray wrote:
I would have thought (possibly naively) that StartTLS was unnecessary
when connecting to slapd through a unix socket -- the client and the
server are on the same machine, and so don't need to be reassured about
each other's identity.
However this seems not to be be the case:
% ldapsearch -LLL -H ldapi://%2Fvar%2Frun%2Fopenldap%2Fldapi
ldap_sasl_interactive_bind_s: Confidentiality required (13)
additional info: stronger confidentiality required
You want to set localSSF in your config to match the minimum SSF you've
configured (the default is 71).
'localSSF' is old slapd.conf name and 'olcLocalSSF' the accompanying
LDAP attribute in cn=config.
So add to cn=config: