Am Tue, 28 Dec 2010 09:41:33 +0000 schrieb Brian Candler B.Candler@pobox.com:
Supplementary question: I tried to set minssf so as to require encryption, like this:
# ldapmodify -Y EXTERNAL -H ldapi:/// <<EOS dn: cn=config replace: olcSaslRealm olcSaslRealm: WS.NSRC.ORG
replace: olcSaslSecProps olcSaslSecProps: noanonymous,noplain,minssf=112 EOS
Unfortunately I now seem to have locked myself out from using the EXTERNAL mechanism:
# ldapsearch -s base -b "cn=config" -Y EXTERNAL -H ldapi:/// SASL/EXTERNAL authentication started ldap_sasl_interactive_bind_s: Inappropriate authentication (48) additional info: SASL(-15): mechanism too weak for this user: mech EXTERNAL is too weak
The default ssf of ldapi is 71, but you may change localSSF in slapd.conf(5). [...]
-Dieter