I have locked down my server to disallow anonymous binds and set the SSF=128. I also have SaslSecProps: noplain,noanonymous,minssf=128
Which all seems to work fine for my usage with one exception. If I try to use any of the command line tools with "-Y EXTERNAL -H ldapi:///", I now get:
additional info: SASL(-15): mechanism too weak for this user: mech EXTERNAL is too weak
Is there some configuration item that I can change to allow that to work while maintaining my existing policy of no anonymous binds for everything else, etc.?
Thanks,
On 04/07/16 16:16 -0400, Frank Crow wrote:
> I have locked down my server to disallow anonymous binds and set the SSF=128. I also have SaslSecProps: noplain,noanonymous,minssf=128
> Which all seems to work fine for my usage with one exception. If I try to use any of the command line tools with "-Y EXTERNAL -H ldapi:///", I now get:
> additional info: SASL(-15): mechanism too weak for this user: mech EXTERNAL is too weak
> Is there some configuration item that I can change to allow that to work while maintaining my existing policy of no anonymous binds for everything else, etc.?
Set olcLocalSSF to your desired value within your server config.
On Thu, 7 Apr 2016 16:16:47 -0400, Frank Crow fjcrow2008@gmail.com wrote:
> I have locked down my server to disallow anonymous binds and set the SSF=128. I also have SaslSecProps: noplain,noanonymous,minssf=128
> Which all seems to work fine for my usage with one exception. If I try to use any of the command line tools with "-Y EXTERNAL -H ldapi:///", I now get:
> additional info: SASL(-15): mechanism too weak for this user: mech EXTERNAL is too weak
> Is there some configuration item that I can change to allow that to work while maintaining my existing policy of no anonymous binds for everything else, etc.?
The default ssf for ldapi is 71, but you may configure a security strength factor to your liking. See manual page slapd.conf(5) localSSF.
-Dieter
On 08.04.2016 09:11, Dieter Klünter wrote:
> On Thu, 7 Apr 2016 16:16:47 -0400, Frank Crow fjcrow2008@gmail.com wrote:
>> I have locked down my server to disallow anonymous binds and set the SSF=128. I also have SaslSecProps: noplain,noanonymous,minssf=128
>> Which all seems to work fine for my usage with one exception. If I try to use any of the command line tools with "-Y EXTERNAL -H ldapi:///", I now get:
>> additional info: SASL(-15): mechanism too weak for this user: mech EXTERNAL is too weak
>> Is there some configuration item that I can change to allow that to work while maintaining my existing policy of no anonymous binds for everything else, etc.?
> The default ssf for ldapi is 71, but you may configure a security strength factor to your liking. See manual page slapd.conf(5) localSSF.
Another way is to make an ACL with different restrictions for ssf. See the man page slapd.access and the official documentation section 8.4.9.
Best regards, Michael
> -Dieter
openldap-technical@openldap.org
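
The setting suggested in the replies above, as an added example that is not part of the original thread: an LDIF change that raises the SSF slapd assigns to ldapi:/// sessions so that it meets the minssf=128 in the SASL security properties. The cn=config (slapd.d) layout and the value 128 are assumptions.

```ldif
# Added example (constructed); assumes a cn=config (slapd.d) deployment.
# Policy from the thread: SaslSecProps noplain,noanonymous,minssf=128
# ldapi:/// sessions get SSF 71 by default, which is below minssf=128,
# so SASL EXTERNAL is refused as "too weak".
#
# olcLocalSSF is the SSF given to local (ldapi://) sessions.
# 128 is an assumed value chosen to match minssf; the noplain and
# noanonymous properties are not touched by this change.
dn: cn=config
changetype: modify
replace: olcLocalSSF
olcLocalSSF: 128
```

In slapd.conf the equivalent global directive is `localSSF 128`. The value applies to every session on the ldapi socket, so access to that socket should be limited by its filesystem permissions.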