
Re: Enforce the use of Kerberos for password checking?



Hi,

On Sun, Aug 01, 2010 at 01:09:26AM +0200, Petter Reinholdtsen wrote:
> 
> At the moment the LDAP server in Squeeze is set up to allow all users
> to check their password using LDAP bind, but without enforcing
> encrypted connections.  This can cause the password to be sent in
> clear text over the net.
> 
> I'm not sure how to change the slapd configuration to enforce
> encryption via ldap://, while allowing ldapi:// to connect without
> encryption.  The latter is required to get Kerberos working.

[...] 

> Are there better ways to do this?


I currently can't test, but perhaps we can increase the ssf to the old
value again. This will block all connections from ldapi://. To again
allow these local connections we need to set the ssf manually, as
described in: 
<URL:http://www.openldap.org/lists/openldap-technical/200906/msg00109.html>

From the slapd.conf man page:

localSSF <SSF>
    Specifies the Security Strength Factor (SSF) to be given local
    LDAP sessions, such as those to the ldapi:// listener. For a
    description of SSF values, see sasl-secprops's minssf option
    description. The default is 71. 


Regards,

	Andi
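Concretely, the combination Andi describes (raise the global SSF so ldap:// sessions must be protected, then exempt the local socket by assigning it a sufficient SSF) is a two-line change in slapd.conf. The fragment below is an added illustration, not something posted in the thread; the value 128 is an assumed strength requirement and corresponds to an AES-128 TLS cipher, so TLS must already be configured on the server for any ldap:// client to get through.

```apacheconf
# Added example, not from the thread: global section of slapd.conf.
# Every session must reach a Security Strength Factor of 128 before
# any operation, including a simple bind, is accepted. A plain
# ldap:// connection has SSF 0 and is rejected with
# "Confidentiality required (13)"; ldap:// with STARTTLS (or ldaps://)
# using a 128-bit cipher passes.
security ssf=128 simple_bind=128

# Sessions over the ldapi:// UNIX-domain socket cannot use TLS, so
# slapd assigns them a fixed SSF. The default of 71 is below the
# requirement above and would lock out the local Kerberos/SASL setup;
# raising it to 128 lets local connections through unchanged.
localSSF 128
```

To verify after a restart: `ldapwhoami -x -H ldap://server -D <dn> -W` should fail with "Confidentiality required", the same command with `-ZZ` (mandatory STARTTLS) should succeed, and `ldapwhoami -Y EXTERNAL -H ldapi:///` should succeed as before. With the cn=config backend the same two settings are `olcSecurity: ssf=128 simple_bind=128` and `olcLocalSSF: 128` on `cn=config`. Note that `localSSF` only labels the socket as trusted; it does not encrypt it, so the socket's filesystem permissions remain the actual protection for ldapi://.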

