Re: Enforce the use of Kerberos for password checking?
Hi,
On Sun, Aug 01, 2010 at 01:09:26AM +0200, Petter Reinholdtsen wrote:
>
> At the moment the LDAP server in Squeeze is set up to allow all users
> to check their password using LDAP bind, but without enforcing
> encrypted connections. This can cause the password to be sent in
> clear text over the net.
>
> I'm not sure how to change the slapd configuration to enforce
> encryption via ldap://, while allowing ldapi:// to connect without
> encryption. The latter is required to get Kerberos working.
[...]
> Are there better ways to do this?
I currently can't test, but perhaps we can increase the ssf to the old
value again. This will block all connections from ldapi://. To again
allow these local connections we need to set the ssf manually, as
described in:
<URL:http://www.openldap.org/lists/openldap-technical/200906/msg00109.html>
From the slapd.conf man page:

    localSSF <SSF>
        Specifies the Security Strength Factor (SSF) to be given local
        LDAP sessions, such as those to the ldapi:// listener. For a
        description of SSF values, see sasl-secprops's minssf option
        description. The default is 71.

Regards,
Andi
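An added slapd.conf example of the configuration Andi describes, not taken from the thread or from Debian Edu's own slapd setup; the SSF value 128 and the certificate paths are assumptions:

```conf
# slapd.conf fragment (added example; 128 and the file paths are assumed values)

# TLS material so ldap:// clients can negotiate STARTTLS, which is what
# lets a remote session reach an SSF of 128 in the first place.
TLSCACertificateFile    /etc/ssl/certs/ca-certificates.crt
TLSCertificateFile      /etc/ldap/server.crt
TLSCertificateKeyFile   /etc/ldap/server.key

# Global minimum strength. A session below ssf=128 has its operations
# refused with "Confidentiality required" (LDAP result 13), so a
# plain-text simple bind over ldap:// can no longer leak the password.
# simple_bind= covers the password-checking case explicitly; update_ssf=
# covers writes.
security ssf=128 simple_bind=128 update_ssf=128

# ldapi:// sessions carry no TLS, so slapd assigns them a fixed SSF.
# The default of 71 is below the 128 required above and would lock out
# the local Kerberos clients on ldapi://; raising it lets them through.
# localSSF only asserts trust in the Unix socket, it does not encrypt it,
# so the socket's filesystem permissions are what actually protect it.
localSSF 128
```

In the cn=config database the same two settings are olcSecurity and olcLocalSSF. A quick check from a remote host is a simple bind without -ZZ (for example `ldapwhoami -x -H ldap://server -D <user dn> -W`), which should now fail with "Confidentiality required" instead of succeeding.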