Hi,

On Sun, Aug 01, 2010 at 01:09:26AM +0200, Petter Reinholdtsen wrote:
>
> At the moment the LDAP server in Squeeze is set up to allow all users
> to check their password using LDAP bind, but without enforcing
> encrypted connections.  This can cause the password to be sent in
> clear text over the net.
>
> I'm not sure how to change the slapd configuration to enforce
> encryption via ldap://, while allowing ldapi:// to connect without
> encryption.  The latter is required to get Kerberos working.
[...]
> Are there better ways to do this?

I currently can't test, but perhaps we can increase the ssf to the old
value again. This will block all connections from ldapi://. To again
allow these local connections we need to set the ssf manually, as
described in:

  <URL:http://www.openldap.org/lists/openldap-technical/200906/msg00109.html>

From the slapd.conf man page:

  localSSF <SSF>
      Specifies the Security Strength Factor (SSF) to be given local
      LDAP sessions, such as those to the ldapi:// listener.  For a
      description of SSF values, see sasl-secprops's minssf option
      description.  The default is 71.

Regards,

Andi
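A small check for the two directives discussed in this thread, added here as an illustration and not part of the original message or of the Debian Edu configuration: it reads slapd.conf text and reports whether simple binds are accepted without encryption and whether the required ssf exceeds localSSF, which rejects ldapi:// sessions. The function names, the sample configurations and the value 128 are constructed assumptions; only the global section is examined.

```python
import re

DEFAULT_LOCAL_SSF = 71  # default quoted from the slapd.conf man page above

def logical_lines(text):
    """Drop comments/blank lines and join continuation lines (leading whitespace)."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def audit(text):
    """Return (ssf, bind_ssf, local_ssf, findings) for the global section."""
    ssf, simple_bind, local = 0, 0, DEFAULT_LOCAL_SSF
    for line in logical_lines(text):
        words = line.split()
        key = words[0].lower()
        if key in ("backend", "database"):
            break  # per-database settings are out of scope for this check
        if key == "localssf" and len(words) > 1:
            local = int(words[1])
        elif key == "security":
            for w in words[1:]:
                m = re.fullmatch(r"(ssf|simple_bind)=(\d+)", w.lower())
                if m and m.group(1) == "ssf":
                    ssf = int(m.group(2))
                elif m:
                    simple_bind = int(m.group(2))
    bind_ssf = max(ssf, simple_bind)  # strength a simple bind must reach
    findings = []
    if bind_ssf <= 1:  # 0 = no protection, 1 = integrity only
        findings.append("simple bind accepted without encryption")
    if ssf > local:
        findings.append("ldapi:// sessions rejected: localSSF below required ssf")
    return ssf, bind_ssf, local, findings

# Constructed sample configurations; 128 is an illustrative value.
CLEARTEXT = "include /etc/ldap/schema/core.schema\n# no security directive\n"
BLOCKS_LDAPI = "security ssf=128\n"
BOTH = "security ssf=128\nlocalSSF 128\n"

if __name__ == "__main__":
    for name, conf in (("cleartext", CLEARTEXT), ("blocks-ldapi", BLOCKS_LDAPI), ("both", BOTH)):
        print(name, audit(conf))
```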

