Dieter Kluenter wrote:
> On Wed, 29 Dec 2010 16:50:17 +0000, Brian Candler <[email protected]> wrote:
>> On Wed, Dec 29, 2010 at 07:57:43AM +0100, Dieter Kluenter wrote:
>>> The default ssf of ldapi is 71, but you may change localSSF in
>>> slapd.conf(5).
>> [...]
>> Thank you, that is very clear.
>>
>> Having changed that, I can use EXTERNAL with minssf=112, but not
>> GSSAPI. I find that if I set minssf=56 it's fine, but at minssf=57
>> it isn't.
>>
>> It looks like this is a fundamental limitation of the GSSAPI:
>> http://lists.andrew.cmu.edu/pipermail/cyrus-sasl/2006-September/000628.html
>> http://lists.andrew.cmu.edu/pipermail/cyrus-sasl/2006-September/000635.html
>>
>> FYI, here's what I see with minssf=57 (the 'No such attribute' error
>> is somewhat confusing):
>>
>>   r...@noc:~# ldapsearch
>>   ldap_sasl_interactive_bind_s: No such attribute (16)
>>   r...@noc:~# ldapsearch -Y GSSAPI
>>   SASL/GSSAPI authentication started
>>   ldap_sasl_interactive_bind_s: Inappropriate authentication (48)
>>           additional info: SASL(-15): mechanism too weak for this user:
>>   mech GSSAPI is too weak
>
> That is because Kerberos DES, and thus GSSAPI, only has a security
> strength factor of 56.

But this value is pure fiction, it's an arbitrary value hardcoded into the
SASL gssapi plugin. Generally Kerberos is using triple-DES today, or AES.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
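An added illustration, not part of the thread and not OpenLDAP project documentation: a slapd.conf fragment that keeps the two settings discussed above consistent with each other. It assumes the directive names as documented in slapd.conf(5) (localSSF and sasl-secprops); the numeric values are chosen to match the figures quoted in the thread and are otherwise arbitrary.

```conf
# Added example, not from the thread.  Assumes the slapd.conf(5)
# directives localSSF and sasl-secprops; the SSF numbers are illustrative.

# ldapi:// sockets carry no cipher, so slapd assigns them an administrative
# SSF instead (default 71).  Raising it lets local EXTERNAL binds satisfy a
# high minssf, which is what made minssf=112 work over ldapi above.
localSSF 128

# Setting that refuses GSSAPI: Cyrus SASL checks minssf against the SSF the
# mechanism plugin advertises, and the GSSAPI plugin advertises a hardcoded
# 56 no matter which Kerberos enctype (3DES, AES) was actually negotiated.
# Any minssf above 56 therefore fails every GSSAPI bind with
# "SASL(-15): mechanism too weak for this user".
#sasl-secprops minssf=112,noanonymous,noplain

# Setting that keeps GSSAPI usable while still excluding anonymous and
# cleartext-password SASL mechanisms: cap minssf at the advertised 56.
sasl-secprops minssf=56,noanonymous,noplain
```

After restarting slapd, `ldapwhoami -Y GSSAPI` and `ldapwhoami -Y EXTERNAL -H ldapi:///` confirm which mechanisms the chosen minssf still admits; a minssf of 57 or more reproduces the "mechanism too weak" error shown in the quoted session.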