Re: Increase default olcLocalSSF to 128
I wrote:
> (...) any particular value will be wrong for someone. Depends on how safe
> your filesystem setup is and whether it's easier to break in to get at the
> ldapi socket than it is to just attack slapd.

I forgot: You could forge ldapi: credentials in early OpenLDAP versions,
depending on whether the OS provided a safe way to pass user credentials or
not. There's some hack in place now for OSes which don't, but I seem to
remember I never felt all that trustful of it.

-- 
Hallvard
Re: Increase default olcLocalSSF to 128
On 26 July 2018 09:04, Dieter Klünter wrote:
> On Thu, 26 Jul 2018 08:19:34 +0200, Michael Ströder wrote:
>> On 07/26/2018 04:47 AM, Ryan Tandy wrote:
>>> I propose increasing the default olcLocalSSF to 128. Mentioned
>>> initially on IRC, now bringing it to the list for completeness and
>>> archival.
>>>
>>> In typical setups people want to require TLS *or* ldapi, and
>>> ssf=128 seems like a pretty common olcSecurity setting for current
>>> systems.
>>
>> +1

I'd rather leave it alone.

I prefer to leave it alone, except maybe clarify the doc. Currently if you
want ldapi Bind and you have set ssf, you probably set it high so must also
set localssf. If we pick some higher default, then some people who set ssf
must also set localssf, others need not.

If I were implementing a new LDAP server, I'd pick a higher default. But I'd
rather not weaken security defaults in existing software.

>> But why not choose an even higher value like 256?

Indeed. However, any particular value will be wrong for someone. Depends on
how safe your filesystem setup is and whether it's easier to break in to
get at the ldapi socket than it is to just attack slapd.

>> I really wonder why it was set to 71.
>
> As Kurt mentioned on 1st LDAPCon in Cologne, it is a higher value than
> 56 and less than 128.

I.e. between DES (56) and "RC4, Blowfish and other modern strong ciphers"
(128) described for olcSaslSecProps minssf in man slapd-config. Also lower
than triple DES (112).

Maybe a number of people should update their "pretty common olcSecurity
setting" of 128 :-) I don't know the values for more modern ciphers.

-- 
Hallvard
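The point Hallvard makes above (set olcSecurity ssf high and an ldapi Bind only passes if olcLocalSSF is at least as high) is easy to see in a small model of slapd's check. The following is an added example written for this archive page, not code from the thread or from OpenLDAP itself; it is a simplified stand-in for slapd's bookkeeping in which an ldapi connection is credited olcLocalSSF as its transport SSF, the overall `ssf` is the strongest of transport, TLS and SASL, and an olcSecurity value such as `ssf=128` is satisfied only when every named factor meets its minimum. The `Connection` class, the function names and the default of 71 (the value quoted in the thread) are constructed for the example; only the four factors `ssf`, `transport`, `tls` and `sasl` are modelled.

```python
from dataclasses import dataclass

# Constructed for this example: the default olcLocalSSF quoted in the thread.
# It is not read from any real slapd configuration.
DEFAULT_LOCAL_SSF = 71

# olcSecurity factors this simplified model understands.
KNOWN_FACTORS = ("ssf", "transport", "tls", "sasl")


@dataclass
class Connection:
    """Minimal model of one client connection as slapd sees it (hypothetical)."""
    transport: str      # "ldapi" (UNIX socket), "ldap" (TCP) or "ldaps"
    tls_ssf: int = 0    # key bits of the negotiated TLS cipher, 0 without TLS
    sasl_ssf: int = 0   # SSF of a SASL security layer, 0 without one


def parse_security(spec: str) -> dict:
    """Parse an olcSecurity value such as "ssf=128 tls=0" into {factor: minimum}."""
    factors = {}
    for item in spec.split():
        name, _, value = item.partition("=")
        if name not in KNOWN_FACTORS or not value.isdigit():
            raise ValueError(f"unsupported or malformed olcSecurity item: {item!r}")
        factors[name] = int(value)
    return factors


def connection_ssfs(conn: Connection, local_ssf: int = DEFAULT_LOCAL_SSF) -> dict:
    """Per-factor SSF of a connection.

    Simplified model: an ldapi connection is credited olcLocalSSF as its
    transport SSF (a TCP socket gets 0), and the overall 'ssf' is the
    strongest single protection among transport, TLS and SASL.
    """
    transport_ssf = local_ssf if conn.transport == "ldapi" else 0
    return {
        "transport": transport_ssf,
        "tls": conn.tls_ssf,
        "sasl": conn.sasl_ssf,
        "ssf": max(transport_ssf, conn.tls_ssf, conn.sasl_ssf),
    }


def operation_allowed(conn: Connection, security_spec: str,
                      local_ssf: int = DEFAULT_LOCAL_SSF) -> bool:
    """True if the connection meets every minimum named in the olcSecurity value."""
    required = parse_security(security_spec)
    have = connection_ssfs(conn, local_ssf)
    return all(have[factor] >= minimum for factor, minimum in required.items())


if __name__ == "__main__":
    # Constructed scenarios: the same olcSecurity requirement against
    # different connections and olcLocalSSF settings.
    policy = "ssf=128"
    cases = [
        ("ldapi, olcLocalSSF left at 71", Connection("ldapi"), DEFAULT_LOCAL_SSF),
        ("ldapi, olcLocalSSF raised to 128", Connection("ldapi"), 128),
        ("ldaps with a 128-bit TLS cipher", Connection("ldaps", tls_ssf=128), DEFAULT_LOCAL_SSF),
        ("plain ldap over TCP, no TLS", Connection("ldap"), DEFAULT_LOCAL_SSF),
    ]
    for label, conn, local_ssf in cases:
        verdict = "allowed" if operation_allowed(conn, policy, local_ssf) else "rejected"
        print(f"{label:38s} olcSecurity {policy}: {verdict}")
```

In cn=config terms the two settings that interact here are `olcSecurity: ssf=128` on the database (or globally) and `olcLocalSSF: 128` globally; with the model's default of 71 the ldapi Bind is rejected, and raising olcLocalSSF to 128 is what makes "TLS *or* ldapi" actually work under that policy.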
Re: Increase default olcLocalSSF to 128
On 07/26/2018 09:04 AM, Dieter Klünter wrote:
> On Thu, 26 Jul 2018 08:19:34 +0200, Michael Ströder wrote:
>> But why not choose an even higher value like 256?
>> I really wonder why it was set to 71.
>
> As Kurt mentioned on 1st LDAPCon in Cologne, it is a higher value than
> 56 and less than 128.

But why? What's the technical reason for it?

Ciao, Michael.
Re: Increase default olcLocalSSF to 128
On Thu, 26 Jul 2018 08:19:34 +0200, Michael Ströder wrote:
> On 07/26/2018 04:47 AM, Ryan Tandy wrote:
>> I propose increasing the default olcLocalSSF to 128. Mentioned
>> initially on IRC, now bringing it to the list for completeness and
>> archival.
>>
>> In typical setups people want to require TLS *or* ldapi, and
>> ssf=128 seems like a pretty common olcSecurity setting for current
>> systems.
>
> +1
>
> But why not choose an even higher value like 256?
> I really wonder why it was set to 71.

As Kurt mentioned on 1st LDAPCon in Cologne, it is a higher value than 56
and less than 128.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
Re: Increase default olcLocalSSF to 128
On 07/26/2018 04:47 AM, Ryan Tandy wrote:
> I propose increasing the default olcLocalSSF to 128. Mentioned initially
> on IRC, now bringing it to the list for completeness and archival.
>
> In typical setups people want to require TLS *or* ldapi, and ssf=128
> seems like a pretty common olcSecurity setting for current systems.

+1

But why not choose an even higher value like 256?
I really wonder why it was set to 71.

Ciao, Michael.