On Wed, 29 Dec 2010 16:50:17 +0000, Brian Candler <[email protected]> wrote:
> On Wed, Dec 29, 2010 at 07:57:43AM +0100, Dieter Kluenter wrote:
> > The default ssf of ldapi is 71, but you may change localSSF in
> > slapd.conf(5).
> > [...]
>
> Thank you, that is very clear.
>
> Having changed that, I can use EXTERNAL with minssf=112, but not
> GSSAPI. I find that if I set minssf=56 it's fine, but at minssf=57
> it isn't.
>
> It looks like this is a fundamental limitation of the GSSAPI:
> http://lists.andrew.cmu.edu/pipermail/cyrus-sasl/2006-September/000628.html
> http://lists.andrew.cmu.edu/pipermail/cyrus-sasl/2006-September/000635.html
>
> FYI, here's what I see with minssf=57 (the 'No such attribute' error
> is somewhat confusing)
>
> r...@noc:~# ldapsearch
> ldap_sasl_interactive_bind_s: No such attribute (16)
> r...@noc:~# ldapsearch -Y GSSAPI
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Inappropriate authentication (48)
> additional info: SASL(-15): mechanism too weak for this user:
> mech GSSAPI is too weak

That is because Kerberos DES, and thus GSSAPI, only has a security
strength factor of 56.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95"N 10°08'02,42"E
