RE: Heimdal/OpenLDAP/Samba howto and bugreport
> -----Original Message-----
> From: owner-heimdal-discuss@sics.se
> [mailto:owner-heimdal-discuss@sics.se]On Behalf Of Kurt D. Zeilenga
> Regarding commenting out sasl-secprops minssf=128, it might
> be better to instead lower the minssf to 70. The base SSF of
> ldapi:// is currently 71. We figured that use of ldapi:// was better
> than weak encryption (<65) but not as good as stronger
> encryption (>95), hence the 71. The ldapi:// SSF should really
> be a configurable option. I'll add that to our TODO list.
No, that won't work. The minssf here is used to select eligible SASL
mechanisms to offer to the client, and SASL/EXTERNAL always has an SSF of
zero as far as the SASL library is concerned. The SSF that ldapi provides is
transport-level, and SASL has no knowledge of it during mech selection.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support