RE: Heimdal/OpenLDAP/Samba howto and bugreport

> -----Original Message-----
> From: owner-heimdal-discuss@sics.se
> [mailto:owner-heimdal-discuss@sics.se]On Behalf Of Kurt D. Zeilenga

> Regarding commenting out sasl-secprops minssf=128, it might
> be better to instead lower the minssf to 70.  The base SSF of
> ldapi:// is currently 71.  We figured that use of ldapi:// was better
> than weak encryption (<65) but not as good as stronger
> encryption (>95), hence the 71.  The ldapi:// SSF should really
> be a configurable option.  I'll add that to our TODO list.

No, that won't work. The minssf here is used to select eligible SASL
mechanisms to offer to the client, and SASL/EXTERNAL always has an SSF of
zero as far as the SASL library is concerned. The SSF that ldapi provides is
transport-level, and SASL has no knowledge of it during mech selection.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
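
A simplified model of the mechanism selection described in the reply above, added as an example; it is not part of the original message and is not Cyrus SASL or OpenLDAP code. The function names and the SSF values other than EXTERNAL = 0 are assumptions, and only the `minssf` property of `sasl-secprops` is modelled.

```python
import re

# SSF the SASL library attributes to each mechanism. EXTERNAL = 0 is stated
# in the reply above; the other entries are constructed for illustration.
MECH_SSF = {"EXTERNAL": 0, "PLAIN": 0, "GSSAPI": 56, "DIGEST-MD5": 128}

LDAPI_TRANSPORT_SSF = 71  # base SSF of ldapi:// quoted in the thread


def parse_minssf(conf_text):
    """Effective minssf from slapd.conf text (0 if unset or commented out)."""
    minssf = 0
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        m = re.match(r"sasl-secprops\s+(.*)", line, re.I)
        if not m:
            continue
        minssf = 0                                # last directive wins
        for prop in m.group(1).split(","):
            key, _, val = prop.strip().partition("=")
            if key.lower() == "minssf" and val.isdigit():
                minssf = int(val)
    return minssf


def offered_mechs(minssf):
    """Mechanism selection compares minssf with the mechanism's own SSF only;
    the transport SSF of the connection is not an input at this stage."""
    return sorted(m for m, ssf in MECH_SSF.items() if ssf >= minssf)


def external_over_ldapi(conf_text):
    """True if SASL/EXTERNAL would still be offered under this configuration."""
    return "EXTERNAL" in offered_mechs(parse_minssf(conf_text))


# Constructed slapd.conf fragments for the three cases in the thread.
ORIGINAL = "sasl-secprops minssf=128\n"
LOWERED = "sasl-secprops minssf=70\n"
COMMENTED = "# sasl-secprops minssf=128\n"

if __name__ == "__main__":
    for name, conf in [("minssf=128", ORIGINAL), ("minssf=70", LOWERED),
                       ("commented out", COMMENTED)]:
        ssf = parse_minssf(conf)
        print(f"{name:14} offered={offered_mechs(ssf)} "
              f"ldapi_ssf>=minssf={LDAPI_TRANSPORT_SSF >= ssf} "
              f"EXTERNAL={external_over_ldapi(conf)}")
```

With `minssf=70` the ldapi:// transport SSF of 71 would satisfy the threshold, yet EXTERNAL is still filtered out because the comparison is made against the mechanism's own SSF of zero.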