On Thu, Jul 26, 2018 at 01:34:52PM +0200, Hallvard Breien Furuseth wrote:
If I were implementing a new LDAP server, I'd pick a higher default.
But I'd rather not weaken security defaults in existing software.
In IRC, hbf went into a little more detail on what was meant by this: If
you have an exi
On 07/26/2018 01:38 PM, Hallvard Breien Furuseth wrote:
I wrote:
(...) any particular value will be wrong for someone.
Depends on how safe your filesystem setup is and whether it's easier
to break in to get at the ldapi socket than it is to just attack slapd.
You could forge ldapi: credentials
On 07/26/2018 01:34 PM, Hallvard Breien Furuseth wrote:
On 26 July 2018 09:04, Dieter Klünter wrote:
On Thu, 26 Jul 2018 08:19:34 +0200, Michael Ströder wrote:
I really wonder why it was set to 71.
As Kurt mentioned at the 1st LDAPCon in Cologne, it is a higher value than 56
and less than 128.
I wrote:
(...) any particular value will be wrong for someone.
Depends on how safe your filesystem setup is and whether it's easier
to break in to get at the ldapi socket than it is to just attack slapd.
I forgot:
You could forge ldapi: credentials in early OpenLDAP versions,
depending on whet
On 26 July 2018 09:04, Dieter Klünter wrote:
On Thu, 26 Jul 2018 08:19:34 +0200, Michael Ströder wrote:
On 07/26/2018 04:47 AM, Ryan Tandy wrote:
I propose increasing the default olcLocalSSF to 128. Mentioned
initially on IRC, now bringing it to the list for completeness and
archival.
In t
On 07/26/2018 09:04 AM, Dieter Klünter wrote:
On Thu, 26 Jul 2018 08:19:34 +0200, Michael Ströder wrote:
But why not choose an even higher value like 256?
I really wonder why it was set to 71.
As Kurt mentioned at the 1st LDAPCon in Cologne, it is a higher value than 56
and less than 128.
But
On Thu, 26 Jul 2018 08:19:34 +0200, Michael Ströder wrote:
> On 07/26/2018 04:47 AM, Ryan Tandy wrote:
> > I propose increasing the default olcLocalSSF to 128. Mentioned
> > initially on IRC, now bringing it to the list for completeness and
> > archival.
> >
> > In typical setups people want to
On 07/26/2018 04:47 AM, Ryan Tandy wrote:
I propose increasing the default olcLocalSSF to 128. Mentioned initially
on IRC, now bringing it to the list for completeness and archival.
In typical setups people want to require TLS *or* ldapi, and ssf=128
seems like a pretty common olcSecurity sett
I propose increasing the default olcLocalSSF to 128. Mentioned initially
on IRC, now bringing it to the list for completeness and archival.
In typical setups people want to require TLS *or* ldapi, and ssf=128
seems like a pretty common olcSecurity setting for current systems.
thanks
Ryan
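
A check for the mismatch this proposal addresses, as an added example that is not part of the thread: when olcSecurity requires ssf=128 and olcLocalSSF is left at the default of 71 mentioned in the replies, ldapi:// connections fall below the requirement. The function name and the sample LDIF are constructed for illustration; LDIF line folding and base64-encoded values are not handled.

```shell
#!/bin/sh
# Added example, not from the thread. Reads cn=config LDIF on stdin and
# compares olcLocalSSF with the overall ssf= factor of olcSecurity.
# Returns 0 if ldapi:// connections satisfy the requirement, 1 if not.
check_local_ssf() {
    awk '
        BEGIN { local_ssf = 71; required = 0 }  # 71 is the default cited in the thread
        tolower($1) == "olclocalssf:" { local_ssf = $2 + 0 }
        tolower($1) == "olcsecurity:" {
            # A value may list several factors; only the overall ssf= is checked,
            # so update_ssf=, tls= and the other factors are skipped.
            for (i = 2; i <= NF; i++)
                if ($i ~ /^ssf=[0-9]+$/) {
                    v = substr($i, 5) + 0
                    if (v > required) required = v
                }
        }
        END {
            printf "olcLocalSSF=%d required_ssf=%d: ", local_ssf, required
            if (local_ssf >= required) { print "ldapi accepted"; exit 0 }
            print "ldapi refused"; exit 1
        }'
}

# Constructed sample input (not taken from a real server).
SAMPLE_DEFAULT='dn: cn=config
objectClass: olcGlobal
cn: config
olcSecurity: ssf=128 update_ssf=128'

SAMPLE_RAISED="$SAMPLE_DEFAULT
olcLocalSSF: 128"

printf '%s\n' "$SAMPLE_DEFAULT" | check_local_ssf || true
printf '%s\n' "$SAMPLE_RAISED"  | check_local_ssf || true
```

On a live server the input can come from `slapcat -n 0`, which reads the config database directly and so works even when ldapi access is being refused.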