
Re: Enforce the user of Kerberos for password checking?



[Andreas B. Mundt]
> If I understand the mail correctly, it does not set the level needed,
> but it sort of defines/overwrites the level the connection has. 
> 
> To be accepted, we need to 'define' the local ldapi://
> connection to have a ssf of 128 at least. So try with "localSSF 128". 

Ah.  Right.  Then I had completely misunderstood.  I tested using
localssf 128, and the kdc was able to connect using ldapi://.

> As I said, not tested, but perhaps worth a try.

Absolutely.  Then we can drop the ldap-auth group idea for now.  But
we should really make sure most users can't use LDAP bind to
authenticate, and enforce Kerberos authentication instead.

Putting the list back on the recipient list, to let them know about
this.

This should solve at least some of the detected errors in the current
installation. :)

Happy hacking,
-- 
Petter Reinholdtsen

