9.2. Setting a Minimum Strength Factor
nsslapd-minssfconfiguration attribute. When enforcing a minimum SSF, Directory Server looks at each available encryption type for an operation — TLS or SASL — and determines which has the higher SSF value and then compares the higher value to the minimum SSF. It is possible for both SASL authentication and TLS to be configured for some server-to-server connections, such as replication.
nsslapd-minssf-exclude-rootdseconfiguration attribute. This sets a minimum SSF setting for all connections to the Directory Server except for queries against the root DSE. A client may need to obtain information about the server configuration, like its default naming context, before initiating an operation. The
nsslapd-minssf-exclude-rootdseattribute allows the client to get that information without having to establish a secure connection first.
STARTTLSand SASL binds to succeed, even though those two connections initially open a regular connection. After the TLS or SASL session is opened, then the SSF is evaluated. Any connection which does not meet the SSF requirements is closed with an LDAP unwilling to perform error.
nsslapd-minssfattribute value is 0, which means there is no minimum SSF for server connections. The value can be set to any reasonable positive integer. The value represents the required key strength for any secure connection.
# dsconf -D "cn=Directory Manager" ldap://server.example.com config replace nsslapd-minssf=128 Successfully replaced "nsslapd-minssf"
nsslapd-require-secure-bindsattribute, as in Section 20.11.1, “Requiring Secure Binds”.