
Re: security ssf and gssapi auto selection



At 04:06 AM 3/8/2006, Mivz wrote:
>Hello,
>I have configured my ldap server to use GSSAPI.
>If I do not use the security ssf statement in my slapd.conf, it auto selects GSSAPI authentication:
>
>ldapsearch
>SASL/GSSAPI authentication started
>SASL username: me@FQDN
>SASL SSF: 56
>SASL installing layers
># extended LDIF
>#
># LDAPv3
># base <> with scope sub
># filter: (objectclass=*)
># requesting: gssapi
>#
>
>But when I enable the security ssf statement:
>security ssf=56 update_ssf=112 simple_bind=56
>
>It replies:
>ldapsearch
>ldap_sasl_interactive_bind_s: Confidentiality required (13)
>       additional info: confidentiality required
>
>And I have to specify -Y gssapi with my ldapsearch and then it works as before.
>The actual result is the same.
>Why is it that it won't auto select GSSAPI when confidentiality is required? It does not even try.
>And, of course, how can this be solved?

ssf=56 disallows the unprotected search used in auto selection
of the SASL mechanism.  You might look at replacing ssf=56
with ACLs that restrict unprotected search to just the
attributes of the root DSE required for auto-selection
or just not relying on auto-selection.  There are various
other restrictions you might experiment with, in particular
those of the 'require' slapd.conf(5) directive.

Kurt
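One way to apply the ACL-based replacement Kurt suggests, as an added slapd.conf sketch that is not from the thread: the global ssf=56 is dropped (update_ssf and simple_bind are kept), the root DSE attributes a client reads before it has any SASL layer are made readable, and every other read requires a 56-bit-or-better layer. The exact root DSE attribute list and the ACL shape are assumptions; check them against slapd.access(5) for the version in use.

```conf
# BEFORE (from the original post): blocks the unprotected root DSE
# search that ldapsearch issues to discover supportedSASLMechanisms,
# so mechanism auto-selection fails with "Confidentiality required".
#
#   security ssf=56 update_ssf=112 simple_bind=56

# AFTER: keep the update and simple-bind requirements, but express the
# confidentiality requirement for reads through ACLs instead of ssf=56.
security update_ssf=112 simple_bind=56

# ACLs are evaluated in order; first matching "access to" wins.
# Root DSE only: allow the unprotected read that auto-selection needs.
# (attribute list is an assumption of what the client consults)
access to dn.base="" attrs=supportedSASLMechanisms,supportedLDAPVersion,objectClass
    by * read

# Everything else: authenticated clients with an SSF of at least 56
# (e.g. after a GSSAPI bind installs its layer); anything weaker gets nothing.
access to *
    by users ssf=56 read
    by * none
```

With this in place a bare ldapsearch can read the root DSE anonymously, pick GSSAPI, bind, and then perform the real search over the installed layer, while a client that never establishes a layer still sees nothing beyond the root DSE.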