Re: minssf more then 56

[Howard Chu <hyc@symas.com>]

Hai Zaar wrote:
> Dear, list!
>
> I'm using OpenLDAP with SASL GSSAPI.
>
> If I leave minssf to be 56, all works smoothly, but when trying to set
> minssf to something more then 56, for example 112, 128 or 256, I get
> the following error:
>
> ldapsearch -d 1  -Y  GSSAPI  -b "uid=foo,ou=people,dc=example,dc=com" -s 
> base
>   ldap_create
>   ldap_sasl_interactive_bind_s: user selected: GSSAPI
>   ldap_int_sasl_bind: GSSAPI
>   ldap_new_connection 1 1 0
>   ldap_int_open_connection
>   ldap_connect_to_host: TCP directory.example.con:389
>   ldap_new_socket: 3
>   ldap_prepare_socket: 3
>   ldap_connect_to_host: Trying 10.0.0.10:389
>   ldap_connect_timeout: fd: 3 tm: -1 async: 0
>   ldap_int_sasl_open: host=direcotry.example.com
>   ldap_perror
>   ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
>           additional info: SASL(-4): no mechanism available: No
> worthy mechs found
>
> This is kind of strange, since Ethereal shows that even with minssf=56
> all of kerberos traffic is
> encrypted with aes256-cts-hmac-sha1-96.
The Cyrus SASL GSSAPI module currently doesn't know how to report the 
actual SSF in effect. It is hardcoded to report 56. Some versions assume 
that triple-DES is available and report 112, depending on the Kerberos 
library you compiled with. Anyway, this is not a limitation in OpenLDAP, 
it's a bug in Cyrus SASL.

--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/