[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#5195) ssf not available during sasl bind

--On Friday, October 26, 2007 9:47 AM +0000 russell-openldap@stuart.id.au 

> I have now tried:
>   security tls=128 sasl=128
> It didn't work.  All the commands below work without
> the 'security' option.

This says: Require a TLS section of 128 bit security AND SASL security of 

>   ldapsearch -x -ZZ -D "uid=openldap,dc=auth,dc=lubemobile,dc=com,dc=au"
> -w "$(ssu cat /etc/libnss-ldap.secret)" -b
> "dc=pwd,dc=lubemobile,dc=com,dc=au" "(uid=it)"   ldap_bind:

You aren't using SASL here.  So of course it fails.

> Which, when I think about it may be reasonable.  I am
> apparently saying I require a sasl ssf of 128, and
> obviously I don't have that.  This was a surprise
> though:


>   ldapsearch -ZZ -U "openldap" -b "dc=pwd,dc=lubemobile,dc=com,dc=au"
> "(uid=it)"   ldap_sasl_interactive_bind_s: Confidentiality required (13)
>         additional info: SASL confidentiality required
> Is that a bug?

I suggest reading the part on sasl-secprops in the slapd.conf (5) man page. 
It notes that the default is to setting is to block anonymous and plain 
SASL binds.

> Anyway, bugs aside, assuming I now have some idea how it
> works its useless for my application.  I want to insist
> that userPassword to be encrypted when sent and received,
> be that via CRAM-MD5 or friends or by using TLS, but clear
> text is fine for the rest of the information in the ldap
> database, and in fact anonymous connections unencrypted
> connections are the rule for VPN access.  The 'security'
> option applies to all connections.

access to userPassword
	by users read sasl_ssf=128 break
	by users read tls=128

I think might do it.

> Anyway, to state the problem as clearly as I can, I can't
> see how to do the following combination of things:
>   . Allow anonymous access over unencrypted connections
>     for the bulk of the database.

Above acl followed by

access to *
	by * read

(or however else limited).

>   . Allow simple binds, but they must be over encrypted
>     connections to protect userPassword.

See above ACL.

>   . Allow sasl binds over unencrypted connections, but
>     the must not use clear text.

Read the sasl-secprops setting.



Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
Zimbra ::  the leader in open source messaging and collaboration