
Re: (ITS#5195) ssf not available during sasl bind



On Fri, 2007-10-26 at 19:59 -0700, Quanah Gibson-Mount wrote:
> >   ldapsearch -ZZ -U "openldap" -b "dc=pwd,dc=lubemobile,dc=com,dc=au" "(uid=it)"
> >   ldap_sasl_interactive_bind_s: Confidentiality required (13)
> >         additional info: SASL confidentiality required
> >
> > Is that a bug?
> 
> 
> I suggest reading the part on sasl-secprops in the slapd.conf(5) man page.
> It notes that the default setting is to block anonymous and plain
> SASL binds.

I suspect you are right in that that is the cause of the
problem because a -Y DIGEST-MD5 fixes it.  But, as
I said, it worked before the security option was
added.  It worked because DIGEST-MD5 was the default.
So why isn't it the default now?

Now that you have pointed it out, I guess that the 
addition of the 'security'  option prevented SASL 
from searching dn="" for the types of authentications 
supported.  

> access to userPassword
> 	by users read sasl_ssf=128 break
> 	by users read tls=128
> 
> I think might do it.

You would think that would do it - certainly I did.  But
you would be wrong.  Currently it doesn't, and that is
what this ITS is about.  The patch I supplied with the
initial bug report changes things so it does work.