
Re: (ITS#5195) ssf not available during sasl bind



quanah@zimbra.com writes:
> access to userPassword
> 	by anonymous auth sasl_ssf=128 break
> 	by anonymous auth tls=128
> 	by self read
>
> (At this point, you've forced any user to be encrypted,

No, you've forced users who authenticate against userPassword
to be encrypted.  Not all SASL methods, nor auth with rootpw.

Also, repeating an old point, remember that the "security" keyword
produces better error messages ("Confidentiality required") than
"access ... ssf=..." ("Insufficient access" for updates, "Invalid
credentials" for Bind).  With the latter, the user likely thinks
he mistyped the password and sends it again unencrypted.

Come to think of it, I guess I should insert that in the slapd.access(5)
manpage.

> so no need to duplicate the requirements on the read access).

-- 
Regards,
Hallvard
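
The contrast drawn in the message above, as an added slapd.conf fragment that is not part of the original thread. The 128 threshold is taken from the quoted ACL; the ACL is rewritten in slapd.access(5) syntax, and placing the `security` line in the global section is an assumption. Only the simple-bind factor is shown.

```conf
# Added illustration, not from the thread. Database and suffix lines omitted.

# (a) ACL-only enforcement, after the quoted rule.
#     A simple Bind on a connection whose SSF is below 128 is denied auth
#     access to userPassword, so the client sees "Invalid credentials",
#     the same answer it gets for a mistyped password.
access to attrs=userPassword
	by anonymous tls_ssf=128 auth
	by self read

# (b) The "security" keyword.
#     A simple Bind below SSF 128 is refused with "Confidentiality required"
#     (LDAP result code 13), so the client is told the connection is the
#     problem, not the password.
security simple_bind=128
```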