
Re: (ITS#5195) ssf not available during sasl bind



quanah@zimbra.com wrote:
> --On Monday, October 29, 2007 5:08 PM +0000 h.b.furuseth@usit.uio.no wrote:
> 
> 
>> Also, repeating an old point, remember that the "security" keyword
>> produces better error messages ("Confidentiality required") than
>> "access ... ssf=..." ("Insufficient access" for updates, "Invalid
>> credentials" for Bind).  With the latter, the user likely thinks
>> he mistyped the password and sends it again unencrypted.

> The problem with the security directive that the user ran into, however, I
> don't see a way to get around.  Which is there is no "OR" support.  I.e.,
> you can't say, I want the user to have a TLS of 128 OR SASL SSF of 128.  If
> you specify both, both are required.

You really need to read more carefully. If you only care about the overall 
SSF, regardless of whether it's from TLS or SASL, then just use the "ssf" factor.
-- 
   -- Howard Chu
   Chief Architect, Symas Corp.  http://www.symas.com
   Director, Highland Sun        http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP     http://www.openldap.org/project/
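
The two forms discussed in this thread, written out as slapd.conf(5) `security` lines. This is an added illustration, not configuration posted by anyone in the thread; the value 128 is the one from the quoted message, and the two lines are alternatives, not meant to be used together.

```conf
# Alternative 1: per-layer factors.
# Every factor listed is enforced independently, so this requires
# TLS strength >= 128 AND SASL strength >= 128 on the same connection.
# A client with strong TLS but a simple bind (no SASL layer) is refused.
security tls=128 sasl=128

# Alternative 2: overall factor.
# "ssf" is the overall strength of the connection, whichever layer
# supplies it, so strong TLS alone or a strong SASL layer alone passes.
# This gives the "TLS of 128 OR SASL SSF of 128" behaviour asked about.
security ssf=128
```

Either form keeps the "security" keyword, so a client that falls short gets the "Confidentiality required" style of error described earlier in the thread rather than "Invalid credentials".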