[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#5195) ssf not available during sasl bind

russell-openldap@stuart.id.au wrote:
> On Mon, 2007-10-29 at 18:07 +0100, Hallvard B Furuseth wrote:
>> No, you've forced users who authenticate against userPassword
>> to be encrypted.  Not all SASL methods, nor auth with rootpw.
> Thats a worry.  Rootpw aside, the intended objective of
> the ACL was to ensure passwords were never sent in the
> clear.  Either a protocol like CRAM-MD5 was used, or the
> entire link is encrypted.

By the way, CRAM-MD5 has a few known weaknesses. Should use DIGEST-MD5 
instead. http://www.ietf.org/rfc/rfc2831.txt (For what that's worth. Given 
that methods exist to create MD5 collisions, it's not clear how much longer 
DIGEST-MD5 will be useful.)

> Does it not do that?  (Actually
> it doesn't.  It should have been sasl_ssf=71.  But bugs
> aside ...)
> Secondly, just out of curiosity, are there SASL methods
> that check a shared secret of some kind and don't use
> userPassword?  What are they?
> The "security" option may produce better error messages
> by it appears to apply to all connections, including
> lookups done by SASL to dn="" to discover what mechanisms
> are allowed.  It wasn't at all obvious to a newbie like me
> that this sentence from "man 1 ldapsearch" only applies
> if you don't use the "security" option:
>   "-Y mech .... If it's not  specified, the program will
>   choose the best mechanism the server knows."

Perhaps we should add a security option to separately specify the SSF for 
anonymous sessions.
   -- Howard Chu
   Chief Architect, Symas Corp.  http://www.symas.com
   Director, Highland Sun        http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP     http://www.openldap.org/project/