[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#8708) SASL EXTERNAL binds and sasl-secprops minssf

To: openldap-its@OpenLDAP.org
Subject: (ITS#8708) SASL EXTERNAL binds and sasl-secprops minssf
From: dhawes@gmail.com
Date: Tue, 08 Aug 2017 18:08:27 +0000
Auto-submitted: auto-generated (OpenLDAP-ITS)

Full_Name: David Hawes
Version: 2.4.45
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (2001:468:c80:2103:0:523:da5e:da5e)


With ITS #8568 [1], I notice that the first SASL EXTERNAL (using TLS
client auth) bind on a connection succeeds, but subsequent SASL
EXTERNAL binds on the same connection fail with:

slapd[31088]: conn=1009 op=3 RESULT tag=97 err=48 text=SASL(-15):
mechanism too weak for this user: mech EXTERNAL is too weak

when:

sasl-secprops minssf=128

In previous OpenLDAP versions, both the initial and subsequent SASL
EXTERNAL binds succeed due to the bug in #8568.

This was a misconfiguration on my part (I should have kept the default
of 0), but I wonder if the initial SASL bind should also fail. It
seems to succeed because tls_ssf is used in connection.c:

slap_sasl_external( c, c->c_tls_ssf, &authid );


[1] http://www.openldap.org/its/index.cgi/Software%20Bugs?id=8568;selectid=8568

Prev by Date: Re: (ITS#8707) slapd: Add systemd service notification support
Next by Date: Re: (ITS#8707) slapd: Add systemd service notification support
Index(es):
- Chronological
- Thread