[Date Prev][Date Next] [Chronological] [Thread] [Top]

sasl-secprops' minssf not setting SASL SSF correctly

In 'man slapd.conf',

       sasl-secprops <properties>
          ... minssf=<factor... The default is  0.

If I set values in /etc/openldap/slapd.conf, and test security layer strength,

(1) sasl-secprops noanonymous,noplain,noactive

       ldapwhoami -ZZ
               SASL SSF: 56

(2) sasl-secprops noanonymous,noplain,noactive,minssf=128

       ldapwhoami -ZZ
               SASL SSF: 56

(3) sasl-secprops noanonymous,noplain,noactive,minssf=128,maxssf=256

       ldapwhoami -ZZ
               SASL SSF: 0

I'd expected for the 3 cases,

       (1) SASL SSF: 0   <- default
       (2) SASL SSF: 128 <- set by minssf
       (3) SASL SSF: 128 <- set by minssf

Am I correct in my understanding that "SASL SSF" is supposed to track
with the sasl-secprops properties?

If yes, is there more config required? A bug, maybe?

If no, how do I correctcly set/verify SASL SSF strength?



I fell across a 2-year old, seemingly-relevant post:


 "The Cyrus SASL GSSAPI module currently doesn't know how to report
the actual SSF in effect. It is hardcoded to report 56. Some versions
assume that triple-DES is available and report 112, depending on the
Kerberos library you compiled with. Anyway, this is not a limitation
in OpenLDAP, it's a bug in Cyrus SASL."

Could what I'm seeing be the result of this as yet (still) unresolved bug?