Re: sasl-secprops' minssf not setting SASL SSF correctly

--On Tuesday, September 09, 2008 6:14 AM -0700 PGNet <pgnet.trash@gmail.com> wrote:

Re-read what the slapd.conf(5) man page says.

That's unhelpful. It's, of course, already been read.

man slapd.conf
minssf=<factor>  property  specifies the minimum acceptable security
strength factor
maxssf=<factor>  property  specifies the maximum acceptable security
strength factor

Reads to me like "SASL SSF" is set by min/maxssf. It certainly affects it.
Unfortunately, in a manner that's confusing.

If you have some helpful clarification, please state it.

Nowhere does it say there that it sets the minimum SSF of connections. It says it specifies the minimum or maximum acceptable SSF. I.e., if you set the minimum SSF to 128, and an incoming connection only uses 56, then XYZ won't be usable.

I've generally used this type of restriction more with ACLs, such as:

by dn.base="cn=xyz,dc=example,dc=com" sasl_ssf=56 read

because some things (Java, for example) default the SSF to 0.
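
The two approaches discussed in this thread, side by side, as an added slapd.conf sketch that is not part of the original message. The `ou=people` subtree and the chosen values are constructed for illustration; the `cn=xyz` DN and `sasl_ssf=56` come from the message above.

```conf
# Constructed slapd.conf fragment; ou=people,dc=example,dc=com is a placeholder.

# Approach A: a server-wide floor on the SASL strength slapd will accept.
# noanonymous,noplain are the documented default flags, restated explicitly.
# With this line active, a SASL bind that can only reach SSF 56 is refused
# for every identity, not just for selected entries.
#sasl-secprops noanonymous,noplain,minssf=128

# Approach B: keep the floor permissive and require strength per ACL.
# Clients whose SASL SSF is 0 can still bind; they simply do not match
# the clause that carries the sasl_ssf requirement.
sasl-secprops noanonymous,noplain,minssf=0

access to dn.subtree="ou=people,dc=example,dc=com"
    # Matches only when the bound DN is cn=xyz AND the SASL layer of the
    # connection provides an SSF of at least 56.
    by dn.base="cn=xyz,dc=example,dc=com" sasl_ssf=56 read
    # cn=xyz over a weaker SASL layer, and everyone else, ends up here.
    by * none
```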



