
Re: sasl-secprops' minssf not setting SASL SSF correctly

> Nowhere does it say there that it sets the minimum SSF of connections.

Stating what it doesn't say is unhelpful.

My question is posed because of my misunderstanding of what it does say.

> It
> says it specifies the minimum or maximum acceptable SSF.  I.e., if you set
> the minimum SSF to 128, and an incoming connection only uses 56, then XYZ
> won't be usable.

The distinction between "minimum SSF" and "minimum acceptable SSF" is
somewhat non-obvious, and still lost on me.

> I've generally used this type of restriction more with ACLs, such as:
> by dn.base="cn=xyz,dc=example,dc=com" sasl_ssf=56 read

There's no mention of 'sasl_ssf' in 'man slapd.conf'; rather, only in
'man slapd.access'.

Where, it states:

  sasl_ssf=<n> set the minimum required Security Strength
         Factor (ssf) needed to grant access

On the 'man slapd.conf' page,

  minssf=<factor> property specifies the minimum acceptable security
strength factor as an integer approximate to effective key length used
for encryption

Again, the difference is completely unclear.  Perhaps someone else
might take a helpful stab at clarifying the diff?

In the context of my originally posted question, rephrased:

Why does *addition* of "maxssf=256" (the maximum acceptable security
strength factor) to "sasl-secprops ..." cause the 'SASL SSF' reported
by "ldapwhoami -ZZ" to change from

   SASL SSF: 56 --> SASL SSF: 0