Re: ssf settings for SASL and TLS
- To: Dieter Klünter <dieter@dkluenter.de>, openldap-technical@openldap.org
- Subject: Re: ssf settings for SASL and TLS
- From: Joshua Schaeffer <jschaeffer0922@gmail.com>
- Date: Thu, 18 Feb 2016 22:20:16 -0700
- In-reply-to: <20160218111940.27f59ba7@pink.avci.de>
- References: <56C539C4.80200@gmail.com> <20160218111940.27f59ba7@pink.avci.de>
- User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.5.1
On 02/18/2016 03:19 AM, Dieter Klünter wrote:
> On Wed, 17 Feb 2016 20:25:56 -0700,
> Joshua Schaeffer <jschaeffer0922@gmail.com> wrote:
>> What is the proper way to set up SASL and TLS with different security
>> strength factors? I've set up SASL on my OpenLDAP server so that it
>> can connect to my Kerberos server using GSSAPI. I also have TLS set up
>> for simple auth. My database config is below:
>> [...]
>> olcSecurity: sasl=56 simple_bind=256 ssf=256
> ssf=x specifies the overall security; a value of '1' enables security.
> This setting would meet your requirements:
> olcSecurity: ssf=1 sasl=56 tls=256
> -Dieter
I updated olcSecurity and now I get the following when using simple auth:
root@immortal:/var/log/kerberos# ldapsearch -LLL -x -D cn=admin,dc=harmonywave,dc=com -W -H ldap://baneling.harmonywave.com/????starttls -b dc=harmonywave,dc=com
Enter LDAP Password:
ldap_bind: Confidentiality required (13)
additional info: SASL confidentiality required
I see this in the logs:
Feb 18 22:19:04 baneling slapd[22171]: conn=1005 fd=15 ACCEPT from IP=10.1.10.12:55750 (IP=0.0.0.0:389)
Feb 18 22:19:04 baneling slapd[22171]: conn=1005 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Feb 18 22:19:04 baneling slapd[22171]: conn=1005 op=0 STARTTLS
Feb 18 22:19:04 baneling slapd[22171]: conn=1005 op=0 RESULT oid= err=0 text=
Feb 18 22:19:04 baneling slapd[22171]: conn=1005 fd=15 TLS established tls_ssf=256 ssf=256
Feb 18 22:19:08 baneling slapd[22171]: conn=1005 op=1 BIND dn="cn=admin,dc=harmonywave,dc=com" method=128
Feb 18 22:19:08 baneling slapd[22171]: conn=1005 op=1 RESULT tag=97 err=13 text=SASL confidentiality required
Feb 18 22:19:08 baneling slapd[22171]: conn=1005 op=2 UNBIND
Feb 18 22:19:08 baneling slapd[22171]: conn=1005 fd=15 closed
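The following is an added example, not code from OpenLDAP or from either poster in this thread. It models how slapd applies an olcSecurity value to an operation and replays the log lines above (copied here as constructed sample input) against a given setting, so that the logged err=13 result can be compared with what the model predicts. The ordering of the checks and the result texts follow my reading of slapd's backend_check_restrictions() and are an assumption, as is treating the connection's overall ssf as the strongest of its transport, TLS and SASL layers; the bind method codes (128 = simple, 163 = SASL) are the standard LDAP values. With `ssf=1 sasl=56 tls=256` and a simple bind over TLS the model returns "SASL confidentiality required", matching the log, because a simple bind carries a SASL ssf of 0 and the sasl= floor is checked for every operation other than a SASL bind itself.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the slapd log lines from the thread, verbatim.
SAMPLE_LOG = """\
Feb 18 22:19:04 baneling slapd[22171]: conn=1005 fd=15 ACCEPT from IP=10.1.10.12:55750 (IP=0.0.0.0:389)
Feb 18 22:19:04 baneling slapd[22171]: conn=1005 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Feb 18 22:19:04 baneling slapd[22171]: conn=1005 op=0 STARTTLS
Feb 18 22:19:04 baneling slapd[22171]: conn=1005 op=0 RESULT oid= err=0 text=
Feb 18 22:19:04 baneling slapd[22171]: conn=1005 fd=15 TLS established tls_ssf=256 ssf=256
Feb 18 22:19:08 baneling slapd[22171]: conn=1005 op=1 BIND dn="cn=admin,dc=harmonywave,dc=com" method=128
Feb 18 22:19:08 baneling slapd[22171]: conn=1005 op=1 RESULT tag=97 err=13 text=SASL confidentiality required
Feb 18 22:19:08 baneling slapd[22171]: conn=1005 op=2 UNBIND
Feb 18 22:19:08 baneling slapd[22171]: conn=1005 fd=15 closed
"""

LDAP_CONFIDENTIALITY_REQUIRED = 13


@dataclass
class Security:
    """Requirements parsed from an olcSecurity value; unset keys default to 0."""
    ssf: int = 0
    transport: int = 0
    tls: int = 0
    sasl: int = 0
    simple_bind: int = 0


@dataclass
class Connection:
    """Per-connection strength factors; slapd logs tls_ssf and the overall ssf."""
    transport_ssf: int = 0
    tls_ssf: int = 0
    sasl_ssf: int = 0

    @property
    def ssf(self) -> int:
        # Assumption: the overall ssf is the strongest protection layer present.
        return max(self.transport_ssf, self.tls_ssf, self.sasl_ssf)


def parse_security(value: str) -> Security:
    """Parse 'ssf=1 sasl=56 tls=256' into a Security, rejecting unknown keys."""
    sec = Security()
    for token in value.split():
        key, sep, num = token.partition("=")
        if not sep or key not in Security.__dataclass_fields__:
            raise ValueError(f"unsupported olcSecurity token: {token!r}")
        setattr(sec, key, int(num))
    return sec


def check_restrictions(sec: Security, conn: Connection, op: str) -> tuple[int, str]:
    """Return (err, text) as modelled on slapd; op is 'simple_bind', 'sasl_bind' or 'other'."""
    if sec.ssf > conn.ssf:
        return LDAP_CONFIDENTIALITY_REQUIRED, "confidentiality required"
    if sec.transport > conn.transport_ssf:
        return LDAP_CONFIDENTIALITY_REQUIRED, "transport confidentiality required"
    if sec.tls > conn.tls_ssf:
        return LDAP_CONFIDENTIALITY_REQUIRED, "TLS confidentiality required"
    if op == "simple_bind" and sec.simple_bind > conn.ssf:
        return LDAP_CONFIDENTIALITY_REQUIRED, "confidentiality required"
    # The sasl= floor is applied to everything except a SASL bind itself, so a
    # simple bind (SASL ssf 0) can never satisfy sasl=N for any N above 0.
    if op != "sasl_bind" and sec.sasl > conn.sasl_ssf:
        return LDAP_CONFIDENTIALITY_REQUIRED, "SASL confidentiality required"
    return 0, ""


TLS_RE = re.compile(r"conn=(\d+) fd=\d+ TLS established tls_ssf=(\d+) ssf=(\d+)")
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="[^"]*" method=(\d+)')
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+) text=(.*)$")


def replay_log(log: str, olc_security: str) -> list[dict]:
    """Track each connection's layers through the log and compare every logged
    bind result with what the model predicts for the given olcSecurity value."""
    sec = parse_security(olc_security)
    conns: dict[str, Connection] = {}
    bind_kind: dict[tuple[str, str], str] = {}
    findings = []
    for line in log.splitlines():
        if m := TLS_RE.search(line):
            conns.setdefault(m[1], Connection()).tls_ssf = int(m[2])
        elif m := BIND_RE.search(line):
            # method=128 is a simple (password) bind, 163 is a SASL bind
            bind_kind[(m[1], m[2])] = "simple_bind" if m[3] == "128" else "sasl_bind"
        elif m := RESULT_RE.search(line):  # tag=97 is a bind response
            op = bind_kind.get((m[1], m[2]), "other")
            conn = conns.get(m[1], Connection())
            err, text = check_restrictions(sec, conn, op)
            findings.append({"conn": m[1], "op": op, "conn_ssf": conn.ssf,
                             "logged": (int(m[3]), m[4]), "model": (err, text)})
    return findings


if __name__ == "__main__":
    for f in replay_log(SAMPLE_LOG, "ssf=1 sasl=56 tls=256"):
        print(f)
```

Running the replay with the suggested `ssf=1 sasl=56 tls=256` reproduces the logged `(13, 'SASL confidentiality required')` for op=1; dropping the sasl= token, or performing a SASL bind that negotiates a SASL ssf of at least 56, makes the same connection pass the model's checks.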