
Re: ssf settings for SASL and TLS



That did the trick. Thanks for pointing out that I also need to use SASL with TLS. I don't know why, but for some reason I was keeping the two separate in my mind.

On 02/20/2016 07:59 PM, Quanah Gibson-Mount wrote:
--On Saturday, February 20, 2016 7:28 PM -0700 Joshua Schaeffer <jschaeffer0922@gmail.com> wrote:


Yes, I surmised as much. But how do I tell slapd to use the TLS settings when I do a simple auth and the SASL settings when I do a SASL auth? Can you point me to the man pages that explain this?

Set this correctly:
       olcSaslSecProps: <properties>
              Used to specify Cyrus SASL security properties. The none flag
              (without any other properties) causes the flag properties
              default, "noanonymous,noplain", to be cleared. The noplain flag
              disables mechanisms susceptible to simple passive attacks. The
              noactive flag disables mechanisms susceptible to active attacks.
              The nodict flag disables mechanisms susceptible to passive
              dictionary attacks. The noanonymous flag disables mechanisms
              which support anonymous login. The forwardsec flag requires
              forward secrecy between sessions. The passcred flag requires
              mechanisms which pass client credentials (and allows mechanisms
              which can pass credentials to do so). The minssf=<factor>
              property specifies the minimum acceptable security strength
              factor as an integer approximate to effective key length used
              for encryption. 0 (zero) implies no protection, 1 implies
              integrity protection only, 56 allows DES or other weak ciphers,
              112 allows triple DES and other strong ciphers, 128 allows RC4,
              Blowfish and other modern strong ciphers. The default is 0.
              The maxssf=<factor> property specifies the maximum acceptable
              security strength factor as an integer (see minssf description).
              The default is INT_MAX. The maxbufsize=<size> property
              specifies the maximum security layer receive buffer size
              allowed. 0 disables security layers. The default is 65536.

Then only set the tls SSF in olcSecurity (drop the SASL SSF).  Make sure your SASL binds *also* use TLS.  Then you're covered.

--Quanah



--

Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
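The configuration Quanah describes, written out as a cn=config change. This is an added example, not from the thread or the OpenLDAP project; it assumes slapd is running with cn=config and with TLS already set up, and the SSF value 128 is illustrative.

```ldif
# Added example (not from the thread). Assumes cn=config and a working TLS
# setup; the SSF value 128 is illustrative.
#
# Before (the pattern the thread warns against): "sasl=128" in olcSecurity
# asks for a 128-bit SASL *security layer*, which is separate from TLS, so a
# SASL bind over a TLS connection is still refused unless the mechanism
# itself negotiates such a layer.
#
#   olcSecurity: sasl=128 tls=128
#
# After: put the SASL minimum in olcSaslSecProps (Cyrus SASL credits the
# TLS SSF toward minssf when the bind arrives over TLS), keep only the TLS
# requirement in olcSecurity, and make every SASL bind use TLS.
dn: cn=config
changetype: modify
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,noplain,minssf=128
-
replace: olcSecurity
olcSecurity: tls=128
```

Apply it with `ldapmodify -Y EXTERNAL -H ldapi:/// -f secprops.ldif` and then confirm a SASL bind succeeds only over StartTLS, e.g. `ldapwhoami -ZZ -Y DIGEST-MD5 -H ldap://ldap.example.com/` (hostname is a placeholder), with the same command without `-ZZ` being refused.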