[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: SASL EXTERNAL binds and sasl-secprops minssf > 0

To: David Hawes <dhawes@gmail.com>, openldap-technical@openldap.org
Subject: Re: SASL EXTERNAL binds and sasl-secprops minssf > 0
From: Quanah Gibson-Mount <quanah@symas.com>
Date: Mon, 07 Aug 2017 08:37:34 -0700
Content-disposition: inline
In-reply-to: <WM!559a86d85993fe69e7d15f9228f5b49582f8c1fdf6ddc4c60e428b369110f4b55a6fea0385f3623727230fc157acc226!@mailstronghold-2.zmailcloud.com>
References: <CACaXs1tiVWuLP-FtrACP9iJB0ExKRoHNy-ptq8321ZZi_omyAg@mail.gmail.com> <WM!559a86d85993fe69e7d15f9228f5b49582f8c1fdf6ddc4c60e428b369110f4b55a6fea03 85f3623727230fc157acc226!@mailstronghold-2.zmailcloud.com>

--On Saturday, August 05, 2017 3:05 PM -0400 David Hawes <dhawes@gmail.com>wrote:

With ITS #8568 [1], I notice that the first SASL EXTERNAL (using TLS
client auth) bind on a connection succeeds, but subsequent SASL
EXTERNAL binds on the same connection fail with:

slapd[31088]: conn=1009 op=3 RESULT tag=97 err=48 text=SASL(-15):
mechanism too weak for this user: mech EXTERNAL is too weak

Please file an ITS for this, thanks. I would think the expected behaviorfor SASL/EXTERNAL is the SASL SSF matches the TLS SSF, given it's a TLSencrypted connection.


--Quanah



--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>

Follow-Ups:
- Re: SASL EXTERNAL binds and sasl-secprops minssf > 0
  - From: Michael Ströder <michael@stroeder.com>

References:
- SASL EXTERNAL binds and sasl-secprops minssf > 0
  - From: David Hawes <dhawes@gmail.com>

Prev by Date: Re: Openldap Configuration issues
Next by Date: ppolicy issues
Index(es):
- Chronological
- Thread