[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: minssf more then 56

Hai Zaar wrote:
Dear, list!

I'm using OpenLDAP with SASL GSSAPI.

If I leave minssf to be 56, all works smoothly, but when trying to set
minssf to something more then 56, for example 112, 128 or 256, I get
the following error:

ldapsearch -d 1 -Y GSSAPI -b "uid=foo,ou=people,dc=example,dc=com" -s base
ldap_sasl_interactive_bind_s: user selected: GSSAPI
ldap_int_sasl_bind: GSSAPI
ldap_new_connection 1 1 0
ldap_connect_to_host: TCP directory.example.con:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_int_sasl_open: host=direcotry.example.com
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available: No
worthy mechs found

This is kind of strange, since Ethereal shows that even with minssf=56
all of kerberos traffic is
encrypted with aes256-cts-hmac-sha1-96.

The Cyrus SASL GSSAPI module currently doesn't know how to report the actual SSF in effect. It is hardcoded to report 56. Some versions assume that triple-DES is available and report 112, depending on the Kerberos library you compiled with. Anyway, this is not a limitation in OpenLDAP, it's a bug in Cyrus SASL.

  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/