
Re: (ITS#5195) ssf not available during sasl bind



russell-openldap@stuart.id.au wrote:
> In one sense you are correct: the userPassword read
> by slap_auxprop_lookup will never be revealed.  And
> so yes, the ssf for the results of that search would
> be infinity.
> 
> But what I want to check is the weakest link in the
> chain.  I can't imagine any instance when that isn't
> what you would want to check, so that is what the
> ssf should reflect.  By definition, the
> slap_auxprop_lookup can never be the weakest link.
> The weakest link in this case is when sasl sent the
> password to slapd.  Really, what I want to say is if
> the password was sent in the clear, whether it be by
> sasl or simple auth, then the link must be encrypted.
> 
> The patch makes the information required to do that
> test available.

Using ACLs to enforce this requirement is the wrong approach though. You 
should just use the "security" directive instead. With your approach you're 
missing the fact that SASL may not have sent any password at all to slapd 
(e.g., when using DIGEST-MD5 or an OTP mechanism). As such, you're imposing a 
constraint that makes no sense.
-- 
   -- Howard Chu
   Chief Architect, Symas Corp.  http://www.symas.com
   Director, Highland Sun        http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP     http://www.openldap.org/project/
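As an illustration of the two approaches contrasted above (an added example, not configuration posted by either participant), here is a slapd.conf fragment showing the ACL-based check beside the "security" directive. The SSF value 128 and the suffix/attribute names are assumed for illustration; the directive keywords (`security`, `simple_bind=`, `ssf=`, `sasl=`) and the `by ssf=<n>` ACL clause are documented in slapd.conf(5) and slapd.access(5).

```conf
# --- The ACL approach being argued against ---
# This checks the connection's SSF at the time the userPassword
# attribute is READ. For a SASL bind that read is the internal
# slap_auxprop_lookup, which is never exposed on the wire, so
# gating it on SSF does not test the step that actually carried
# the secret. It also blocks DIGEST-MD5 and OTP binds on a plain
# connection even though no password was sent in the clear.
# (Assumed suffix and SSF value; illustrative only.)
access to attrs=userPassword
        by ssf=128 self write
        by ssf=128 anonymous auth
        by * none

# --- The "security" directive approach recommended in the reply ---
# simple_bind=128: a simple bind (password sent in the clear on
#                  the wire) is refused unless the session already
#                  has SSF >= 128, e.g. from TLS or a SASL layer.
# A SASL bind with DIGEST-MD5 or an OTP mechanism is NOT subject to
# simple_bind=, because the password itself never crosses the wire.
security simple_bind=128

# Optional stricter variants, also from slapd.conf(5):
#   security ssf=128          # minimum SSF for any operation at all
#   security sasl=128         # minimum SSF the SASL layer itself must provide
#   security update_ssf=128   # minimum SSF for write operations only
```

The practical difference is the failure mode: with `security simple_bind=128`, a cleartext simple bind over an unprotected connection is rejected with a confidentiality-required error before the password is ever consulted, while SASL mechanisms that do not transmit the password continue to work on the same connection. The ACL version instead couples the check to an internal attribute read whose own SSF is not the property being protected.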