Re: (ITS#5195) ssf not available during sasl bind
I have now tried:
security tls=128 sasl=128
It didn't work. All the commands below work without
the 'security' option.
ldapsearch -x -ZZ -D "uid=openldap,dc=auth,dc=lubemobile,dc=com,dc=au" -w "$(ssu cat /etc/libnss-ldap.secret)" -b "dc=pwd,dc=lubemobile,dc=com,dc=au" "(uid=it)"
ldap_bind: Confidentiality required (13)
additional info: SASL confidentiality required
Which, when I think about it, may be reasonable. I am
apparently saying I require a sasl ssf of 128, and
obviously I don't have that. This was a surprise
though:
ldapsearch -ZZ -U "openldap" -b "dc=pwd,dc=lubemobile,dc=com,dc=au" "(uid=it)"
ldap_sasl_interactive_bind_s: Confidentiality required (13)
additional info: SASL confidentiality required
Is that a bug?
Anyway, bugs aside, assuming I now have some idea how it
works, it's useless for my application. I want to insist
that userPassword be encrypted when sent and received,
be that via CRAM-MD5 or friends or by using TLS, but clear
text is fine for the rest of the information in the ldap
database, and in fact anonymous unencrypted connections
are the rule for VPN access. The 'security' option
applies to all connections.
Anyway, to state the problem as clearly as I can, I can't
see how to do the following combination of things:
. Allow anonymous access over unencrypted connections
for the bulk of the database.
. Allow simple binds, but they must be over encrypted
connections to protect userPassword.
. Allow sasl binds over unencrypted connections, but
they must not use clear text.
. Not particularly relevant to me, but it would be
nice to allow sasl binds using clear text if they
are over an encrypted connection.
The patch does this of course, but if there is some other
way then the patch is irrelevant, except perhaps from a
usability point of view.
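As an added illustration, not part of the thread and not the author's configuration or patch, the slapd.conf fragment below puts the global `security` line from the message next to the per-operation directives that slapd.conf(5) and slapd.access(5) already document (`security simple_bind=`, `sasl-secprops`, and `tls_ssf=` in an ACL). It covers the first three requirements in the list above: anonymous cleartext reads of the bulk of the tree, simple binds only over TLS, and no cleartext SASL mechanisms. The suffix and the SSF value 128 are assumed for the example. Whether the fourth, nice-to-have, requirement (cleartext SASL mechanisms over a TLS connection) survives `noplain` depends on how the SASL library treats an external SSF, which this thread does not establish; the fragment does not claim to resolve the bind-time ssf problem the patch addresses.

```conf
# Added example, not from the thread. Directive names are from
# slapd.conf(5) and slapd.access(5); the suffix dc=pwd,... and the
# SSF value 128 are assumed for illustration.

# The global form tried in the message. It applies to every operation
# on the connection, so it also refuses anonymous cleartext searches.
#security tls=128 sasl=128

# Per-operation instead: only simple (password) binds must arrive on a
# channel whose SSF is at least 128 (i.e. over TLS); anonymous
# cleartext searches are not affected.
security simple_bind=128

# Hide SASL mechanisms that send the secret in clear (PLAIN, LOGIN) and
# the ANONYMOUS mechanism; challenge/response mechanisms such as
# CRAM-MD5 and DIGEST-MD5 stay available on an unencrypted connection.
sasl-secprops noplain,noanonymous

# userPassword is never readable by anyone, and may only be used for
# authentication (compared during a simple bind) over a TLS session
# providing SSF >= 128.
access to attrs=userPassword
    by tls_ssf=128 auth
    by * none

# Everything else is readable anonymously over any connection, which is
# what the VPN clients rely on.
access to *
    by * read
```

Check the result with the two ldapsearch invocations from the message: the simple bind (`-x -ZZ -D ... -w ...`) should succeed over TLS and fail with "Confidentiality required" when `-ZZ` is dropped, while an anonymous `ldapsearch -x` without `-ZZ` against the same base should still return entries that do not include userPassword.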