[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: (ITS#5195) ssf not available during sasl bind
--On Friday, October 26, 2007 9:47 AM +0000 russell-openldap@stuart.id.au
wrote:
> I have now tried:
>
> security tls=128 sasl=128
>
> It didn't work. All the commands below work without
> the 'security' option.
This says: Require a TLS section of 128 bit security AND SASL security of
128.
> ldapsearch -x -ZZ -D "uid=openldap,dc=auth,dc=lubemobile,dc=com,dc=au"
> -w "$(ssu cat /etc/libnss-ldap.secret)" -b
> "dc=pwd,dc=lubemobile,dc=com,dc=au" "(uid=it)" ldap_bind:
You aren't using SASL here. So of course it fails.
> Which, when I think about it may be reasonable. I am
> apparently saying I require a sasl ssf of 128, and
> obviously I don't have that. This was a surprise
> though:
Right.
> ldapsearch -ZZ -U "openldap" -b "dc=pwd,dc=lubemobile,dc=com,dc=au"
> "(uid=it)" ldap_sasl_interactive_bind_s: Confidentiality required (13)
> additional info: SASL confidentiality required
>
> Is that a bug?
I suggest reading the part on sasl-secprops in the slapd.conf (5) man page.
It notes that the default is to setting is to block anonymous and plain
SASL binds.
> Anyway, bugs aside, assuming I now have some idea how it
> works its useless for my application. I want to insist
> that userPassword to be encrypted when sent and received,
> be that via CRAM-MD5 or friends or by using TLS, but clear
> text is fine for the rest of the information in the ldap
> database, and in fact anonymous connections unencrypted
> connections are the rule for VPN access. The 'security'
> option applies to all connections.
access to userPassword
by users read sasl_ssf=128 break
by users read tls=128
I think might do it.
> Anyway, to state the problem as clearly as I can, I can't
> see how to do the following combination of things:
>
> . Allow anonymous access over unencrypted connections
> for the bulk of the database.
Above acl followed by
access to *
by * read
(or however else limited).
> . Allow simple binds, but they must be over encrypted
> connections to protect userPassword.
See above ACL.
> . Allow sasl binds over unencrypted connections, but
> the must not use clear text.
Read the sasl-secprops setting.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration