Re: sasl-secprops' minssf not setting SASL SSF correctly

[Quanah Gibson-Mount <quanah@zimbra.com>]

--On Tuesday, September 09, 2008 6:14 AM -0700 PGNet 
<pgnet.trash@gmail.com> wrote:

> > Re-read what the slap.conf(5) man page says.
>
> That's unhelpful.  It's of course, already been read.
>
> man slapd.conf
> ...
> minssf=<factor>  property  specifies the minimum acceptable security
> strength factor
> ...
> maxssf=<factor>  property  specifies the maximum acceptable security
> strength factor
> ...
>
> Reads to me like "SASL SSF" is set by min/maxssf. It certainly affects it.
> Unfortuntely, in a manner that's confusing.
>
> If have some helpful clarification, please state it.

No where does it say there that it sets the minimum SSF of connections.  It 
says it specifies the minimum or maximum acceptable SSF.  I.e., if you set 
the minimum SSF to 128, and an incoming connection only uses 56, then XYZ 
won't be usable.

I've generally used this type of restriction more with ACLs, such as:

by dn.base="cn=xyz,dc=example,dc=com" sasl_ssf=56 read

because some things (java, for example) default the SSF to 0.

--Quanah

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration