ssf settings for SASL and TLS
- To: openldap-technical@openldap.org
- Subject: ssf settings for SASL and TLS
- From: Joshua Schaeffer <jschaeffer0922@gmail.com>
- Date: Wed, 17 Feb 2016 20:25:56 -0700
- User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.5.1
What is the proper way to set up SASL and TLS with different security strength factors? I've set up SASL on my OpenLDAP server so that it can connect to my Kerberos server using GSSAPI. I also have TLS set up for simple auth. My database config is below:
root@baneling:~/ldif_files# slapcat -H "ldap:///olcDatabase={1}mdb,cn=config??base?"
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=harmonywave,dc=com
olcAccess: {0}to attrs=userPassword,shadowLastChange,krbPrincipalKey by self
  write by anonymous auth by dn="cn=admin,dc=harmonywave,dc=com" write by *
  none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=harmonywave,dc=com
olcRootPW:: e1NTSEF9dUhDcE1jUUJoWlpuc0twRHBNQkVCUGtmTFA5SC9EYUU=
olcDbCheckpoint: 512 30
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: member,memberUid eq
olcDbIndex: sudoUser eq
olcDbIndex: krbPrincipalName eq,pres,sub
olcDbMaxSize: 1073741824
structuralObjectClass: olcMdbConfig
entryUUID: caa04334-6857-1035-9fbb-dd6671002504
creatorsName: cn=admin,cn=config
createTimestamp: 20160215174631Z
olcSecurity: sasl=56 simple_bind=256 ssf=256
entryCSN: 20160218030327.503814Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20160218030327Z
When I set the security to "olcSecurity: sasl=56 simple_bind=256" then I can bind with SASL or simple auth. However, if I set ssf=256 (or really anything higher than 56), like in the above configuration, I get an error when trying to bind with SASL:
root@baneling:~/ldif_files# ldapsearch -LLL -Y GSSAPI -H ldapi:/// -b dc=harmonywave,dc=com -s base
SASL/GSSAPI authentication started
SASL username: jschaeffer@HARMONYWAVE.COM
SASL SSF: 56
SASL data security layer installed.
Confidentiality required (13)
Additional information: stronger confidentiality required
If I set tls instead of ssf to any number (tls=1 or greater) then I get a slightly different error message when trying to bind with SASL:
root@baneling:~/ldif_files# ldapsearch -LLL -Y GSSAPI -H ldapi:/// -b dc=harmonywave,dc=com -s base
SASL/GSSAPI authentication started
SASL username: jschaeffer@HARMONYWAVE.COM
SASL SSF: 56
SASL data security layer installed.
Confidentiality required (13)
Additional information: TLS confidentiality required
It looks like slapd has its own preference when parsing through olcSecurity. I'm really just trying to understand the preferred method for setting this up. Perhaps this isn't a real-world situation or perhaps I already answered my own question by setting just sasl and simple_bind.
Thanks,
Joshua