
Re: ssf settings for SASL and TLS



On Thu, 18 Feb 2016 22:20:16 -0700, Joshua Schaeffer <jschaeffer0922@gmail.com> wrote:

> On 02/18/2016 03:19 AM, Dieter Klünter wrote:
> > On Wed, 17 Feb 2016 20:25:56 -0700, Joshua Schaeffer <jschaeffer0922@gmail.com> wrote:
> >
> >> What is the proper way to setup SASL and TLS with different
> >> security strength factors? I've setup SASL on my OpenLDAP server
> >> so that it can connect to my Kerberos server using GSSAPI. I also
> >> have TLS setup for simple auth. My database config is below:
> > [...]
> >> olcSecurity: sasl=56 simple_bind=256 ssf=256
> >
> > ssf=x specifies the overall security; a value of '1' enables security.
> > This setting would meet your requirements:
> > olcSecurity: ssf=1 sasl=56 tls=256
> >
> >
> > -Dieter
> >
> 
> I updated olcSecurity and now I get the following when using simple
> auth:
> 
> root@immortal:/var/log/kerberos# ldapsearch -LLL -x -D cn=admin,dc=harmonywave,dc=com -W -H ldap://baneling.harmonywave.com/????starttls -b dc=harmonywave,dc=com
> Enter LDAP Password:
> ldap_bind: Confidentiality required (13)
> 	additional info: SASL confidentiality required
> 
> I see this in the logs:
> 
> Feb 18 22:19:04 baneling slapd[22171]: conn=1005 fd=15 ACCEPT from IP=10.1.10.12:55750 (IP=0.0.0.0:389)
> Feb 18 22:19:04 baneling slapd[22171]: conn=1005 op=0 EXT oid=1.3.6.1.4.1.1466.20037
> Feb 18 22:19:04 baneling slapd[22171]: conn=1005 op=0 STARTTLS
> Feb 18 22:19:04 baneling slapd[22171]: conn=1005 op=0 RESULT oid= err=0 text=
> Feb 18 22:19:04 baneling slapd[22171]: conn=1005 fd=15 TLS established tls_ssf=256 ssf=256
[...]

You still have an overall security ssf=256 and it seems your TLS session
used a key length lower than 256 bit, check your TLS configuration.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
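A small checker added here (not code from the thread or from OpenLDAP) that reads an olcSecurity value together with the "TLS established" line slapd logs for a connection and reports which requirement a simple bind on that connection would fail. The semantics it applies (ssf is checked against the overall strength, tls against tls_ssf, simple_bind against the overall strength, sasl only for SASL binds) are my reading of slapd.conf(5); conn=1006 is a constructed connection that never did STARTTLS.

```python
import re

# slapd logs this once per connection after STARTTLS (or ldaps) succeeds.
TLS_EVENT = re.compile(
    r"conn=(?P<conn>\d+) fd=\d+ TLS established tls_ssf=(?P<tls>\d+) ssf=(?P<ssf>\d+)"
)


def parse_olc_security(value):
    """Turn 'ssf=1 sasl=56 tls=256' into {'ssf': 1, 'sasl': 56, 'tls': 256}."""
    reqs = {}
    for token in value.split():
        key, sep, num = token.partition("=")
        if not sep or not num.isdigit():
            raise ValueError(f"bad olcSecurity token: {token!r}")
        reqs[key] = int(num)
    return reqs


def connection_ssf(log_lines, conn_id):
    """Negotiated strength of connection conn_id according to the slapd log.
    Returns {'tls_ssf': 0, 'ssf': 0} when no TLS session was ever established."""
    strength = {"tls_ssf": 0, "ssf": 0}
    for line in log_lines:
        m = TLS_EVENT.search(line)
        if m and int(m.group("conn")) == conn_id:
            strength = {"tls_ssf": int(m.group("tls")), "ssf": int(m.group("ssf"))}
    return strength


def unmet_for_simple_bind(reqs, strength):
    """olcSecurity keys a simple bind on this connection would not satisfy.
    Assumption (from slapd.conf(5)): 'ssf' and 'simple_bind' are compared with the
    overall ssf, 'tls' with tls_ssf; 'sasl' applies to SASL binds only, so it is
    ignored for a simple bind."""
    checks = {
        "ssf": strength["ssf"],
        "tls": strength["tls_ssf"],
        "simple_bind": strength["ssf"],
    }
    return [key for key, got in checks.items() if got < reqs.get(key, 0)]


# The two log lines from the thread that matter for this check.
SAMPLE_LOG = [
    "Feb 18 22:19:04 baneling slapd[22171]: conn=1005 op=0 STARTTLS",
    "Feb 18 22:19:04 baneling slapd[22171]: conn=1005 fd=15 TLS established tls_ssf=256 ssf=256",
]

if __name__ == "__main__":
    for directive in ("sasl=56 simple_bind=256 ssf=256", "ssf=1 sasl=56 tls=256"):
        reqs = parse_olc_security(directive)
        for conn in (1005, 1006):  # 1006: constructed connection without TLS
            strength = connection_ssf(SAMPLE_LOG, conn)
            print(directive, conn, strength, unmet_for_simple_bind(reqs, strength))
```

Run it against the full slapd log to see whether the logged strength, rather than the configured one, is what the bind is being refused on.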