[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ssf settings for SASL and TLS

To: Joshua Schaeffer <jschaeffer0922@gmail.com>, Michael Ströder <michael@stroeder.com>, openldap-technical@openldap.org
Subject: Re: ssf settings for SASL and TLS
From: Quanah Gibson-Mount <quanah@zimbra.com>
Date: Sat, 20 Feb 2016 18:59:11 -0800
Content-disposition: inline
Dkim-filter: OpenDKIM Filter v2.10.3 edge01.zimbra.com 5F12444366
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zimbra.com; s=C2AA288C-EE47-11E2-9BB0-E820BDD9BDBF; t=1456023556; bh=bAIawq22YEIC81ELrxRptg/jo0aonA1FTTDcH69jVC4=; h=Date:From:To:Message-ID:MIME-Version; b=qO44b7/KtEcDxjI4X3d1UFxu+aS85IxHGfcIMgfUwG2ZveeirrMT/iQjrllwMHkhR gGBoQ4N2oalHWQBiZ51b1cqiKdlAQqrrTYibXWSb6hD3zAPEsE7G8bpc5TWYJfNu2Y InqDsvKyhW+BMM1L9cUJPD7I/8D3x2LlgP8JaxEU=
In-reply-to: <56C920C7.4010605@gmail.com>
References: <56C539C4.80200@gmail.com> <20160218111940.27f59ba7@pink.avci.de> <56C6A610.50805@gmail.com> <56C6D044.7040702@stroeder.com> <56C920C7.4010605@gmail.com>

--On Saturday, February 20, 2016 7:28 PM -0700 Joshua Schaeffer<jschaeffer0922@gmail.com> wrote:

Yes I surmised as much. But how do I tell slapd that when I do a simple
auth use the tls settings and when I do an SASL auth to use sasl
settings. Can you point me to the man pages that explains this.


Set this correctly:
      olcSaslSecProps: <properties>

Used to specify Cyrus SASL security properties. The noneflag(without any other properties) causes the flagpropertiesdefault, "noanonymous,noplain", to be cleared. The noplainflagdisables mechanisms susceptible to simple passive attacks.Thenoactive flag disables mechanisms susceptible to activeattacks.The nodict flag disables mechanisms susceptible topassivedictionary attacks. The noanonymous flag disablesmechanismswhich support anonymous login. The forwardsec flagrequireforward secrecy between sessions. The passcredrequiremechanisms which pass client credentials (and allowmechanismswhich can pass credentials to do so). Theminssf=<factor>property specifies the minimum acceptable securitystrengthfactor as an integer approximate to effective key lengthusedfor encryption. 0 (zero) implies no protection, 1impliesintegrity protection only, 56 allows DES or other weakciphers,112 allows triple DES and other strong ciphers, 128 allowsRC4,Blowfish and other modern strong ciphers. The default is0.The maxssf=<factor> property specifies the maximumacceptablesecurity strength factor as an integer (see minssfdescription).The default is INT_MAX. The maxbufsize=<size>propertyspecifies the maximum security layer receive buffersize

             allowed.  0 disables security layers.  The default is 65536.

Then only set the tls SSF in olcSecurity (drop the SASL SSF). Make sureyour SASL binds *also* use TLS. Then you're covered.


--Quanah



--

Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
--------------------
Zimbra ::  the leader in open source messaging and collaboration
A division of Synacor, Inc

Follow-Ups:
- Re: ssf settings for SASL and TLS
  - From: Joshua Schaeffer <jschaeffer0922@gmail.com>

References:
- ssf settings for SASL and TLS
  - From: Joshua Schaeffer <jschaeffer0922@gmail.com>
- Re: ssf settings for SASL and TLS
  - From: Dieter Klünter <dieter@dkluenter.de>
- Re: ssf settings for SASL and TLS
  - From: Joshua Schaeffer <jschaeffer0922@gmail.com>
- Re: ssf settings for SASL and TLS
  - From: Michael Ströder <michael@stroeder.com>
- Re: ssf settings for SASL and TLS
  - From: Joshua Schaeffer <jschaeffer0922@gmail.com>

Prev by Date: Re: ssf settings for SASL and TLS
Next by Date: Re: ssf settings for SASL and TLS
Index(es):
- Chronological
- Thread