SASL EXTERNAL binds and sasl-secprops minssf > 0
- To: openldap-technical@openldap.org
- Subject: SASL EXTERNAL binds and sasl-secprops minssf > 0
- From: David Hawes <dhawes@gmail.com>
- Date: Sat, 5 Aug 2017 14:05:33 -0400

With ITS #8568 [1], I notice that the first SASL EXTERNAL (using TLS
client auth) bind on a connection succeeds, but subsequent SASL
EXTERNAL binds on the same connection fail with:

    slapd[31088]: conn=1009 op=3 RESULT tag=97 err=48 text=SASL(-15): mechanism too weak for this user: mech EXTERNAL is too weak

when:

    sasl-secprops minssf=128

In previous OpenLDAP versions, both the initial and subsequent SASL
EXTERNAL binds succeed due to the bug in #8568.

This was a misconfiguration on my part (I should have kept the default
of 0), but I wonder if the initial SASL bind should also fail. It
seems to succeed because tls_ssf is used in connection.c:

    slap_sasl_external( c, c->c_tls_ssf, &authid );

[1] http://www.openldap.org/its/index.cgi/Software%20Bugs?id=8568;selectid=8568