--On Friday, October 26, 2007 9:47 AM +0000 russell-openldap@stuart.id.au wrote:
> I have now tried:
>
> security tls=128 sasl=128
>
> It didn't work. All the commands below work without the 'security' option.
> This says: Require a TLS session of 128 bit security AND SASL security of 128.
>
> ldapsearch -x -ZZ -D "uid=openldap,dc=auth,dc=lubemobile,dc=com,dc=au" -w "$(ssu cat /etc/libnss-ldap.secret)" -b "dc=pwd,dc=lubemobile,dc=com,dc=au" "(uid=it)"
> ldap_bind:

You aren't using SASL here. So of course it fails.

> Which, when I think about it, may be reasonable. I am apparently saying I require a sasl ssf of 128, and obviously I don't have that. This was a surprise though:

Right.

> ldapsearch -ZZ -U "openldap" -b "dc=pwd,dc=lubemobile,dc=com,dc=au" "(uid=it)"
> ldap_sasl_interactive_bind_s: Confidentiality required (13) additional info: SASL confidentiality required
>
> Is that a bug?

I suggest reading the part on sasl-secprops in the slapd.conf(5) man page. It notes that the default setting is to block anonymous and plain SASL binds.

> Anyway, bugs aside, assuming I now have some idea how it works, it's useless for my application. I want to insist that userPassword be encrypted when sent and received, be that via CRAM-MD5 or friends or by using TLS, but clear text is fine for the rest of the information in the ldap database, and in fact anonymous unencrypted connections are the rule for VPN access. The 'security' option applies to all connections.

access to attrs=userPassword by users sasl_ssf=128 read break by users tls_ssf=128 read

I think might do it.

> Anyway, to state the problem as clearly as I can, I can't see how to do the following combination of things:
>
> - Allow anonymous access over unencrypted connections for the bulk of the database.

Above acl followed by

access to * by * read

(or however else limited).

> - Allow simple binds, but they must be over encrypted connections to protect userPassword.

See above ACL.

> - Allow sasl binds over unencrypted connections, but they must not use clear text.

Read the sasl-secprops setting.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
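One slapd.conf fragment that meets the three requirements listed in the thread, added here as an example and not taken from either poster; it assumes OpenLDAP 2.3+ slapd.conf syntax, and the ssf value 128 is a placeholder matching the thread rather than a recommendation.

```conf
# Added example, not from the thread. Assumes slapd.conf syntax
# (OpenLDAP 2.3 or later); 128 is a placeholder strength factor.

# No global ssf= requirement, so anonymous cleartext reads of the
# bulk of the database stay allowed (requirement 1). simple_bind=
# applies only to simple binds: they are refused unless the
# connection already has 128-bit protection, i.e. TLS, so the
# cleartext password in the bind is never sent unprotected
# (requirement 2).
security simple_bind=128

# SASL binds may still arrive on unencrypted connections, but the
# mechanisms that would transmit the password in the clear
# (PLAIN, LOGIN) and the ANONYMOUS mechanism are refused; CRAM-MD5
# and DIGEST-MD5 remain available (requirement 3).
sasl-secprops noplain,noanonymous

# userPassword is used for authentication only. "auth" lets slapd
# compare the attribute for a simple bind (already forced onto TLS
# above) and for the SASL auxprop lookup, without ever returning the
# value to a client. A user may change their own password only over
# a protected connection; nobody is granted read.
access to attrs=userPassword
    by self ssf=128 write
    by anonymous auth
    by * none

# Everything else: readable by anyone, on any connection.
access to *
    by * read
```

Without a global ssf= factor the per-connection checks above do the work that a blanket `security` line cannot, which is why the `security tls=128 sasl=128` attempt quoted earlier rejected every other connection.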