russell-openldap@stuart.id.au wrote:
I am trying to insist that connections during SASL auth operations are encrypted, i.e., that this works:

    access to attrs=userPassword
        by tls_ssf=128 ssf=128 anonymous auth
        by * none
It does work for a simple bind, but for a SASL bind it fails, and this telltale appears in the log:
slapd[26499]: <= check a_authz.sai_ssf: ACL 128 > OP 0
I fixed the issue using this patch, which applies to 2.4.5, 2.3.38 and 2.3.30:
diff -Nur openldap2.3-2.3.30/servers/slapd/sasl.c openldap2.3-2.3.30.new/servers/slapd/sasl.c --- openldap2.3-2.3.30/servers/slapd/sasl.c 2007-10-19 15:27:53.000000000 +1000 +++ openldap2.3-2.3.30.new/servers/slapd/sasl.c 2007-10-19 15:29:18.000000000 +1000 @@ -384,6 +384,7 @@ op.ors_slimit = 1; op.ors_filter = &generic_filter; op.ors_filterstr = generic_filterstr;
op.o_authz = conn->c_authz; /* FIXME: we want all attributes, right? */ op.ors_attrs = NULL;

I suppose that may be a legitimate bug, but this isn't really the correct fix. slap_auxprop_lookup is doing an internal search, so there is no network to speak of. In SSF terms it would have an SSF of "infinity".
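Review bot: the single line this hunk adds (one insertion, per the "@@ -384,6 +384,7 @@" header), "op.o_authz = conn->c_authz;", copies the connection's whole authz structure, SSF fields included, onto the internal search op that slap_auxprop_lookup builds, so the ACL evaluation for that lookup now tracks the client's transport strength instead of reflecting that the search never leaves the server. As the reply in this thread says, an internal search has no network path and should be treated as having the highest possible SSF, so the change should set the internal op's strength factors to that value rather than alias the client's c_authz, and a comment explaining why the internal op carries those values would help, particularly next to the existing "FIXME: we want all attributes, right?" note that already leaves the attribute list of this op undecided.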
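As an added illustration (not code from this thread or from OpenLDAP), the following Python models how slapd walks the clauses of an access directive and applies the ssf=/tls_ssf= requirements of each clause to the strength factors recorded on the operation, producing the same diagnostic line quoted above. The check order, the treatment of the auxprop lookup as an anonymous operation and the numeric stand-in for an "infinite" SSF are assumptions made for this model.

```python
# Model of slapd's per-clause strength-factor gate, written for this thread.
# It is not OpenLDAP code; INTERNAL_SSF is an assumed stand-in for the
# "infinity" an internal search would carry.
from dataclasses import dataclass

INTERNAL_SSF = 2**31 - 1  # assumption: "no network" == highest possible SSF


@dataclass
class Authz:
    """Strength factors slapd records for an operation (slap_authz_info)."""
    ssf: int = 0            # effective SSF (the strongest protection in use)
    transport_ssf: int = 0  # e.g. ldapi:// or other transport-level protection
    tls_ssf: int = 0        # negotiated TLS cipher strength
    sasl_ssf: int = 0       # SASL security layer strength


@dataclass
class Clause:
    """One 'by <who> [ssf=N tls_ssf=N ...] <access>' clause."""
    who: str                # "anonymous", "users" or "*" in this model
    access: str
    ssf: int = 0
    transport_ssf: int = 0
    tls_ssf: int = 0
    sasl_ssf: int = 0


def who_matches(clause, bound_dn):
    if clause.who == "*":
        return True
    if clause.who == "anonymous":
        return bound_dn is None
    if clause.who == "users":
        return bound_dn is not None
    raise ValueError(f"unsupported who: {clause.who}")


def ssf_ok(clause, authz, log):
    # Assumed order; the first unmet requirement is logged and the clause
    # is skipped, which is what the "ACL 128 > OP 0" line in the thread shows.
    for name in ("ssf", "transport_ssf", "tls_ssf", "sasl_ssf"):
        need = getattr(clause, name)
        have = getattr(authz, name)
        if need > have:
            log.append(f"<= check a_authz.sai_{name}: ACL {need} > OP {have}")
            return False
    return True


def evaluate(clauses, authz, bound_dn, log):
    """Return the access granted by the first clause that matches and whose
    strength requirements are met; 'none' if no clause applies."""
    for clause in clauses:
        if not who_matches(clause, bound_dn):
            continue
        if not ssf_ok(clause, authz, log):
            continue
        return clause.access
    return "none"


# Constructed: the directive from the thread.
#   access to attrs=userPassword
#       by tls_ssf=128 ssf=128 anonymous auth
#       by * none
USERPASSWORD_ACL = [
    Clause(who="anonymous", access="auth", tls_ssf=128, ssf=128),
    Clause(who="*", access="none"),
]


def simple_bind_over_tls():
    """Simple bind on a TLS session with a 128-bit cipher: the op carries the
    session's strength, so the first clause is satisfied."""
    log = []
    authz = Authz(ssf=128, tls_ssf=128)
    return evaluate(USERPASSWORD_ACL, authz, None, log), log


def sasl_auxprop_lookup_no_ssf():
    """The internal search made during a SASL bind with no strength factors
    on the op (the bind has not completed, so it is treated as anonymous):
    the first clause is skipped and 'by * none' wins."""
    log = []
    return evaluate(USERPASSWORD_ACL, Authz(), None, log), log


def sasl_auxprop_lookup_as_internal():
    """Same internal search, but carrying the assumed 'infinite' SSF of an
    operation that never touches the network."""
    log = []
    authz = Authz(ssf=INTERNAL_SSF, transport_ssf=INTERNAL_SSF,
                  tls_ssf=INTERNAL_SSF, sasl_ssf=INTERNAL_SSF)
    return evaluate(USERPASSWORD_ACL, authz, None, log), log
```

Running the three scenarios shows the simple bind getting "auth", the bare auxprop lookup falling through to "none" with the "ACL 128 > OP 0" diagnostic, and the lookup carrying the internal SSF getting "auth" without copying anything from the client's connection.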