On Fri, 2007-10-26 at 19:59 -0700, Quanah Gibson-Mount wrote:
> ldapsearch -ZZ -U "openldap" -b "dc=pwd,dc=lubemobile,dc=com,dc=au" "(uid=it)"
> ldap_sasl_interactive_bind_s: Confidentiality required (13)
> additional info: SASL confidentiality required
>
> Is that a bug?
I suggest reading the part on sasl-secprops in the slapd.conf(5) man page.
It notes that the default setting is to block anonymous and plain
SASL binds.

I suspect you are right in that that is the cause of the
problem because a -Y DIGEST-MD5 fixes it. But, as
I said, it worked before the security option was
added. It worked because DIGEST-MD5 was the default.
So why isn't it the default now?
Now that you have pointed it out, I guess that the
addition of the 'security' option prevented SASL
from searching dn="" for the types of authentications
supported.

access to userPassword
    by users read sasl_ssf=128 break
    by users read tls=128

I think might do it.

You would think that would do it - certainly I did. But
you would be wrong. Currently it doesn't, and that is
what this ITS is about. The patch I supplied with the
initial bug report changes things so it does work.