In 'man slapd.conf',
sasl-secprops <properties> ... minssf=<factor> ... The default is 0.
If I set values in /etc/openldap/slapd.conf, and test security layer strength,
(1) sasl-secprops noanonymous,noplain,noactive
    ldapwhoami -ZZ
    SASL SSF: 56
(2) sasl-secprops noanonymous,noplain,noactive,minssf=128
    ldapwhoami -ZZ
    SASL SSF: 56
(3) sasl-secprops noanonymous,noplain,noactive,minssf=128,maxssf=256
    ldapwhoami -ZZ
    SASL SSF: 0
I'd expected for the 3 cases,
(1) SASL SSF: 0   <- default
(2) SASL SSF: 128 <- set by minssf
(3) SASL SSF: 128 <- set by minssf
Am I correct in my understanding that "SASL SSF" is supposed to track with the sasl-secprops properties?
If yes, is there more config required? A bug, maybe?
If no, how do I correctly set/verify SASL SSF strength?
Thanks.
update:
I came across a 2-year-old, seemingly relevant post:
http://www.openldap.org/lists/openldap-software/200609/msg00148.html
"The Cyrus SASL GSSAPI module currently doesn't know how to report the actual SSF in effect. It is hardcoded to report 56. Some versions assume that triple-DES is available and report 112, depending on the Kerberos library you compiled with. Anyway, this is not a limitation in OpenLDAP, it's a bug in Cyrus SASL."
Could what I'm seeing be the result of this as yet (still) unresolved bug?
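The three numbers above follow from how Cyrus SASL combines sasl-secprops with the SSF of the TLS session: slapd hands the TLS strength to the library as the "external" SSF, and the GSSAPI plugin subtracts that external SSF from both minssf and maxssf before deciding which security layer (none, integrity, confidentiality) it may still negotiate. The confidentiality layer is then reported with a hard-coded SSF (56 in the release the quoted message describes; newer Cyrus SASL releases use a different constant). The model below is an added example written from a reading of Cyrus SASL's plugins/gssapi.c; it is not code from the original post, OpenLDAP or Cyrus SASL. It assumes an external (TLS) SSF of 256, a value chosen because it reproduces the three observed results (the post does not state which cipher suite was negotiated), and the ldapwhoami output it parses is constructed, not captured.

```python
"""Model of Cyrus SASL GSSAPI layer selection under sasl-secprops.

Added illustration based on a reading of Cyrus SASL plugins/gssapi.c; not
OpenLDAP or Cyrus SASL code.  Numeric assumptions are marked below.
"""
import re

INT_MAX = 2**31 - 1          # slapd.conf default for maxssf
GSSAPI_REPORTED_SSF = 56     # assumption: hard-coded value the quoted post mentions


class TooWeak(Exception):
    """No GSSAPI layer satisfies the requested properties; the bind fails."""


def parse_secprops(value):
    """Parse a sasl-secprops value into flags plus minssf/maxssf (defaults 0 / INT_MAX)."""
    props = {"flags": set(), "minssf": 0, "maxssf": INT_MAX}
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        key, sep, num = item.partition("=")
        if sep and key in ("minssf", "maxssf", "maxbufsize"):
            props[key] = int(num)
        elif not sep and key in ("none", "noplain", "noactive", "nodict",
                                 "noanonymous", "forwardsec", "passcred"):
            props["flags"].add(key)
        else:
            raise ValueError(f"unknown sasl-secprops item: {item!r}")
    return props


def gssapi_layer(minssf, maxssf=INT_MAX, external_ssf=0, mech_max_ssf=GSSAPI_REPORTED_SSF):
    """Return (layer, reported_ssf) as the GSSAPI plugin would negotiate it.

    The external SSF (what slapd reports for the TLS session) is subtracted
    from both bounds first, so a TLS session already at or above maxssf
    leaves no room for any SASL layer, and the plugin settles on 'none'.
    """
    requiressf = max(minssf - external_ssf, 0)   # strength SASL itself must add
    limitssf = max(maxssf - external_ssf, 0)     # strength SASL itself may add
    if mech_max_ssf < requiressf:                # mechanism cannot meet minssf at all
        raise TooWeak(f"GSSAPI max SSF {mech_max_ssf} < required {requiressf}")
    if requiressf <= mech_max_ssf <= limitssf:
        return "confidentiality", mech_max_ssf   # privacy layer, reported as the constant
    if requiressf <= 1 <= limitssf:
        return "integrity", 1
    if requiressf == 0:
        return "none", 0
    raise TooWeak(f"no layer fits minssf={minssf} maxssf={maxssf} external={external_ssf}")


def expected_sasl_ssf(secprops, external_ssf):
    """'SASL SSF' ldapwhoami should print for this config, or None if the bind is refused."""
    props = parse_secprops(secprops)
    try:
        return gssapi_layer(props["minssf"], props["maxssf"], external_ssf)[1]
    except TooWeak:
        return None


def reported_sasl_ssf(ldapwhoami_output):
    """Pull the integer after 'SASL SSF:' out of ldapwhoami's diagnostic output."""
    m = re.search(r"^SASL SSF: (\d+)$", ldapwhoami_output, re.MULTILINE)
    return int(m.group(1)) if m else None


# Constructed sample of what 'ldapwhoami -ZZ' prints; not a captured transcript.
SAMPLE_OUTPUT = """\
SASL/GSSAPI authentication started
SASL username: user@EXAMPLE.COM
SASL SSF: 56
SASL data security layer installed.
dn:uid=user,dc=example,dc=com
"""

if __name__ == "__main__":
    tls_ssf = 256  # assumption: TLS session strength reported by slapd as external SSF
    for cfg in ("noanonymous,noplain,noactive",
                "noanonymous,noplain,noactive,minssf=128",
                "noanonymous,noplain,noactive,minssf=128,maxssf=256"):
        print(f"{cfg:55s} -> SASL SSF: {expected_sasl_ssf(cfg, tls_ssf)}")
    print("without TLS, minssf=128 ->", expected_sasl_ssf("minssf=128", 0))
    print("parsed from sample output ->", reported_sasl_ssf(SAMPLE_OUTPUT))
```

Under these assumptions the model gives 56, 56 and 0 for the three configurations, and it shows why "SASL SSF" cannot be read as the total strength of the connection: with TLS in place the reported value is only what the SASL layer adds on top of the TLS SSF, and dropping TLS (external SSF 0) with minssf=128 makes the GSSAPI bind fail outright rather than report 128. Comparing the output of `ldapwhoami -ZZ` with a bind that omits `-ZZ` is therefore the practical way to see which bound is actually in effect.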