--On Saturday, February 20, 2016 7:28 PM -0700 Joshua Schaeffer jschaeffer0922@gmail.com wrote:
Yes I surmised as much. But how do I tell slapd that when I do a simple auth use the tls settings and when I do an SASL auth to use sasl settings. Can you point me to the man pages that explains this.
Set this correctly: olcSaslSecProps: <properties> Used to specify Cyrus SASL security properties. The none flag (without any other properties) causes the flag properties default, "noanonymous,noplain", to be cleared. The noplain flag disables mechanisms susceptible to simple passive attacks. The noactive flag disables mechanisms susceptible to active attacks. The nodict flag disables mechanisms susceptible to passive dictionary attacks. The noanonymous flag disables mechanisms which support anonymous login. The forwardsec flag require forward secrecy between sessions. The passcred require mechanisms which pass client credentials (and allow mechanisms which can pass credentials to do so). The minssf=<factor> property specifies the minimum acceptable security strength factor as an integer approximate to effective key length used for encryption. 0 (zero) implies no protection, 1 implies integrity protection only, 56 allows DES or other weak ciphers, 112 allows triple DES and other strong ciphers, 128 allows RC4, Blowfish and other modern strong ciphers. The default is 0. The maxssf=<factor> property specifies the maximum acceptable security strength factor as an integer (see minssf description). The default is INT_MAX. The maxbufsize=<size> property specifies the maximum security layer receive buffer size allowed. 0 disables security layers. The default is 65536.
Then only set the tls SSF in olcSecurity (drop the SASL SSF). Make sure your SASL binds *also* use TLS. Then you're covered.
--Quanah
--
Quanah Gibson-Mount Platform Architect Zimbra, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration A division of Synacor, Inc