On Thu, 18 Feb 2016 22:20:16 -0700, Joshua Schaeffer jschaeffer0922@gmail.com wrote:
On 02/18/2016 03:19 AM, Dieter Klünter wrote:
On Wed, 17 Feb 2016 20:25:56 -0700, Joshua Schaeffer jschaeffer0922@gmail.com wrote:
What is the proper way to setup SASL and TLS with different security strength factors? I've setup SASL on my OpenLDAP server so that it can connect to my Kerberos server using GSSAPI. I also have TLS setup for simple auth. My database config is below:
[...]
olcSecurity: sasl=56 simple_bind=256 ssf=256
ssf=x specifies the overall security; a value of '1' enables security. This setting would meet your requirements:
olcSecurity: ssf=1 sasl=56 tls=256
-Dieter
I updated olcSecurity and now I get the following when using simple auth:
root@immortal:/var/log/kerberos# ldapsearch -LLL -x -D cn=admin,dc=harmonywave,dc=com -W -H ldap://baneling.harmonywave.com/????starttls -b dc=harmonywave,dc=com
Enter LDAP Password:
ldap_bind: Confidentiality required (13)
	additional info: SASL confidentiality required
I see this in the logs:
Feb 18 22:19:04 baneling slapd[22171]: conn=1005 fd=15 ACCEPT from IP=10.1.10.12:55750 (IP=0.0.0.0:389)
Feb 18 22:19:04 baneling slapd[22171]: conn=1005 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Feb 18 22:19:04 baneling slapd[22171]: conn=1005 op=0 STARTTLS
Feb 18 22:19:04 baneling slapd[22171]: conn=1005 op=0 RESULT oid= err=0 text=
Feb 18 22:19:04 baneling slapd[22171]: conn=1005 fd=15 TLS established tls_ssf=256 ssf=256
[...]
You still have an overall security ssf=256, and it seems your TLS session used a key length lower than 256 bits; check your TLS configuration.
-Dieter
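To make the interaction of the olcSecurity factors discussed in this thread concrete, here is an added model of how slapd compares a session's security strength factors against the configured minimums. It is example code written for this page, not code from the thread or from OpenLDAP. It encodes my reading of slapd's backend_check_restrictions(): every keyword is an independent minimum that is ANDed with the others, the overall ssf is the stronger of the TLS and SASL layers (matching the log line "tls_ssf=256 ssf=256"), and the sasl=<n> minimum is skipped only for a SASL bind itself, so a simple bind (sasl_ssf 0) is measured against it too. Those rules, the helper names and the constructed session values are assumptions to verify against your own slapd; the update_* factors are left out.

```python
"""Model of slapd's olcSecurity check (added example, not OpenLDAP code).

Assumption: mirrors backend_check_restrictions() in slapd. Each
olcSecurity keyword is a minimum the session must reach; failing one
yields confidentialityRequired (13) with the text returned below.
"""
from dataclasses import dataclass
from typing import Optional

# olcSecurity keywords this model understands (update_* variants omitted).
KNOWN_FACTORS = ("ssf", "transport", "tls", "sasl", "simple_bind")


def parse_security(value: str) -> dict:
    """Parse 'ssf=1 sasl=56 tls=256' into {'ssf': 1, 'sasl': 56, 'tls': 256, ...}.
    Keywords not mentioned default to 0, i.e. no requirement."""
    req = {k: 0 for k in KNOWN_FACTORS}
    for token in value.split():
        key, _, num = token.partition("=")
        if key not in KNOWN_FACTORS or not num.isdigit():
            raise ValueError(f"unsupported olcSecurity token: {token!r}")
        req[key] = int(num)
    return req


@dataclass
class Connection:
    """Factors slapd records for a session ('TLS established tls_ssf=256 ssf=256')."""
    tls_ssf: int = 0        # cipher strength of the TLS session, 0 without TLS
    sasl_ssf: int = 0       # strength of the SASL security layer, 0 for a simple bind
    transport_ssf: int = 0  # e.g. ldapi://; 0 for plain TCP

    @property
    def ssf(self) -> int:
        # Assumption: slapd's overall ssf is the stronger of the two layers.
        return max(self.tls_ssf, self.sasl_ssf)


def check_restrictions(req: dict, conn: Connection, op: str) -> Optional[str]:
    """Return None if `op` is allowed, else the diagnostic text slapd reports.
    `op` is 'simple_bind', 'sasl_bind' or any other operation such as 'search'."""
    if conn.ssf < req["ssf"]:
        return "confidentiality required"
    if conn.transport_ssf < req["transport"]:
        return "transport confidentiality required"
    if conn.tls_ssf < req["tls"]:
        return "TLS confidentiality required"
    if op == "simple_bind" and conn.ssf < req["simple_bind"]:
        return "confidentiality required"
    # Assumption: the sasl minimum is not applied to a SASL bind (no layer
    # exists yet) but is applied to a simple bind and to every later operation.
    if op != "sasl_bind" and conn.sasl_ssf < req["sasl"]:
        return "SASL confidentiality required"
    return None


def ldapsearch_x(security: str, conn: Connection) -> Optional[str]:
    """What `ldapsearch -x` would hit: the simple bind first, then the search."""
    req = parse_security(security)
    return (check_restrictions(req, conn, "simple_bind")
            or check_restrictions(req, conn, "search"))


if __name__ == "__main__":
    # Constructed sessions: STARTTLS with a 256-bit cipher followed by a
    # simple bind (as in the thread's log), and GSSAPI with a 56-bit
    # SASL layer over plain TCP.
    starttls_simple = Connection(tls_ssf=256)
    gssapi_plain = Connection(sasl_ssf=56)
    for cfg in ("sasl=56 simple_bind=256 ssf=256",
                "ssf=1 sasl=56 tls=256",
                "ssf=1 simple_bind=256"):
        req = parse_security(cfg)
        print(f"{cfg!r}: simple bind over TLS -> {ldapsearch_x(cfg, starttls_simple)}; "
              f"GSSAPI search -> {check_restrictions(req, gssapi_plain, 'search')}")
```

Running it shows why both configurations in the thread refuse the simple bind over TLS with exactly the reported text: the session has tls_ssf=256 but sasl_ssf=0, and a simple bind is still measured against sasl=56. The third configuration in the demo, `ssf=1 simple_bind=256`, is my own construction: it keeps the 256-bit requirement for password binds only and lets a GSSAPI session without TLS through, since its factors are checked against ssf and sasl (both satisfied) rather than against the simple_bind minimum.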