What is the proper way to set up SASL and TLS with different security strength factors? I've set up SASL on my OpenLDAP server so that it can connect to my Kerberos server using GSSAPI. I also have TLS set up for simple auth. My database config is below:
root@baneling:~/ldif_files# slapcat -H "ldap:///olcDatabase={1}mdb,cn=config??base?"
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=harmonywave,dc=com
olcAccess: {0}to attrs=userPassword,shadowLastChange,krbPrincipalKey by self write by anonymous auth by dn="cn=admin,dc=harmonywave,dc=com" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=harmonywave,dc=com
olcRootPW:: e1NTSEF9dUhDcE1jUUJoWlpuc0twRHBNQkVCUGtmTFA5SC9EYUU=
olcDbCheckpoint: 512 30
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: member,memberUid eq
olcDbIndex: sudoUser eq
olcDbIndex: krbPrincipalName eq,pres,sub
olcDbMaxSize: 1073741824
structuralObjectClass: olcMdbConfig
entryUUID: caa04334-6857-1035-9fbb-dd6671002504
creatorsName: cn=admin,cn=config
createTimestamp: 20160215174631Z
olcSecurity: sasl=56 simple_bind=256 ssf=256
entryCSN: 20160218030327.503814Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20160218030327Z
When I set the security to "olcSecurity: sasl=56 simple_bind=256" then I can bind with SASL or simple auth. However, if I set ssf=256 (or really anything higher than 56), like in the above configuration, I get an error when trying to bind with SASL:
root@baneling:~/ldif_files# ldapsearch -LLL -Y GSSAPI -H ldapi:/// -b dc=harmonywave,dc=com -s base
SASL/GSSAPI authentication started
SASL username: jschaeffer@HARMONYWAVE.COM
SASL SSF: 56
SASL data security layer installed.
Confidentiality required (13)
Additional information: stronger confidentiality required
If I set tls instead of ssf to any number (tls=1 or greater), then I get a slightly different error message when trying to bind with SASL:
root@baneling:~/ldif_files# ldapsearch -LLL -Y GSSAPI -H ldapi:/// -b dc=harmonywave,dc=com -s base
SASL/GSSAPI authentication started
SASL username: jschaeffer@HARMONYWAVE.COM
SASL SSF: 56
SASL data security layer installed.
Confidentiality required (13)
Additional information: TLS confidentiality required
It looks like slapd has its own order of preference when parsing olcSecurity. I'm really just trying to understand the preferred method for setting this up. Perhaps this isn't a real-world situation, or perhaps I already answered my own question by setting just sasl and simple_bind.
Thanks, Joshua