Kurt D. Zeilenga | 1 Jun 03:37 2004

RE: Heimdal/OpenLDAP/Samba howto and bugreport

At 12:22 PM 5/31/2004, Howard Chu wrote:
>> -----Original Message-----
>> From: owner-heimdal-discuss <at> sics.se
>> [mailto:owner-heimdal-discuss <at> sics.se]On Behalf Of Kurt D. Zeilenga
>
>> Regarding commenting out sasl-secprops minssf=128, it might
>> be better to instead lower the minssf to 70.  The base SSF of
>> ldapi:// is currently 71.  We figured that use of ldapi:// was better
>> than weak encryption (<65) but not as good as stronger
>> encryption (>95), hence the 71.  The ldapi:// SSF should really
>> be a configurable option.  I'll add that to our TODO list.
>
>No, that won't work. The minssf here is used to select eligible SASL
>mechanisms to offer to the client,

Right.  When ldapi:// is used, slapd(8) sets the transport
SSF to 71 so that mechanisms which can meet the minssf
are available.

>and SASL/EXTERNAL always has an SSF of
>zero as far as the SASL library is concerned.

I was under the impression it was only offered when
the minssf was satisfied by the transport as SASL/EXTERNAL
doesn't itself improve the ssf.  Will have to read through
Cyrus SASL server.c again to figure out exactly...
I just saw this comment:
 * IF mech strength + external strength < min ssf THEN FAIL
I thought it was (and, IMO, should be):
 * If max(mech strength, external strength) < min ssf THEN FAIL.
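The two combination rules under discussion (the "mech strength + external strength" test in the quoted Cyrus SASL comment, and the max() test proposed instead) are easy to compare side by side. The script below is an added illustration, not code from Cyrus SASL, OpenLDAP or anyone in this thread; the mechanism table and its SSF values are assumed for the example (only the 71 for ldapi:// comes from the message above), and the mechanism names are used purely as labels.

```python
"""
Which SASL mechanisms a server would offer under a minimum-SSF policy,
evaluated with the two rules debated above:

  sum rule : IF mech strength + external strength < min ssf THEN FAIL
  max rule : IF max(mech strength, external strength) < min ssf THEN FAIL

Added example; mechanism strengths below are assumptions, not values
read from any real SASL installation.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Value slapd(8) assigns to the ldapi:// transport, per the message above.
LDAPI_SSF = 71


@dataclass(frozen=True)
class Mechanism:
    name: str
    max_ssf: int  # strongest security layer the mechanism itself provides; 0 = none


# Constructed mechanism table (assumed strengths).  EXTERNAL carries no
# layer of its own, which is the behaviour noted in the quoted reply.
MECHS: List[Mechanism] = [
    Mechanism("EXTERNAL", 0),
    Mechanism("DIGEST-MD5", 128),
    Mechanism("GSSAPI", 56),
    Mechanism("PLAIN", 0),
]

Rule = Callable[[int, int, int], bool]


def sum_rule(mech_ssf: int, external_ssf: int, min_ssf: int) -> bool:
    """Rule as stated in the Cyrus SASL server.c comment quoted above."""
    return mech_ssf + external_ssf >= min_ssf


def max_rule(mech_ssf: int, external_ssf: int, min_ssf: int) -> bool:
    """Rule proposed in the message: the pair is no stronger than its best layer."""
    return max(mech_ssf, external_ssf) >= min_ssf


def offered(rule: Rule, external_ssf: int, min_ssf: int,
            mechs: List[Mechanism] = MECHS) -> List[str]:
    """Names of the mechanisms the server would advertise under `rule`."""
    return [m.name for m in mechs if rule(m.max_ssf, external_ssf, min_ssf)]


def compare(external_ssf: int, min_ssf: int,
            mechs: List[Mechanism] = MECHS) -> Dict[str, List[str]]:
    """Offered lists under both rules for one transport/policy combination."""
    return {
        "sum": offered(sum_rule, external_ssf, min_ssf, mechs),
        "max": offered(max_rule, external_ssf, min_ssf, mechs),
    }


def disagreements(external_ssf: int, min_ssf: int,
                  mechs: List[Mechanism] = MECHS) -> List[str]:
    """Mechanisms the sum rule offers but the max rule withholds.

    These are exactly the cases where neither the mechanism nor the transport
    alone meets minssf, yet their numeric sum does.
    """
    both = compare(external_ssf, min_ssf, mechs)
    return [name for name in both["sum"] if name not in both["max"]]


if __name__ == "__main__":
    # The configurations from the thread: minssf=128 (the howto's setting)
    # and minssf=70 (the suggested replacement), both over ldapi://.
    for min_ssf in (128, 70, 100):
        print(f"ldapi:// (SSF {LDAPI_SSF}), minssf={min_ssf}:",
              compare(LDAPI_SSF, min_ssf),
              "differ:", disagreements(LDAPI_SSF, min_ssf))
    # Plain TCP with no transport protection for contrast.
    print("tcp (SSF 0), minssf=70:", compare(0, 70))
```

With the assumed table, minssf=128 over ldapi:// leaves only the 128-SSF mechanism under either rule (EXTERNAL, at 0+71, is excluded, which is the failure the howto worked around), and minssf=70 admits everything, EXTERNAL included. The rules part company at an intermediate policy such as minssf=100: the sum rule credits the 56-SSF mechanism with the transport's 71 and offers it, while the max rule withholds it because no single layer reaches 100.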