On Thu, 18 Feb 2016 22:20:16 -0700, Joshua Schaeffer <[email protected]> wrote:

> On 02/18/2016 03:19 AM, Dieter Klünter wrote:
> > On Wed, 17 Feb 2016 20:25:56 -0700, Joshua Schaeffer <[email protected]> wrote:
> >
> >> What is the proper way to set up SASL and TLS with different
> >> security strength factors? I've set up SASL on my OpenLDAP server
> >> so that it can connect to my Kerberos server using GSSAPI. I also
> >> have TLS set up for simple auth. My database config is below:
> > [...]
> >> olcSecurity: sasl=56 simple_bind=256 ssf=256
> >
> > ssf=x specifies the overall security; a value of '1' enables security.
> > This setting would meet your requirements:
> > olcSecurity: ssf=1 sasl=56 tls=256
> >
> >
> > -Dieter
> >
>
> I updated olcSecurity and now I get the following when using simple
> auth:
>
> root@immortal:/var/log/kerberos# ldapsearch -LLL -x -D cn=admin,dc=harmonywave,dc=com -W -H ldap://baneling.harmonywave.com/????starttls -b dc=harmonywave,dc=com
> Enter LDAP Password:
> ldap_bind: Confidentiality required (13)
>         additional info: SASL confidentiality required
>
> I see this in the logs:
>
> Feb 18 22:19:04 baneling slapd[22171]: conn=1005 fd=15 ACCEPT from IP=10.1.10.12:55750 (IP=0.0.0.0:389)
> Feb 18 22:19:04 baneling slapd[22171]: conn=1005 op=0 EXT oid=1.3.6.1.4.1.1466.20037
> Feb 18 22:19:04 baneling slapd[22171]: conn=1005 op=0 STARTTLS
> Feb 18 22:19:04 baneling slapd[22171]: conn=1005 op=0 RESULT oid= err=0 text=
> Feb 18 22:19:04 baneling slapd[22171]: conn=1005 fd=15 TLS established tls_ssf=256 ssf=256
[...]

You still have an overall security of ssf=256, and it seems your TLS session used a key length lower than 256 bit; check your TLS configuration.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
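Added example, not part of the thread above and not OpenLDAP's own code: a small model of how the olcSecurity factors are compared against the security strength factors a connection has actually negotiated, so you can reason about an olcSecurity line before reloading slapd. The comparison rules are my reading of the `security` directive in slapd.conf(5) (every factor is a minimum; `ssf`, `transport`, `tls` and `sasl` are checked on every operation, `update_*` on writes, `simple_bind` only on a simple bind with a password) and the error texts are modelled on slapd's; treat both as assumptions. The log lines are constructed to match the format quoted in the thread; the GSSAPI connection (conn=1006, uid=user1) and the third policy are made up for the demonstration.

```python
"""Model olcSecurity factor checks against negotiated SSFs from slapd logs.

Assumption: slapd treats each factor as a minimum the connection must meet,
checking ssf/transport/tls/sasl on every operation, update_* on writes and
simple_bind only on password binds.  Error texts mimic slapd's wording.
"""
import re

FACTORS = ("ssf", "transport", "tls", "sasl",
           "update_ssf", "update_transport", "update_tls", "update_sasl",
           "simple_bind")

# "TLS established" and SASL BIND lines carry the negotiated layer strengths.
TLS_RE = re.compile(r"conn=(\d+) fd=\d+ TLS established tls_ssf=(\d+) ssf=(\d+)")
SASL_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="[^"]*" mech=(\S+) sasl_ssf=(\d+) ssf=(\d+)')

# Constructed sample log: conn=1005 follows the thread's StartTLS + simple bind,
# conn=1006 is a made-up GSSAPI bind with a 56-bit SASL layer and no TLS.
SAMPLE_LOG = """\
Feb 18 22:19:04 baneling slapd[22171]: conn=1005 fd=15 ACCEPT from IP=10.1.10.12:55750 (IP=0.0.0.0:389)
Feb 18 22:19:04 baneling slapd[22171]: conn=1005 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Feb 18 22:19:04 baneling slapd[22171]: conn=1005 op=0 STARTTLS
Feb 18 22:19:04 baneling slapd[22171]: conn=1005 op=0 RESULT oid= err=0 text=
Feb 18 22:19:04 baneling slapd[22171]: conn=1005 fd=15 TLS established tls_ssf=256 ssf=256
Feb 18 22:19:05 baneling slapd[22171]: conn=1006 fd=16 ACCEPT from IP=10.1.10.12:55751 (IP=0.0.0.0:389)
Feb 18 22:19:05 baneling slapd[22171]: conn=1006 op=0 BIND dn="" method=163
Feb 18 22:19:05 baneling slapd[22171]: conn=1006 op=0 BIND dn="uid=user1,ou=people,dc=harmonywave,dc=com" mech=GSSAPI sasl_ssf=56 ssf=56
"""


def parse_security(directive):
    """Turn 'olcSecurity: ssf=1 sasl=56 tls=256' into {factor: minimum}."""
    _, _, value = directive.partition(":")
    policy = {}
    for token in value.split():
        name, eq, num = token.partition("=")
        if name not in FACTORS or not eq or not num.isdigit():
            raise ValueError(f"unknown or malformed security factor: {token!r}")
        policy[name] = int(num)
    return policy


def _fresh():
    # A plain connection starts with no protection on any layer.
    return {"ssf": 0, "transport_ssf": 0, "tls_ssf": 0, "sasl_ssf": 0, "mech": None}


def parse_connections(log):
    """Collect per-connection negotiated SSFs from slapd log lines."""
    conns = {}
    for line in log.splitlines():
        m = TLS_RE.search(line)
        if m:
            c = conns.setdefault(m.group(1), _fresh())
            c["tls_ssf"], c["ssf"] = int(m.group(2)), int(m.group(3))
            continue
        m = SASL_RE.search(line)
        if m:
            c = conns.setdefault(m.group(1), _fresh())
            c["mech"] = m.group(2)
            c["sasl_ssf"], c["ssf"] = int(m.group(3)), int(m.group(4))
    return conns


def check_operation(policy, conn, simple_bind=False, update=False):
    """Return the first unmet factor as a slapd-style error text, or None."""
    checks = [
        ("ssf", conn["ssf"], "confidentiality required"),
        ("transport", conn["transport_ssf"], "transport confidentiality required"),
        ("tls", conn["tls_ssf"], "TLS confidentiality required"),
        ("sasl", conn["sasl_ssf"], "SASL confidentiality required"),
    ]
    if update:
        checks += [
            ("update_ssf", conn["ssf"], "update confidentiality required"),
            ("update_transport", conn["transport_ssf"], "transport update confidentiality required"),
            ("update_tls", conn["tls_ssf"], "TLS update confidentiality required"),
            ("update_sasl", conn["sasl_ssf"], "SASL update confidentiality required"),
        ]
    if simple_bind:
        # simple_bind= is compared against the overall ssf of the connection.
        checks.append(("simple_bind", conn["ssf"], "confidentiality required"))
    for factor, actual, text in checks:
        required = policy.get(factor, 0)
        if actual < required:
            return f"{text} (need {factor}>={required}, have {actual})"
    return None


if __name__ == "__main__":
    conns = parse_connections(SAMPLE_LOG)
    for line in ("olcSecurity: sasl=56 simple_bind=256 ssf=256",   # first policy in the thread
                 "olcSecurity: ssf=1 sasl=56 tls=256",             # second policy in the thread
                 "olcSecurity: ssf=56 simple_bind=256"):           # constructed alternative
        policy = parse_security(line)
        print(line)
        print("  simple bind over StartTLS (conn=1005):",
              check_operation(policy, conns["1005"], simple_bind=True) or "ok")
        print("  GSSAPI bind, no TLS      (conn=1006):",
              check_operation(policy, conns["1006"]) or "ok")
```

Under this model, the simple bind on the StartTLS connection fails both of the thread's policies with "SASL confidentiality required": the connection has tls_ssf=256 but no SASL layer at all, so sasl_ssf is 0 and the `sasl=56` minimum is never met, regardless of the TLS key length. The constructed third policy keeps the 56-bit floor as the overall `ssf` and reserves the 256-bit requirement for `simple_bind`, so the GSSAPI session and the password bind over TLS both pass.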
