With ITS #8568 [1], I notice that the first SASL EXTERNAL (using TLS
client auth) bind on a connection succeeds, but subsequent SASL
EXTERNAL binds on the same connection fail with:

slapd[31088]: conn=1009 op=3 RESULT tag=97 err=48 text=SASL(-15):
mechanism too weak for this user: mech EXTERNAL is too weak

when:

sasl-secprops minssf=128

In previous OpenLDAP versions, both the initial and subsequent SASL
EXTERNAL binds succeed due to the bug in #8568.

This was a misconfiguration on my part (I should have kept the default
of 0), but I wonder if the initial SASL bind should also fail. It
seems to succeed because tls_ssf is used in connection.c:

slap_sasl_external( c, c->c_tls_ssf, &authid );


[1] http://www.openldap.org/its/index.cgi/Software%20Bugs?id=8568;selectid=8568
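Added example (not part of the ITS report or of OpenLDAP): a small model of the strength check that produces the err=48 / SASL(-15) result above, plus a triage pass over slapd RESULT lines. It assumes the Cyrus SASL rule that the externally supplied SSF is credited against minssf before the mechanism's own max_ssf is compared, and that EXTERNAL offers max_ssf 0 of its own; the log lines are constructed, and all function names are hypothetical.

```python
"""Model of the SASL minssf check behind slapd's err=48 / SASL(-15) result,
plus a per-connection triage of bind RESULT lines from a constructed log."""
import re
from collections import defaultdict

LDAP_INAPPROPRIATE_AUTH = 48   # err=48 in the slapd RESULT line
EXTERNAL_MAX_SSF = 0           # assumption: EXTERNAL adds no protection layer itself

def external_bind_allowed(minssf, external_ssf, mech_max_ssf=EXTERNAL_MAX_SSF):
    """Return True when the mechanism satisfies sasl-secprops minssf.
    The externally reported strength (the TLS SSF slapd hands over via
    slap_sasl_external) is credited first; any remainder must come from the
    mechanism itself.  This mirrors the Cyrus SASL rule as understood by the
    author of this example (assumption, not quoted from libsasl)."""
    remaining = max(minssf - external_ssf, 0)
    return mech_max_ssf >= remaining

# Bind responses only: tag=97 is the LDAP BindResponse.
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)(?: text=(.*))?$")

def find_mixed_external_binds(lines):
    """Group bind RESULTs per connection and report connections where a bind
    succeeded (err=0) and a later bind on the same connection failed with
    err=48 and the 'mech EXTERNAL is too weak' text, i.e. the pattern the
    report describes.  Returns {conn: [failing op numbers]}."""
    per_conn = defaultdict(list)
    for line in lines:
        m = RESULT_RE.search(line)
        if not m:
            continue
        conn, op, err, text = int(m[1]), int(m[2]), int(m[3]), m[4] or ""
        per_conn[conn].append((op, err, text))
    flagged = {}
    for conn, ops in per_conn.items():
        ops.sort()
        first_ok = next((op for op, err, _ in ops if err == 0), None)
        weak = [op for op, err, text in ops
                if err == LDAP_INAPPROPRIATE_AUTH
                and "EXTERNAL is too weak" in text
                and first_ok is not None and op > first_ok]
        if weak:
            flagged[conn] = weak
    return flagged

# Constructed sample log: conn=1009 shows the reported first-success/then-fail pattern.
SAMPLE_LOG = """\
slapd[31088]: conn=1009 op=0 BIND dn="" method=163
slapd[31088]: conn=1009 op=0 RESULT tag=97 err=0 text=
slapd[31088]: conn=1009 op=3 RESULT tag=97 err=48 text=SASL(-15): mechanism too weak for this user: mech EXTERNAL is too weak
slapd[31088]: conn=1010 op=0 RESULT tag=97 err=0 text=
""".splitlines()

if __name__ == "__main__":
    print(external_bind_allowed(128, 256), external_bind_allowed(128, 0))  # True False
    print(find_mixed_external_binds(SAMPLE_LOG))                             # {1009: [3]}
```

With minssf=128 the model only admits EXTERNAL while a TLS SSF is credited, which is why the default minssf of 0 is what makes repeated EXTERNAL binds consistent.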
