--On Tuesday, February 22, 2011 04:42:23 PM +0100 Natalia <[email protected]> 
wrote:

Hi,

Is there anything new on this question?
I only want to know whether there is hope of solving the problem.

The issue is not with ApacheDS but with the underlying SASL/Kerberos
libraries.  It is my understanding that the actual ssf that was
negotiated by SASL is not reported back to the directory server.  The
value 56 will be reported back to the directory server in all cases.
Note that this issue is not restricted to Apache DS.  What this means
in practical terms is that you cannot enforce the use of strong
ciphers with the sasl_ssf.  You can only enforce that encryption is
used.  This tends to not be an issue for Kerberos because strong
ciphers can be enforced by the KDC.

Bill


Thank you in advance for your answer

Best regards,

Natalia

2011/2/16 Natalia <[email protected]>

Hi,

I use GSSAPI (Kerberos) with "Authentication with integrity and privacy
protection". In the logs it looks like this:

BIND dn="<my dn>" mech=GSSAPI sasl_ssf=56 ssf=56

It is the same with Apache DS and ldapsearch.

Best regards,

Natalia


2011/2/15 Pierre-Arnaud Marcelot <[email protected]>

Hi Natalia,

What kind of Quality of Protection (QOP) are you using for the connection?

Regards,
Pierre-Arnaud
On Tuesday 15 February 2011 at 13:48, Natalia wrote:
> Hi,
>
> I use Apache Directory Studio. For the connection to the LDAP
> server I have chosen the encryption method SSL. But in the log file of LDAP I see:
> TLS established tls_ssf=128 ssf=128
>
> Instead of:
> TLS established tls_ssf=256 ssf=256
> which is what I get after connecting with GQ (another LDAP browser) or
> ldapsearch -H "ldaps://...
>
> I have tried with StartTLS; the result is always the same. What can I do to
> bind with tls_ssf=256 to LDAP? It is required by the existing ACLs.
>
> Thank you in advance for your help
>
> Kind regards,
>
> Natalia
>




--

Bill MacAllister
Infrastructure Delivery Group, Stanford University
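
Added example, not part of the original thread or of any project's code: a small audit of server log lines in the two formats quoted above, which flags TLS sessions below the 256 the ACLs require and treats a GSSAPI sasl_ssf=56 as "encrypted, strength not visible here", as the reply explains. The function names, the conn=/fd=/op= prefixes and the sample lines are constructed; reading SSF 0 as no protection and SSF 1 as integrity only follows the OpenLDAP convention and is an assumption about the server in use.

```python
import re

# key=value fields as they appear in the log lines quoted in this thread
FIELD = re.compile(r'\b(mech|sasl_ssf|tls_ssf)=(\S+)')

def classify(line, min_tls_ssf=256):
    """Return a label for one log line, or None if it carries no SSF field."""
    f = dict(FIELD.findall(line))
    if "tls_ssf" in f:
        # TLS reports the real cipher strength, so it can be compared to policy.
        return "tls_ok" if int(f["tls_ssf"]) >= min_tls_ssf else "tls_below_policy"
    if "sasl_ssf" in f:
        sasl = int(f["sasl_ssf"])
        if sasl == 0:
            return "sasl_no_protection"
        if sasl == 1:
            return "sasl_integrity_only"
        if f.get("mech") == "GSSAPI" and sasl == 56:
            # Per the reply above: 56 is reported in all cases, so it only
            # shows that encryption is on; cipher strength is set at the KDC.
            return "sasl_encrypted_strength_unknown"
        return "sasl_encrypted"
    return None

def audit(lines, min_tls_ssf=256):
    """Return (line_number, label) for every line that needs attention."""
    findings = []
    for n, line in enumerate(lines, 1):
        label = classify(line, min_tls_ssf)
        if label not in (None, "tls_ok", "sasl_encrypted"):
            findings.append((n, label))
    return findings

# Constructed sample lines modelled on the snippets quoted in the thread.
SAMPLE = [
    'conn=1001 fd=14 TLS established tls_ssf=128 ssf=128',
    'conn=1002 fd=15 TLS established tls_ssf=256 ssf=256',
    'conn=1003 op=0 BIND dn="uid=example,dc=example,dc=org" mech=GSSAPI sasl_ssf=56 ssf=56',
    'conn=1004 op=0 BIND dn="uid=example,dc=example,dc=org" mech=GSSAPI sasl_ssf=1 ssf=1',
]

if __name__ == "__main__":
    for n, label in audit(SAMPLE):
        print(n, label)
```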
