directory-users mailing list archives

From Bill MacAllister <...@stanford.edu>
Subject Re: [Studio] SSL (ldaps) connection only with tls_ssf=128 instead of 256
Date Tue, 01 Mar 2011 15:57:26 GMT


--On Tuesday, February 22, 2011 04:42:23 PM +0100 Natalia <nata.cs2@gmail.com> wrote:

> Hi,
>
> Is there anything new on this question yet?
> I only want to know whether there is hope of solving the problem.

The issue is not with ApacheDS but with the underlying SASL/Kerberos
libraries.  It is my understanding that the actual ssf that was
negotiated by SASL is not reported back to the directory server.  The
value 56 will be reported back to the directory server in all cases.
Note that this issue is not restricted to Apache DS.  What this means
in practical terms is that you cannot enforce the use of strong
ciphers with the sasl_ssf.  You can only enforce that encryption is
used.  This tends to not be an issue for Kerberos because strong
ciphers can be enforced by the KDC.

Bill


> Thank you in advance for your answer
>
> Best regards,
>
> Natalia
>
> 2011/2/16 Natalia <nata.cs2@gmail.com>
>
>> Hi,
>>
>> I use GSSAPI (Kerberos) with "Authentication with integrity and privacy
>> protection". In the logs it looks like:
>>
>> BIND dn="<my dn>" mech=GSSAPI sasl_ssf=56 ssf=56
>>
>> It is the same with Apache DS and ldapsearch.
>>
>> Best regards,
>>
>> Natalia
>>
>>
>> 2011/2/15 Pierre-Arnaud Marcelot <pa@marcelot.net>
>>
>>> Hi Natalia,
>>>
>>> What kind of Quality of Protection (QOP) are you using for the connection?
>>>
>>> Regards,
>>> Pierre-Arnaud
>>> On Tuesday, 15 February 2011 at 13:48, Natalia wrote:
>>> > Hi,
>>> >
>>> > I use Apache Directory Studio. I have selected the encryption method
>>> > SSL for the connection to the LDAP server. But in the log file of LDAP I see:
>>> > TLS established tls_ssf=128 ssf=128
>>> >
>>> > Instead of:
>>> > TLS established tls_ssf=256 ssf=256
>>> > which I get after the connection with GQ (another LDAP browser) or
>>> > ldapsearch -H "ldaps://...
>>> >
>>> > I have tried with StartTLS - the result is always the same. What can I do
>>> > to bind with tls_ssf=256 to LDAP? It is necessary because of the existing ACLs.
>>> >
>>> > Thank you in advance for your help
>>> >
>>> > Kind regards,
>>> >
>>> > Natalia
>>> >
>>>
>>
>>

-- 

Bill MacAllister
Infrastructure Delivery Group, Stanford University
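The following script is an added example and is not code from anyone in this thread or from the ApacheDS project. It parses slapd-style log lines of the two shapes quoted above ("TLS established tls_ssf=... ssf=..." and "BIND dn=... mech=GSSAPI sasl_ssf=56 ssf=56") and applies a policy check that reflects Bill's point: a tls_ssf value can be compared against a required strength (Natalia's ACLs want 256), but a GSSAPI sasl_ssf of 56 is a fixed report and only proves that a confidentiality layer is in use, so cipher strength has to be enforced at the KDC rather than from this value. The sample log lines are constructed; the conn= prefixes, the second TLS line, the DNs and the SIMPLE bind are assumptions, not taken from the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample log lines modelled on the two line shapes quoted in the
# thread. The conn= prefixes, the 256-bit TLS line, the DNs and the SIMPLE
# bind are assumptions added for the example.
SAMPLE_LOG = """\
conn=1001 fd=12 TLS established tls_ssf=128 ssf=128
conn=1002 fd=13 TLS established tls_ssf=256 ssf=256
conn=1003 op=0 BIND dn="uid=natalia,dc=example,dc=org" mech=GSSAPI sasl_ssf=56 ssf=56
conn=1004 op=0 BIND dn="uid=alice,dc=example,dc=org" mech=SIMPLE ssf=0
"""

CONN_RE = re.compile(r"conn=(\d+)")
TLS_RE = re.compile(r"TLS established tls_ssf=(\d+) ssf=(\d+)")
BIND_RE = re.compile(r'BIND dn="([^"]*)" mech=(\S+)(?: sasl_ssf=(\d+))? ssf=(\d+)')

# Value the SASL layer reports for GSSAPI regardless of the negotiated cipher,
# as described in Bill's reply.
FIXED_GSSAPI_SSF = 56


@dataclass
class SsfEvent:
    conn: Optional[int]
    kind: str                 # "tls" or "bind"
    mech: Optional[str]       # SASL mechanism for binds, None for TLS lines
    layer_ssf: Optional[int]  # tls_ssf or sasl_ssf as reported by the server
    ssf: int                  # effective ssf the server logged


def parse_line(line: str) -> Optional[SsfEvent]:
    """Extract the ssf-bearing fields from one log line, or None if irrelevant."""
    conn = CONN_RE.search(line)
    conn_id = int(conn.group(1)) if conn else None
    m = TLS_RE.search(line)
    if m:
        return SsfEvent(conn_id, "tls", None, int(m.group(1)), int(m.group(2)))
    m = BIND_RE.search(line)
    if m:
        sasl_ssf = int(m.group(3)) if m.group(3) else None
        return SsfEvent(conn_id, "bind", m.group(2), sasl_ssf, int(m.group(4)))
    return None


def evaluate(event: SsfEvent, min_tls_ssf: int = 256) -> Tuple[str, str]:
    """Return (verdict, reason) for one event.

    TLS lines carry a meaningful strength value and are compared against the
    required minimum.  GSSAPI binds always report sasl_ssf=56, so the value can
    only confirm that encryption is on; strength is the KDC's job.
    """
    if event.kind == "tls":
        if event.layer_ssf is None or event.layer_ssf < min_tls_ssf:
            return ("deny", f"tls_ssf={event.layer_ssf} is below required {min_tls_ssf}")
        return ("allow", f"tls_ssf={event.layer_ssf} meets policy")
    if event.ssf == 0:
        return ("deny", "bind without a confidentiality layer")
    if event.mech == "GSSAPI" and event.layer_ssf == FIXED_GSSAPI_SSF:
        return ("allow-unverified",
                "GSSAPI reports a fixed sasl_ssf=56; enforce cipher strength at the KDC")
    return ("allow", f"ssf={event.ssf} confidentiality layer present")


def audit(log_text: str, min_tls_ssf: int = 256) -> List[Tuple[Optional[int], str, str]]:
    """Run every parseable line through the policy and return (conn, verdict, reason)."""
    results = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is not None:
            verdict, reason = evaluate(event, min_tls_ssf)
            results.append((event.conn, verdict, reason))
    return results


if __name__ == "__main__":
    for conn, verdict, reason in audit(SAMPLE_LOG):
        print(f"conn={conn}: {verdict} ({reason})")
```

The "allow-unverified" verdict is the practical consequence of the thread: a review of the bind log cannot tell a strong Kerberos session from a weak one, so the audit records that the decision was delegated to the KDC's enctype policy instead of silently treating 56 as a measured strength.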

