Kerberos/LDAP/SASL central authentication server howto

Markus Moeller huaraz at moeller.plus.com
Tue Aug 10 06:05:11 EDT 2004


Nikola,  
  
If you look athe the slapd.conf help you find:  
 
sasl-secprops <properties> 
              Used to specify  Cyrus  SASL  security  properties.  
              The  none  flag  (without  any  other  properities)  
              causes     the     flag     properites     default,  
              "noanonymous,noplain",  to be cleared.  The noplain  
              flag  disables  mechanisms  susceptible  to  simple  
              passive   attacks.    The  noactive  flag  disables  
              mechanisms  susceptible  to  active  attacks.   The  
              nodict  flag  disables  mechanisms  susceptible  to  
              passive dictionary attacks.   The  noanonyous  flag  
              disables  mechanisms which support anonymous login.  
              The forwardsec flag require forward secrecy between  
              sessions.   The  passcred  require mechanisms which  
              pass client credentials (and allow mechanisms which  
              acceptable  security  strength factor as an integer  
              approximate  to  effective  key  length  used   for  
              encryption.   0  (zero)  implies  no  protection, 1  
              implies integrity protection only, 56 allows DES or  
              other weak ciphers, 112 allows triple DES and other  
              strong ciphers, 128 allows RC4, Blowfish and  other  
              modern  strong  ciphers.   The  default  is 0.  The  
              maxssf=<factor>  property  specifies  the   maximum  
              acceptable  security  strength factor as an integer  
              (see minssf description).  The default is  INT_MAX.  
              The   maxbufsize=<size>   property   specifies  the  
              maximum security layer receive buffer size allowed.  
              0  disables security layers.  The default is 65536.  
  
I tried to use the -O minssf=128 with ldapsearch against AD, but get a failure although I use the latest heimdal library which supports 
rc4-hmac. I can see that I have an arcfour-hmac-md5 ticket for the ldap/server principal and would assume that rc4-hmace allows the 
higher encryption. 
 
Any ideas why not ? 
 
Thanks 
Markus 
 
  
  
  
On Tue, 10 Aug 2004 10:54 , Nikola Milutinovic <Nikola.Milutinovic at ev.co.yu> sent:  
  
>This is a cross-post to Cyrus INFO list. The question raised here is   
>whether GSS-API and *-MD5 SASL mechanisms secure the entire   
>communication, not just the authentication phase, thus making SSL/TLS   
>unnecessary.  
>  
>Tarjei Huse wrote:  
>  
>>>>?? I didn't know , sorry. Please tell me more on how I can use GSSAPI instead of  
>>>>tls to secure not only authentication but everything that happens over the  
>>>>wire.  
>>>  
>>>It really depends on the client tool. Not only does GSSAPI provide this, DIGEST-MD5  
>>>also.  
>  
>Never heard of this. I was always under the impression that both GSS-API   
>and *-MD5 methods secured only the authentication, not the entire   
>channel data transfer.  
>  
>>>Examples of such tools that I'm 100% aware of are ldapsearch and mutt when doing SASL  
>>>authentication.  
>>>  
>>>With ldapsearch, for example:  
>>>$ ldapsearch -h ldap.server | head -5  
>>>SASL/GSSAPI authentication started  
>>>SASL username: andreas at DISTRO.CONECTIVA  
>>>SASL SSF: 56    
>  
>No. It simply means that authentication type is of SSF (Security   
>Strength Factor) 56. I'm not sure if the SSF has anything to do with   
>number of bits used as (some) private key length. Anyway, this is saying   
>nothing about the rest of the communication, just the authentication part.  
>  
>>>SASL installing layers  
>>>(...)  
>>>  
>>>With digest-md5:  
>>>$ ldapsearch -h ldap.server -Y digest-md5 | head -5  
>>>SASL/DIGEST-MD5 authentication started  
>>>Please enter your password:  
>>>SASL username: andreas  
>>>SASL SSF: 128    
>  
>Again, just the auth phase is covered here.  
>  
>I'm crossposting to the SASL mailing list in hopes someone can shed some   
>light on the matter.  
>  
>Nix.  
--   
Markus Moeller <huaraz at moeller.plus.com>  




More information about the Info-cyrus mailing list