[Fedora-directory-users] sasl encryption not supported over ssl error

Howard Chu hyc at symas.com
Tue Feb 13 17:44:16 UTC 2007


> Date: Mon, 12 Feb 2007 11:17:10 -0700
> From: David Boreham <david_list at boreham.org>

>> Yu Joe wrote:
>> > Dear all
>> >
>> > I tried to make my FDS work with SASL (DIGEST-MD5) + SSL. I get the
>> > correct result with "ldapsearch -Y digest-md5 -U sasl1 ..." or
>> > "ldapsearch -x -D 'cn=Directory Manager' -W -H
>> > ldaps://rhds.example.com ...".
>> > But I get the error message "sasl encryption not supported over ssl"
>> > when I execute a command like "ldapsearch -Y digest-md5 -U sasl1 -H
>> > ldaps://rhds.example.com ...". Some of my friends tell me this works
>> > on OpenLDAP, so I suppose it must also work on FDS. Is that right? If
>> > so, what is the probable reason for this error? Or is it really just
>> > not supported? Please help, thanks a lot.
> 
> No, it really doesn't work. But why are you wanting both SSL and SASL 
> privacy ?

Always an interesting question but yes, for the record, it works fine in 
OpenLDAP.

> For the curious, the way the SSL I/O is layered in the server is not
> compatible with the implementation of SASL encryption (they're both
> trying to layer at the same place in the I/O stack). With sufficient
> motivation I suspect that SASL over SSL could be done, but the question
> is why would anyone want to do that..

The OpenLDAP implementation allows an arbitrary number of encoders/parsers to 
be layered on the I/O stack.
http://www.openldap.org/devel/cvsweb.cgi/doc/man/man3/lber-sockbuf.3
As Pete Rowley would say, it's always better to have the choice available to 
you. You never know what future requirements may come along, after all, and 
some people may decide that triple-DES or AES by itself isn't strong enough 
(paranoid enough?).

> Perhaps all you need to do is to turn off SASL payload encryption. SASL
> authentication with an SSL connection should work ok.

-- 
   -- Howard Chu
   Chief Architect, Symas Corp.  http://www.symas.com
   Director, Highland Sun        http://highlandsun.com/hyc
   Chief Architect, OpenLDAP     http://www.openldap.org/project/
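To make the layering point in this thread concrete, here is an added example, written for this page and not code from OpenLDAP's liblber, from FDS, or from either author above. It models an I/O stack in which any number of encoder/decoder layers can be stacked in level order, so that a SASL privacy layer sits above a TLS layer and each one's decoder runs in the reverse order of its encoder. The layer names, the level numbers, and the two transforms (a 2-byte length-prefix framing stand-in for TLS records and a byte XOR stand-in for SASL privacy, which is not encryption and only shows the shape of the data path) are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_LAYERS 8
#define CAP 256

struct layer;
typedef int (*xform_fn)(const struct layer *l, unsigned char *buf, int len, int cap);

typedef struct layer {
    const char *name;
    int level;           /* assumed: higher = nearer the application, lower = nearer the socket */
    xform_fn encode;     /* write path: application side -> socket side */
    xform_fn decode;     /* read path: socket side -> application side */
    unsigned char key;   /* used by the XOR privacy stand-in only */
} layer_t;

typedef struct {
    layer_t layers[MAX_LAYERS];   /* sorted by level, highest (outermost) first */
    int n;
} iostack_t;

/* Insert a layer in level order. Equal levels are allowed: a later insert at
 * the same level goes just below the earlier one, so two privacy layers stack. */
static int stack_add(iostack_t *s, layer_t l)
{
    int i;
    if (s->n >= MAX_LAYERS) return -1;
    for (i = s->n; i > 0 && s->layers[i - 1].level < l.level; i--)
        s->layers[i] = s->layers[i - 1];
    s->layers[i] = l;
    s->n++;
    return 0;
}

/* On write every encoder runs, outermost first; on read the decoders run in reverse. */
static int stack_write(const iostack_t *s, unsigned char *buf, int len, int cap)
{
    for (int i = 0; i < s->n && len >= 0; i++)
        len = s->layers[i].encode(&s->layers[i], buf, len, cap);
    return len;
}

static int stack_read(const iostack_t *s, unsigned char *buf, int len, int cap)
{
    for (int i = s->n - 1; i >= 0 && len >= 0; i--)
        len = s->layers[i].decode(&s->layers[i], buf, len, cap);
    return len;
}

/* Privacy stand-in: XOR with a per-layer key (not encryption, shape only). */
static int xor_xform(const layer_t *l, unsigned char *buf, int len, int cap)
{
    (void)cap;
    for (int i = 0; i < len; i++) buf[i] ^= l->key;
    return len;
}

/* Record stand-in: prepend a 2-byte big-endian length; reject bad records on read. */
static int frame_encode(const layer_t *l, unsigned char *buf, int len, int cap)
{
    (void)l;
    if (len < 0 || len > 0xffff || len + 2 > cap) return -1;
    memmove(buf + 2, buf, (size_t)len);
    buf[0] = (unsigned char)(len >> 8);
    buf[1] = (unsigned char)(len & 0xff);
    return len + 2;
}

static int frame_decode(const layer_t *l, unsigned char *buf, int len, int cap)
{
    (void)l; (void)cap;
    if (len < 2) return -1;
    int body = (buf[0] << 8) | buf[1];
    if (body != len - 2) return -1;       /* truncated or trailing bytes: drop the record */
    memmove(buf, buf + 2, (size_t)body);
    return body;
}

static layer_t privacy_layer(const char *name, int level, unsigned char key)
{
    layer_t l = { name, level, xor_xform, xor_xform, key };
    return l;
}

static layer_t framing_layer(const char *name, int level)
{
    layer_t l = { name, level, frame_encode, frame_decode, 0 };
    return l;
}

/* Push msg down the stack and back up; returns the wire length, or -1 if a
 * layer rejected the data or the plaintext did not survive the round trip. */
static int roundtrip(const iostack_t *s, const char *msg)
{
    unsigned char buf[CAP];
    int len = (int)strlen(msg);
    if (len >= CAP) return -1;
    memcpy(buf, msg, (size_t)len);
    int wire = stack_write(s, buf, len, CAP);
    if (wire < 0) return -1;
    int back = stack_read(s, buf, wire, CAP);
    return (back == len && memcmp(buf, msg, (size_t)len) == 0) ? wire : -1;
}

/* The thread's case: a SASL privacy layer (application level) over TLS (transport
 * level); with extra_privacy_layer set, a second privacy layer at the same level. */
static int wire_len_sasl_over_tls(const char *msg, int extra_privacy_layer)
{
    iostack_t s = { .n = 0 };
    if (stack_add(&s, framing_layer("tls-record", 10)) < 0) return -1;
    if (stack_add(&s, privacy_layer("sasl-privacy", 20, 0x5a)) < 0) return -1;
    if (extra_privacy_layer && stack_add(&s, privacy_layer("sasl-privacy-2", 20, 0xa5)) < 0)
        return -1;
    return roundtrip(&s, msg);
}

int main(void)
{
    printf("'hello' over sasl+tls: %d wire bytes\n", wire_len_sasl_over_tls("hello", 0));
    printf("'hello' over sasl+sasl+tls: %d wire bytes\n", wire_len_sasl_over_tls("hello", 1));
    return 0;
}
```

The order in which layers are added does not matter; the level decides where each one lands, and a second layer at an already occupied level simply stacks beneath the first instead of being refused, which is the flexibility the message above describes. The framing decoder also shows the check a real record layer must make before handing data upward: a length field that disagrees with what arrived is rejected rather than passed through.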