[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [Fedora-directory-users] sasl encryption not supported over ssl error



Date: Mon, 12 Feb 2007 11:17:10 -0700
> From: David Boreham <david_list boreham org>

>>Yu Joe wrote:
> Dear all
>
> I tried to make my FDS work with sasl(digest-md5)+SSL. I can get > correct result by "ldapsearch -Y digest-md5 -U sasl1 ..." or > "ldapsearch -x -D 'cn=Directory Manager' -W -H > ldaps://rhds.example.com...". > But I got the error message such as "*sasl encryption not supported > over ssl"*, when I execute command like "ldapsearch -Y digest-md5 -U > sasl1 -H ldaps://rhds.example.com ...". Some of my friends tell me > this works on openldap. So I suggest it must be also working on FDS. > Is that right? If so, what's the probably reason causes this error? Or > it just really don't support? Please helps, thanks a lot.

No, it really doesn't work. But why are you wanting both SSL and SASL privacy ?

Always an interesting question but yes, for the record, it works fine in OpenLDAP.

For the curious, the way the SSL I/O is layered in the server is not compatible with the implementation of SASL encryption (they're both trying to layer at the same place in the I/O stack). With sufficient motivation I suspect that SASL over SSL could be done,
but the question is why would anyone want to do that..

The OpenLDAP implementation allows an arbitrary number of encoders/parsers to be layered on the I/O stack.
http://www.openldap.org/devel/cvsweb.cgi/doc/man/man3/lber-sockbuf.3
As Pete Rowley would say, it's always better to have the choice available to you. You never know what future requirements may come along, after all, and some people may decide that triple-DES or AES by itself isn't strong enough (paranoid enough?).

Perhaps all you need to do is to turn off SASL payload encryption. SASL authentication
with an SSL connection should work ok.

--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  Chief Architect, OpenLDAP     http://www.openldap.org/project/


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]