Bug 35513 - AD Member Mode: add sasl_secprops_maxssf=... to ldap.conf for sasl authentication with AD
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: LDAP
Version: UCS 3.2
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 3.2-2-errata
Assigned To: Felix Botner
QA Contact: Arvid Requate
Blocks: 34091
Reported: 2014-07-29 15:26 CEST by Felix Botner
Modified: 2014-08-07 17:49 CEST
Description Felix Botner univentionstaff 2014-07-29 15:26:33 CEST
We need to set sasl_secprops_maxssf=128 to successfully bind to an AD with kerberos/sasl.
Comment 1 Felix Botner univentionstaff 2014-07-29 16:01:11 CEST
branch 3.2-2 and 3.2-3

* added ldap/sasl/secprops/maxssf to univention-ldap

* in univention-lib/python/admember.py added set 
  ldap/sasl/secprops/maxssf=128 in enable_ssl and
  unset ldap/sasl/secprops/maxssf in disable_ssl

YAML: 2014-07-29-univention-ldap.yaml
Comment 2 Arvid Requate univentionstaff 2014-07-30 19:00:15 CEST
Works.

root@master71:~# python -c 'import univention.lib.admember as ad; ad.enable_ssl()'
Setting connector/ad/ldap/ssl
Setting ldap/sasl/secprops/maxssf
File: /etc/ldap/ldap.conf
root@master71:~# grep maxssf /etc/ldap/ldap.conf
sasl_secprops_maxssf=128

root@master71:~# python -c 'import univention.lib.admember as ad; ad.disable_ssl()'
Setting connector/ad/ldap/ssl
Unsetting ldap/sasl/secprops/maxssf
File: /etc/ldap/ldap.conf
root@master71:~# grep maxssf /etc/ldap/ldap.conf || echo gone
gone

Advisory: OK
Comment 3 Janek Walkenhorst univentionstaff 2014-08-07 17:49:55 CEST
http://errata.univention.de/ucs/3.2/176.html