Bug 35513

Summary: AD Member Mode: add sasl_secprops_maxssf=... to ldap.conf for sasl authentication with AD
Product: UCS
Reporter: Felix Botner <botner>
Component: LDAP
Assignee: Felix Botner <botner>
Status: CLOSED FIXED
QA Contact: Arvid Requate <requate>
Severity: normal
Priority: P5
CC: gohmann, walkenhorst
Version: UCS 3.2
Target Milestone: UCS 3.2-2-errata
Hardware: Other
OS: Linux
Bug Blocks: 34091    

Description Felix Botner univentionstaff 2014-07-29 15:26:33 CEST
We need to set sasl_secprops_maxssf=128 to successfully bind to an AD with kerberos/sasl.

Comment 1 Felix Botner univentionstaff 2014-07-29 16:01:11 CEST
branch 3.2-2 and 3.2-3

* added ldap/sasl/secprops/maxssf to univention-ldap

* in univention-lib/python/admember.py added set 
  ldap/sasl/secprops/maxssf=128 in enable_ssl and
  unset ldap/sasl/secprops/maxssf in disable_ssl

YAML: 2014-07-29-univention-ldap.yaml

Comment 2 Arvid Requate univentionstaff 2014-07-30 19:00:15 CEST
Works.

root@master71:~# python -c 'import univention.lib.admember as ad; ad.enable_ssl()'
Setting connector/ad/ldap/ssl
Setting ldap/sasl/secprops/maxssf
File: /etc/ldap/ldap.conf
root@master71:~# grep maxssf /etc/ldap/ldap.conf
sasl_secprops_maxssf=128

root@master71:~# python -c 'import univention.lib.admember as ad; ad.disable_ssl()'
Setting connector/ad/ldap/ssl
Unsetting ldap/sasl/secprops/maxssf
File: /etc/ldap/ldap.conf
root@master71:~# grep maxssf /etc/ldap/ldap.conf || echo gone
gone

Advisory: OK

Comment 3 Janek Walkenhorst univentionstaff 2014-08-07 17:49:55 CEST
http://errata.univention.de/ucs/3.2/176.html