Bug 479077

Summary: Server to Server SASL/DIGEST-MD5 not Supported over SSL/TLS
Product: Red Hat Directory Server
Reporter: Jenny Severance <jgalipea>
Component: Security - SASL
Assignee: Rich Megginson <rmeggins>
Status: CLOSED CURRENTRELEASE
QA Contact: Chandrasekar Kannan <ckannan>
Severity: high
Priority: high
Version: 8.1
CC: benl, nkinder
Hardware: All
OS: Linux
Fixed In Version: 8.1
Doc Type: Bug Fix
Last Closed: 2009-04-29 23:09:06 UTC
Bug Blocks: 249650, 493682

Attachments (Description / Flags):
diffs / none
cvs commit log / none

Description Jenny Severance 2009-01-06 21:54:38 UTC
Description of problem:
When configuring a replication agreement to bind with SASL/DIGEST-MD5 over SSL or TLS, the following errors occur and replication fails:

[06/Jan/2009:15:23:36 -0500] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [cn=replication manager, cn=config] mech [DIGEST-MD5]: error 1 (Operations error) (sasl encryption not supported over ssl)
[06/Jan/2009:15:23:36 -0500] slapi_ldap_bind - Error: could not perform interactive bind for id [cn=replication manager, cn=config] mech [DIGEST-MD5]: error 1 (Operations error)
[06/Jan/2009:15:23:36 -0500] NSMMReplicationPlugin - agmt="cn=S1 to S2 MMR" (jennyv1:24214): Replication bind with DIGEST-MD5 auth failed: LDAP error 1 (Operations error) (sasl encryption not supported over ssl)
[06/Jan/2009:15:23:36 -0500] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [cn=replication manager, cn=config] mech [DIGEST-MD5]: error 1 (Operations error) (sasl encryption not supported over ssl)
[06/Jan/2009:15:23:36 -0500] slapi_ldap_bind - Error: could not perform interactive bind for id [cn=replication manager, cn=config] mech [DIGEST-MD5]: error 1 (Operations error)
[06/Jan/2009:15:23:36 -0500] NSMMReplicationPlugin - agmt="cn=S1 to C1" (jennyv1:24216): Replication bind with DIGEST-MD5 auth failed: LDAP error 1 (Operations error) (sasl encryption not supported over ssl)
[06/Jan/2009:15:23:37 -0500] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [cn=replication manager, cn=config] mech [DIGEST-MD5]: error 1 (Operations error) (sasl encryption not supported over ssl)
[06/Jan/2009:15:23:37 -0500] slapi_ldap_bind - Error: could not perform interactive bind for id [cn=replication manager, cn=config] mech [DIGEST-MD5]: error 1 (Operations error)

Per Rich:
"looks like I need to turn off sasl layer encryption if using ssl"

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Set up replication with SASL/DIGEST-MD5 - SSL
2. View errors logs after initializing consumer
  
Actual results:
sasl encryption not supported over ssl errors

Expected results:
successful replication bind and successful replication.

Additional info:

Comment 1 Rich Megginson 2009-01-06 22:28:48 UTC
Created attachment 328326 [details]
diffs

Comment 2 Nathan Kinder 2009-01-06 22:37:24 UTC
With the change in comment #1, will DIGEST-MD5 work?  I think it will still fail since DIGEST-MD5 won't meet the maxssf criteria (it has an ssf of 1, I believe).

Comment 3 Rich Megginson 2009-01-06 22:52:38 UTC
DIGEST-MD5 forces a minssf of 1?

Comment 4 Nathan Kinder 2009-01-07 00:07:32 UTC
I just know that it will have an ssf of 1 by default from my tests.  If you specify a maxssf of 0 with DIGEST-MD5 and it works, then your change should be fine.

Comment 5 Rich Megginson 2009-01-07 02:33:54 UTC
Created attachment 328338 [details]
cvs commit log

Reviewed by: nkinder (Thanks!)
Fix Description: If using TLS/SSL, we don't need to use a sasl security layer, so just set the maxssf to 0.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
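To make the maxssf=0 rule in this comment concrete, here is an added Python model of the SASL security-property negotiation. It is illustrative code written for this page, not code from Red Hat Directory Server, from Cyrus SASL, or from the attached patch. It parses a constructed DIGEST-MD5 server challenge, lets the client pick the strongest qop that fits its minssf/maxssf window (crediting an external TLS SSF toward minssf, the way Cyrus SASL credits SASL_SSF_EXTERNAL), and then applies the server-side rule behind the error in the description: a SASL security layer with ssf > 0 on a socket that is already TLS-protected is refused. With default properties the client negotiates a layer and hits the error; with maxssf=0 it negotiates plain "auth" and the bind goes through. The auth-conf cipher strengths, the default maxssf of 256, and the TLS SSF of 128 are assumed values for the model, and `parse_challenge`, `negotiate` and `bind_over_ssl` are names chosen here.

```python
"""Model of DIGEST-MD5 qop negotiation under SASL security properties.

Added illustration for bug 479077, not Directory Server or Cyrus SASL code.
Simplified policy: the client picks the strongest offered qop whose SSF lies
in [minssf, maxssf]; an SSF above 0 means a SASL security layer is installed.
"""
from dataclasses import dataclass

# SSF (security strength factor) each DIGEST-MD5 qop grants.
# auth = no layer, auth-int = integrity only (SSF 1), auth-conf = encryption,
# whose SSF depends on the cipher. Cipher SSFs below are assumed for the model.
QOP_SSF = {"auth": 0, "auth-int": 1}
CIPHER_SSF = {"rc4-40": 40, "rc4-56": 56, "des": 56, "3des": 112, "rc4": 128}


@dataclass(frozen=True)
class SecProps:
    minssf: int = 0
    maxssf: int = 256  # assumed default upper bound for the model


def parse_challenge(challenge: str) -> dict:
    """Parse a comma-separated key=value DIGEST-MD5 challenge (RFC 2831 style).
    Quoted values may contain commas and '=' (e.g. base64 padding)."""
    fields, key, buf, quoted = {}, None, [], False
    for ch in challenge:
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            if key is not None:
                fields[key] = "".join(buf)
            key, buf = None, []
        elif ch == "=" and key is None and not quoted:
            key, buf = "".join(buf), []
        else:
            buf.append(ch)
    if key is not None:
        fields[key] = "".join(buf)
    return fields


def available_layers(fields: dict) -> dict:
    """Map every qop the server offers to the SSF the client would obtain."""
    offered = {}
    for qop in fields.get("qop", "auth").split(","):  # RFC default is "auth"
        qop = qop.strip()
        if qop in QOP_SSF:
            offered[qop] = QOP_SSF[qop]
        elif qop == "auth-conf":
            ciphers = [c.strip() for c in fields.get("cipher", "").split(",")]
            strengths = [CIPHER_SSF[c] for c in ciphers if c in CIPHER_SSF]
            if strengths:
                offered[qop] = max(strengths)
    return offered


def negotiate(fields: dict, props: SecProps, external_ssf: int = 0):
    """Pick the strongest acceptable qop; None if nothing satisfies the policy.
    An external SSF (from TLS) counts toward minssf but never raises maxssf."""
    need = max(props.minssf - external_ssf, 0)
    candidates = [(ssf, qop) for qop, ssf in available_layers(fields).items()
                  if need <= ssf <= props.maxssf]
    if not candidates:
        return None
    ssf, qop = max(candidates)
    return qop, ssf


def bind_over_ssl(fields: dict, props: SecProps, tls_ssf: int = 128) -> str:
    """Apply the rule behind 'sasl encryption not supported over ssl':
    a SASL layer (ssf > 0) on an already-TLS socket is refused."""
    result = negotiate(fields, props, external_ssf=tls_ssf)
    if result is None:
        return "error: no acceptable qop"
    qop, ssf = result
    if ssf > 0:
        return f"error: sasl encryption not supported over ssl (qop={qop}, ssf={ssf})"
    return f"ok: qop={qop}, no sasl layer, channel protected by TLS"


# Constructed sample challenge; values are not from any real server.
CHALLENGE = ('realm="example.com",nonce="c29tZXJhbmRvbQ==",'
             'qop="auth,auth-int,auth-conf",cipher="rc4,des,3des",'
             'charset=utf-8,algorithm=md5-sess')

if __name__ == "__main__":
    fields = parse_challenge(CHALLENGE)
    print("default secprops :", bind_over_ssl(fields, SecProps()))
    print("maxssf=0 (the fix):", bind_over_ssl(fields, SecProps(maxssf=0)))
```

Running the script shows the two outcomes side by side. The same intent is what an OpenLDAP client expresses with the LDAP_OPT_X_SASL_SECPROPS option (or SASL_SECPROPS in ldap.conf) set to "maxssf=0": when the transport already provides confidentiality, the SASL layer is redundant and, in this server, rejected outright.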

Comment 6 Jenny Severance 2009-02-24 20:41:43 UTC
Fixed and being tested by server to server SASL automated acceptance tests.

Comment 7 Chandrasekar Kannan 2009-04-29 23:09:06 UTC
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-0455.html