Description of problem:
When configuring replication agreement to bind with SASL/DIGEST-MD5 over SSL or TLS - the following errors occur and replication fails:

[06/Jan/2009:15:23:36 -0500] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [cn=replication manager, cn=config] mech [DIGEST-MD5]: error 1 (Operations error) (sasl encryption not supported over ssl)
[06/Jan/2009:15:23:36 -0500] slapi_ldap_bind - Error: could not perform interactive bind for id [cn=replication manager, cn=config] mech [DIGEST-MD5]: error 1 (Operations error)
[06/Jan/2009:15:23:36 -0500] NSMMReplicationPlugin - agmt="cn=S1 to S2 MMR" (jennyv1:24214): Replication bind with DIGEST-MD5 auth failed: LDAP error 1 (Operations error) (sasl encryption not supported over ssl)
[06/Jan/2009:15:23:36 -0500] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [cn=replication manager, cn=config] mech [DIGEST-MD5]: error 1 (Operations error) (sasl encryption not supported over ssl)
[06/Jan/2009:15:23:36 -0500] slapi_ldap_bind - Error: could not perform interactive bind for id [cn=replication manager, cn=config] mech [DIGEST-MD5]: error 1 (Operations error)
[06/Jan/2009:15:23:36 -0500] NSMMReplicationPlugin - agmt="cn=S1 to C1" (jennyv1:24216): Replication bind with DIGEST-MD5 auth failed: LDAP error 1 (Operations error) (sasl encryption not supported over ssl)
[06/Jan/2009:15:23:37 -0500] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [cn=replication manager, cn=config] mech [DIGEST-MD5]: error 1 (Operations error) (sasl encryption not supported over ssl)
[06/Jan/2009:15:23:37 -0500] slapi_ldap_bind - Error: could not perform interactive bind for id [cn=replication manager, cn=config] mech [DIGEST-MD5]: error 1 (Operations error)

Per Rich: "looks like I need to turn off sasl layer encryption if using ssl"

Version-Release number of selected component (if applicable):

How reproducible: Always
Steps to Reproduce:
1. Set up replication with SASL/DIGEST-MD5 - SSL
2. View errors logs after initializing consumer

Actual results: sasl encryption not supported over ssl errors

Expected results: successful replication bind and successful replication.

Additional info:
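A way to pull the affected replication agreements out of an errors log like the excerpt in the report above. This is an added example, not code from the bug report or from the directory server project; the line layout is inferred from the log lines shown in the report, and the last sample line is constructed.

```python
import re
from datetime import datetime

# First three lines are copied from the report (terminal line-wrap breaks repaired).
# The fourth line is constructed: a repeat of the "cn=S1 to C1" failure one second later.
SAMPLE_LOG = """\
[06/Jan/2009:15:23:36 -0500] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [cn=replication manager, cn=config] mech [DIGEST-MD5]: error 1 (Operations error) (sasl encryption not supported over ssl)
[06/Jan/2009:15:23:36 -0500] NSMMReplicationPlugin - agmt="cn=S1 to S2 MMR" (jennyv1:24214): Replication bind with DIGEST-MD5 auth failed: LDAP error 1 (Operations error) (sasl encryption not supported over ssl)
[06/Jan/2009:15:23:36 -0500] NSMMReplicationPlugin - agmt="cn=S1 to C1" (jennyv1:24216): Replication bind with DIGEST-MD5 auth failed: LDAP error 1 (Operations error) (sasl encryption not supported over ssl)
[06/Jan/2009:15:23:37 -0500] NSMMReplicationPlugin - agmt="cn=S1 to C1" (jennyv1:24216): Replication bind with DIGEST-MD5 auth failed: LDAP error 1 (Operations error) (sasl encryption not supported over ssl)
"""

# Layout assumed from the replication plugin lines in the report.
AGMT_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] NSMMReplicationPlugin - agmt="(?P<agmt>[^"]+)" '
    r'\((?P<host>[^:()]+):(?P<port>\d+)\): Replication bind with '
    r'(?P<mech>\S+) auth failed: LDAP error (?P<code>\d+) \((?P<err>[^)]*)\)'
    r'(?: \((?P<detail>[^)]*)\))?'
)
LAYER_CONFLICT = "sasl encryption not supported over ssl"

def find_layer_conflicts(log_text):
    """Map each agreement name to details of replication binds that failed
    with the 'sasl encryption not supported over ssl' error."""
    hits = {}
    for line in log_text.splitlines():
        m = AGMT_RE.match(line)
        if not m or m.group("detail") != LAYER_CONFLICT:
            continue  # other components, or a different bind failure
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        info = hits.setdefault(m.group("agmt"), {
            "host": m.group("host"), "port": int(m.group("port")),
            "mech": m.group("mech"), "count": 0, "first": ts, "last": ts})
        info["count"] += 1
        info["first"] = min(info["first"], ts)
        info["last"] = max(info["last"], ts)
    return hits

if __name__ == "__main__":
    for agmt, info in find_layer_conflicts(SAMPLE_LOG).items():
        print(f'{agmt} -> {info["host"]}:{info["port"]} {info["mech"]} '
              f'x{info["count"]} ({info["first"]} .. {info["last"]})')
```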
Created attachment 328326 [details] diffs
With the change in comment #1, will DIGEST-MD5 work? I think it will still fail since DIGEST-MD5 won't meet the maxssf criteria (it has a ssf of 1 I believe).
DIGEST-MD5 forces a minssf of 1?
I just know that it will have a ssf of 1 by default from my tests. If you specify a maxssf of 0 with DIGEST-MD5 and it works, then your change should be fine.
Created attachment 328338 [details]
cvs commit log

Reviewed by: nkinder (Thanks!)
Fix Description: If using TLS/SSL, we don't need to use a sasl security layer, so just set the maxssf to 0.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
fixed and being tested by server to server sasl automated acceptance tests.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-0455.html