Bug 479077 - Server to Server SASL/DIGEST-MD5 not Supported over SSL/TLS
Status: CLOSED CURRENTRELEASE
Product: Red Hat Directory Server
Classification: Red Hat
Component: Security - SASL
Version: 8.1
Hardware: All
OS: Linux
Priority: high
Severity: high
Assigned To: Rich Megginson
Chandrasekar Kannan
Depends On:
Blocks: 249650 FDS1.2.0
Reported: 2009-01-06 16:54 EST by Jenny Galipeau
Modified: 2015-01-04 18:35 EST (History)
CC List: 2 users
Fixed In Version: 8.1
Doc Type: Bug Fix
Last Closed: 2009-04-29 19:09:06 EDT

Attachments
diffs (1.03 KB, patch)
2009-01-06 17:28 EST, Rich Megginson
cvs commit log (163 bytes, text/plain)
2009-01-06 21:33 EST, Rich Megginson

Description Jenny Galipeau 2009-01-06 16:54:38 EST
Description of problem:
When configuring replication agreement to bind with SASL/DIGEST-MD5 over SSL or TLS - the following errors occurs and replication fails:

[06/Jan/2009:15:23:36 -0500] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [cn=replication manager, cn=config] mech [DIGEST-MD5]: error 1 (Operations error) (sasl encryption not supported over ssl)
[06/Jan/2009:15:23:36 -0500] slapi_ldap_bind - Error: could not perform interactive bind for id [cn=replication manager, cn=config] mech [DIGEST-MD5]: error 1 (Operations error)
[06/Jan/2009:15:23:36 -0500] NSMMReplicationPlugin - agmt="cn=S1 to S2 MMR" (jennyv1:24214): Replication bind with DIGEST-MD5 auth failed: LDAP error 1 (Operations error) (sasl encryption not supported over ssl)
[06/Jan/2009:15:23:36 -0500] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [cn=replication manager, cn=config] mech [DIGEST-MD5]: error 1 (Operations error) (sasl encryption not supported over ssl)
[06/Jan/2009:15:23:36 -0500] slapi_ldap_bind - Error: could not perform interactive bind for id [cn=replication manager, cn=config] mech [DIGEST-MD5]: error 1 (Operations error)
[06/Jan/2009:15:23:36 -0500] NSMMReplicationPlugin - agmt="cn=S1 to C1" (jennyv1:24216): Replication bind with DIGEST-MD5 auth failed: LDAP error 1 (Operations error) (sasl encryption not supported over ssl)
[06/Jan/2009:15:23:37 -0500] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [cn=replication manager, cn=config] mech [DIGEST-MD5]: error 1 (Operations error) (sasl encryption not supported over ssl)
[06/Jan/2009:15:23:37 -0500] slapi_ldap_bind - Error: could not perform interactive bind for id [cn=replication manager, cn=config] mech [DIGEST-MD5]: error 1 (Operations error)

Per Rich:
"looks like I need to turn off sasl layer encryption if using ssl"

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Set up replication with SASL/DIGEST-MD5 - SSL
2. View errors logs after initializing consumer
  
Actual results:
sasl encryption not supported over ssl errors

Expected results:
successful replication bind and successful replication.

Additional info:
Comment 1 Rich Megginson 2009-01-06 17:28:48 EST
Created attachment 328326 [details]
diffs
Comment 2 Nathan Kinder 2009-01-06 17:37:24 EST
With the change in comment #1, will DIGEST-MD5 work?  I think it will still fail since DIGEST-MD5 won't meet the maxssf criteria (it has an ssf of 1 I believe).
Comment 3 Rich Megginson 2009-01-06 17:52:38 EST
DIGEST-MD5 forces a minssf of 1?
Comment 4 Nathan Kinder 2009-01-06 19:07:32 EST
I just know that it will have an ssf of 1 by default from my tests.  If you specify a maxssf of 0 with DIGEST-MD5 and it works, then your change should be fine.
Comment 5 Rich Megginson 2009-01-06 21:33:54 EST
Created attachment 328338 [details]
cvs commit log

Reviewed by: nkinder (Thanks!)
Fix Description: If using TLS/SSL, we don't need to use a sasl security layer, so just set the maxssf to 0.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
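The exchange in comments 2 to 5 turns on how a SASL client picks a quality of protection from its security properties: with the default maxssf the DIGEST-MD5 client negotiates an integrity layer (the ssf of 1 Nathan observed), the Directory Server side refuses any SASL layer on an SSL/TLS connection, and the fix caps maxssf at 0 so no layer is requested when TLS already protects the link. The model below is an added example, not code from the bug's patch or from Directory Server. It assumes the Cyrus SASL DIGEST-MD5 ssf values per qop (auth=0, auth-int=1, auth-conf cipher dependent), the "minssf=N,maxssf=N" property syntax that OpenLDAP clients accept, a constructed server qop offer of auth and auth-int to match the observed ssf-1 default, and the server rule taken from the logged message "sasl encryption not supported over ssl".

```python
"""Model of DIGEST-MD5 qop selection under SASL security properties, and of the
maxssf=0 fix for replication binds over SSL/TLS (added example, not the
Directory Server code)."""

from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# Security strength factor per DIGEST-MD5 qop (assumption: Cyrus SASL values;
# auth-conf shown with a 128-bit cipher, weaker ciphers give a lower ssf).
QOP_SSF = {"auth": 0, "auth-int": 1, "auth-conf": 128}


@dataclass(frozen=True)
class SecProps:
    minssf: int = 0
    maxssf: int = 256      # assumption: a typical default upper bound
    noplain: bool = False

    @classmethod
    def parse(cls, text: str) -> "SecProps":
        """Parse a property string such as "minssf=0,maxssf=0" or "maxssf=0,noplain"."""
        kwargs = {}
        for item in filter(None, (p.strip() for p in text.split(","))):
            if item == "noplain":
                kwargs["noplain"] = True
                continue
            key, sep, value = item.partition("=")
            if sep != "=" or key not in ("minssf", "maxssf"):
                raise ValueError(f"unsupported security property: {item!r}")
            kwargs[key] = int(value)
        return cls(**kwargs)


def choose_qop(server_qops: Iterable[str], props: SecProps) -> Optional[str]:
    """Pick the strongest server-offered qop whose ssf lies within [minssf, maxssf];
    None means no acceptable qop, i.e. the mechanism cannot be negotiated."""
    best = None
    for qop in server_qops:
        ssf = QOP_SSF[qop]
        if props.minssf <= ssf <= props.maxssf and (best is None or ssf > QOP_SSF[best]):
            best = qop
    return best


def client_secprops(over_tls: bool, configured: str = "") -> SecProps:
    """The fix from comment 5, modelled: on an SSL/TLS connection cap maxssf at 0
    so the client never asks for a SASL security layer on top of TLS."""
    props = SecProps.parse(configured)
    if over_tls:
        props = SecProps(minssf=0, maxssf=0, noplain=props.noplain)
    return props


def server_accepts(qop: Optional[str], over_tls: bool) -> bool:
    """Directory Server rule quoted in the errors log: a SASL layer (any qop with
    ssf > 0) is refused on an SSL/TLS connection."""
    if qop is None:
        return False
    return not (over_tls and QOP_SSF[qop] > 0)


def replication_bind(over_tls: bool, configured: str = "", fixed: bool = True) -> Tuple[Optional[str], bool]:
    """Simulate one DIGEST-MD5 replication bind: returns (negotiated qop, accepted).
    fixed=False reproduces the pre-fix client that keeps its default secprops."""
    offered = ("auth", "auth-int")   # constructed server offer (ssf 1 by default)
    props = client_secprops(over_tls, configured) if fixed else SecProps.parse(configured)
    qop = choose_qop(offered, props)
    return qop, server_accepts(qop, over_tls)


if __name__ == "__main__":
    print("pre-fix over TLS :", replication_bind(over_tls=True, fixed=False))
    print("fixed over TLS   :", replication_bind(over_tls=True, fixed=True))
    print("plain TCP        :", replication_bind(over_tls=False, fixed=False))
```

The same cap can be requested from the OpenLDAP command-line tools with `-O maxssf=0` when checking a DIGEST-MD5 bind against an ldaps:// or StartTLS listener, which is a quick way to confirm that the server accepts the mechanism once no SASL layer is negotiated; how Directory Server applies the setting internally is not shown on this page.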
Comment 6 Jenny Galipeau 2009-02-24 15:41:43 EST
fixed and being tested by server to server sasl automated acceptance tests.
Comment 7 Chandrasekar Kannan 2009-04-29 19:09:06 EDT
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-0455.html
