Bug 479077 - Server to Server SASL/DIGEST-MD5 not Supported over SSL/TLS
Summary: Server to Server SASL/DIGEST-MD5 not Supported over SSL/TLS
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Directory Server
Classification: Red Hat
Component: Security - SASL
Version: 8.1
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Rich Megginson
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On:
Blocks: 249650 FDS1.2.0
 
Reported: 2009-01-06 21:54 UTC by Jenny Severance
Modified: 2015-01-04 23:35 UTC (History)

Fixed In Version: 8.1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-04-29 23:09:06 UTC


Attachments
diffs (1.03 KB, patch)
2009-01-06 22:28 UTC, Rich Megginson
cvs commit log (163 bytes, text/plain)
2009-01-07 02:33 UTC, Rich Megginson

Description Jenny Severance 2009-01-06 21:54:38 UTC
Description of problem:
When configuring replication agreement to bind with SASL/DIGEST-MD5 over SSL or TLS - the following errors occurs and replication fails:

[06/Jan/2009:15:23:36 -0500] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [cn=replication manager, cn=config] mech [DIGEST-MD5]: error 1 (Operations error) (sasl encryption not supported over ssl)
[06/Jan/2009:15:23:36 -0500] slapi_ldap_bind - Error: could not perform interactive bind for id [cn=replication manager, cn=config] mech [DIGEST-MD5]: error 1 (Operations error)
[06/Jan/2009:15:23:36 -0500] NSMMReplicationPlugin - agmt="cn=S1 to S2 MMR" (jennyv1:24214): Replication bind with DIGEST-MD5 auth failed: LDAP error 1 (Operations error) (sasl encryption not supported over ssl)
[06/Jan/2009:15:23:36 -0500] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [cn=replication manager, cn=config] mech [DIGEST-MD5]: error 1 (Operations error) (sasl encryption not supported over ssl)
[06/Jan/2009:15:23:36 -0500] slapi_ldap_bind - Error: could not perform interactive bind for id [cn=replication manager, cn=config] mech [DIGEST-MD5]: error 1 (Operations error)
[06/Jan/2009:15:23:36 -0500] NSMMReplicationPlugin - agmt="cn=S1 to C1" (jennyv1:24216): Replication bind with DIGEST-MD5 auth failed: LDAP error 1 (Operations error) (sasl encryption not supported over ssl)
[06/Jan/2009:15:23:37 -0500] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [cn=replication manager, cn=config] mech [DIGEST-MD5]: error 1 (Operations error) (sasl encryption not supported over ssl)
[06/Jan/2009:15:23:37 -0500] slapi_ldap_bind - Error: could not perform interactive bind for id [cn=replication manager, cn=config] mech [DIGEST-MD5]: error 1 (Operations error)

Per Rich:
"looks like I need to turn off sasl layer encryption if using ssl"

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Set up replication with SASL/DIGEST-MD5 - SSL
2. View errors logs after initializing consumer
  
Actual results:
sasl encryption not supported over ssl errors

Expected results:
successful replication bind and successful replication.

Additional info:

Comment 1 Rich Megginson 2009-01-06 22:28:48 UTC
Created attachment 328326
diffs

Comment 2 Nathan Kinder 2009-01-06 22:37:24 UTC
With the change in comment #1, will DIGEST-MD5 work?  I think it will still fail since DIGEST-MD5 won't meet the maxssf criteria (it has an ssf of 1 I believe).

Comment 3 Rich Megginson 2009-01-06 22:52:38 UTC
DIGEST-MD5 forces a minssf of 1?

Comment 4 Nathan Kinder 2009-01-07 00:07:32 UTC
I just know that it will have a ssf of 1 by default from my tests.  If you specify a maxssf of 0 with DIGEST-MD5 and it works, then your change should be fine.

Comment 5 Rich Megginson 2009-01-07 02:33:54 UTC
Created attachment 328338
cvs commit log

Reviewed by: nkinder (Thanks!)
Fix Description: If using TLS/SSL, we don't need to use a sasl security layer, so just set the maxssf to 0.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
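The negotiation behind the fix in comment 5, and the minssf/maxssf question raised in comments 2 through 4, modelled as an added example. This is constructed illustration code, not Directory Server or Cyrus SASL code. It assumes: the agreement attribute names nsDS5ReplicaTransportInfo and nsDS5ReplicaBindMethod as used by 389/Red Hat Directory Server agreements (the agreement itself is constructed from the host, port and names in the error log above); nominal SSF values for the DIGEST-MD5 qop levels (auth = 0, auth-int = 1, auth-conf = 128); and a server policy that mirrors the logged message, refusing any SASL security layer (ssf > 0) on a connection already protected by SSL/TLS.

```python
"""Why a SASL/DIGEST-MD5 replication bind fails over SSL/TLS when the client
negotiates a SASL security layer, and why capping maxssf at 0 fixes it.
Constructed example, not Directory Server or Cyrus SASL code."""

# Constructed replication agreement. Attribute names follow 389/Red Hat
# Directory Server; host, port and names come from the bug's error log.
AGREEMENT_LDIF = """\
dn: cn=S1 to S2 MMR,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
objectClass: top
objectClass: nsDS5ReplicationAgreement
cn: S1 to S2 MMR
nsDS5ReplicaHost: jennyv1
nsDS5ReplicaPort: 24214
nsDS5ReplicaTransportInfo: SSL
nsDS5ReplicaBindDN: cn=replication manager, cn=config
nsDS5ReplicaBindMethod: SASL/DIGEST-MD5
"""

# Nominal SSF per DIGEST-MD5 qop (assumption for this model): no layer,
# integrity-only layer, confidentiality layer with the strongest cipher.
QOP_SSF = {"auth": 0, "auth-int": 1, "auth-conf": 128}


def parse_ldif(text):
    """Minimal single-entry LDIF reader: attribute -> list of values."""
    attrs = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        attrs.setdefault(key.strip(), []).append(value.strip())
    return attrs


def client_secprops(agreement):
    """Security properties for the outbound SASL bind (the fix from comment 5):
    when SSL/TLS already protects the connection, ask for no SASL layer."""
    transport = agreement["nsDS5ReplicaTransportInfo"][0].upper()
    method = agreement["nsDS5ReplicaBindMethod"][0].upper()
    if not method.startswith("SASL/"):
        return None  # simple or certificate bind: nothing to negotiate
    if transport in ("SSL", "TLS"):
        return {"minssf": 0, "maxssf": 0}
    return {"minssf": 0, "maxssf": 256}  # plain LDAP: let SASL protect the session


def negotiate_qop(server_qops, minssf, maxssf):
    """Client side of the DIGEST-MD5 challenge: take the strongest qop the server
    offers whose SSF lies in [minssf, maxssf]; None means the bind cannot proceed."""
    candidates = [q for q in server_qops if minssf <= QOP_SSF[q] <= maxssf]
    if not candidates:
        return None
    return max(candidates, key=lambda q: QOP_SSF[q])


def server_accepts(qop, connection_is_ssl):
    """Server policy mirroring the logged error: no SASL layer on top of SSL."""
    if qop is None:
        return False, "no acceptable qop"
    if connection_is_ssl and QOP_SSF[qop] > 0:
        return False, "sasl encryption not supported over ssl"
    return True, "ok"


def replication_bind(agreement_ldif, secprops=None,
                     server_qops=("auth", "auth-int", "auth-conf")):
    """Run one modelled bind; secprops overrides the client's default choice."""
    agreement = parse_ldif(agreement_ldif)
    over_ssl = agreement["nsDS5ReplicaTransportInfo"][0].upper() in ("SSL", "TLS")
    props = secprops if secprops is not None else client_secprops(agreement)
    qop = negotiate_qop(server_qops, props["minssf"], props["maxssf"])
    ok, reason = server_accepts(qop, over_ssl)
    return {"qop": qop, "ok": ok, "reason": reason}


if __name__ == "__main__":
    # Before the fix: an uncapped maxssf lets DIGEST-MD5 pick auth-conf; rejected over SSL.
    print(replication_bind(AGREEMENT_LDIF, secprops={"minssf": 0, "maxssf": 256}))
    # After the fix: maxssf=0 over SSL yields qop=auth, which the server accepts.
    print(replication_bind(AGREEMENT_LDIF))
    # The comment 2 concern: minssf=1 with maxssf=0 leaves no qop to agree on.
    print(replication_bind(AGREEMENT_LDIF, secprops={"minssf": 1, "maxssf": 0}))
```

The same cap is what OpenLDAP's client tools express with `-O maxssf=0` (for example `ldapsearch -ZZ -Y DIGEST-MD5 -O maxssf=0 ...`): authentication still uses DIGEST-MD5, but integrity and confidentiality come from TLS rather than from a second SASL layer.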

Comment 6 Jenny Severance 2009-02-24 20:41:43 UTC
fixed and being tested by server to server sasl automated acceptance tests.

Comment 7 Chandrasekar Kannan 2009-04-29 23:09:06 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-0455.html

