Sun Java System Directory Server Enterprise Edition 6.2 Administration Guide

Setting SASL Encryption Levels in Directory Server

Before configuring the SASL mechanism, you must specify whether or not you require encryption. Requirements for SASL encryption are set by the maximum and minimum security strength factor (SSF).

The attributes dsSaslMinSSF(5dsat) and dsSaslMaxSSF(5dsat) represent the encryption key length, and they are stored in cn=SASL, cn=security, cn=config.

The server allows any level of encryption, including no encryption. This means that Directory Server accepts dsSaslMinSSF and dsSaslMaxSSF values greater than 256. However, no SASL mechanisms currently support an SSF greater than 128. Directory Server negotiates these values down to the highest SSF possible (128). Therefore, the highest actual SSF might be less than the configured maximum, depending on the underlying mechanisms available.

SASL security factor negotiation depends on two main items: the minimum and maximum factors requested by the server and by the client application, and the encryption mechanisms available from the underlying security components. In summary, the server and client attempt to use the highest available security factor that is less than or equal to the maximum factors set on both sides, and greater than or equal to the minimum factors set on both sides.

The default minimum SASL security factor for Directory Server, dsSaslMinSSF, is 0, meaning no protection. The actual minimum depends on the client setting, unless you change the minimum for Directory Server. In practice, you should set the minimum to the lowest level that you actually want the server and client to use. If the server and client fail to negotiate a mechanism that meets the minimum requirements, the connection is not established.
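The negotiation rule described above, as an added worked example that is not part of the Sun documentation: a small model of how the server's and client's dsSaslMinSSF/dsSaslMaxSSF bounds combine with the SSF values the available mechanisms offer. The 128 ceiling and the default minimum of 0 come from the text; the table of mechanism SSF values is constructed for illustration, not taken from the product.

```python
# Added example (not from the Sun documentation): model of SASL SSF negotiation.
# The server negotiates any configured maximum above 128 down to 128, because
# no available SASL mechanism supports a higher SSF (as the guide states).
MAX_SUPPORTED_SSF = 128

# Constructed table of the SSF each mechanism option could offer. An SSF of 0
# means no protection; 1 means integrity only; larger values are key lengths.
MECHANISM_SSFS = {
    "no security layer": 0,
    "integrity only": 1,
    "56-bit cipher": 56,
    "112-bit cipher": 112,
    "128-bit cipher": 128,
}


def negotiate_ssf(server_min, server_max, client_min, client_max,
                  mechanism_ssfs=MECHANISM_SSFS):
    """Return the SSF the two sides agree on, or None when no mechanism
    satisfies both sides' bounds (the guide says the connection is then not
    established)."""
    # Configured maxima above 128 are negotiated down to 128.
    server_max = min(server_max, MAX_SUPPORTED_SSF)
    client_max = min(client_max, MAX_SUPPORTED_SSF)
    # The usable window is: at least both minima, at most both maxima.
    lower = max(server_min, client_min)
    upper = min(server_max, client_max)
    if lower > upper:
        return None
    candidates = [ssf for ssf in mechanism_ssfs.values() if lower <= ssf <= upper]
    return max(candidates) if candidates else None


def explain(server_min, server_max, client_min, client_max):
    """Human-readable summary of one negotiation, for the walkthrough below."""
    result = negotiate_ssf(server_min, server_max, client_min, client_max)
    bounds = (f"server {server_min}..{server_max}, "
              f"client {client_min}..{client_max}")
    if result is None:
        return f"{bounds}: no common SSF, connection refused"
    return f"{bounds}: negotiated SSF {result}"


if __name__ == "__main__":
    # Server default (min 0) with a permissive client: the highest SSF wins.
    print(explain(0, 256, 0, 256))
    # Server requires 128 (the "To Require SASL Encryption" setting).
    print(explain(128, 256, 0, 256))
    # Server disallows encryption (both 0) against a client that demands it.
    print(explain(0, 0, 1, 256))
    # Client caps SSF at 56 while the server insists on 128.
    print(explain(128, 256, 0, 56))
```

The model makes the practical point of the paragraph visible: leaving dsSaslMinSSF at its default of 0 does not prevent encryption, it merely lets the client decide, and a minimum that the client cannot meet causes the bind to fail rather than fall back to a weaker layer.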

Procedure: To Require SASL Encryption

You cannot use DSCC to perform this task. Use the command line, as described in this procedure.

  1. To require SASL encryption, set the dsSaslMinSSF value to the minimum encryption required.


    $ ldapmodify -h host -p port -D cn=admin,cn=Administrators,cn=config -w -
    Enter bind password:
    dn: cn=SASL, cn=security, cn=config
    changetype: modify
    replace: dsSaslMinSSF
    dsSaslMinSSF: 128
    ^D

Procedure: To Disallow SASL Encryption

You cannot use DSCC to perform this task. Use the command line, as described in this procedure.

  1. To disallow SASL encryption, set both the dsSaslMinSSF and dsSaslMaxSSF values to zero.


    $ ldapmodify -h host -p port -D cn=admin,cn=Administrators,cn=config -w -
    Enter bind password:
    dn: cn=SASL, cn=security, cn=config
    changetype: modify
    replace: dsSaslMinSSF
    dsSaslMinSSF: 0
    
    replace: dsSaslMaxSSF
    dsSaslMaxSSF: 0
    ^D
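After either procedure, the practical check is to read the entry back and confirm which policy the stored values express. The following is an added example, not part of the Sun documentation: it parses an LDIF dump of cn=SASL, cn=security, cn=config (the sample text is constructed, but the attribute names are the real ones from this page) and classifies the result as required, optional, or disallowed using the page's own rules.

```python
# Added example (not from the Sun documentation): audit the SSF bounds stored in
# cn=SASL, cn=security, cn=config, as they would appear in an LDIF search result.
import re

# Constructed sample of what a search for the SASL entry might return after the
# "To Require SASL Encryption" procedure above.
SAMPLE_LDIF = """\
dn: cn=SASL, cn=security, cn=config
objectClass: top
objectClass: nsContainer
cn: SASL
dsSaslMinSSF: 128
dsSaslMaxSSF: 256
"""


def unfold_ldif(text):
    """Join LDIF continuation lines (a line beginning with a single space
    continues the previous line) so each attribute sits on one line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def read_ssf_bounds(ldif_text):
    """Return (min_ssf, max_ssf) from the entry. A missing dsSaslMinSSF is the
    guide's default of 0 (no protection); a missing dsSaslMaxSSF is reported
    as None because this page does not state its default."""
    values = {}
    for line in unfold_ldif(ldif_text):
        m = re.match(r"^(dsSaslMinSSF|dsSaslMaxSSF):\s*(\d+)\s*$", line, re.IGNORECASE)
        if m:
            values[m.group(1).lower()] = int(m.group(2))
    return values.get("dssaslminssf", 0), values.get("dssaslmaxssf")


def classify_policy(min_ssf, max_ssf):
    """Name the policy the two bounds express, following the page's rules:
    both 0 disallows SASL encryption, min > 0 requires it, min 0 with a
    positive max leaves the choice to the client."""
    if max_ssf is None:
        return "unknown (dsSaslMaxSSF absent)"
    if min_ssf > max_ssf:
        return "misconfigured (minimum exceeds maximum, no SSF can satisfy both)"
    if max_ssf == 0:
        return "disallowed"
    if min_ssf == 0:
        return "optional"
    return "required"


def audit_sasl_policy(ldif_text):
    """Convenience wrapper: LDIF text in, policy name out."""
    return classify_policy(*read_ssf_bounds(ldif_text))


if __name__ == "__main__":
    bounds = read_ssf_bounds(SAMPLE_LDIF)
    print(f"dsSaslMinSSF={bounds[0]} dsSaslMaxSSF={bounds[1]}: "
          f"SASL encryption {audit_sasl_policy(SAMPLE_LDIF)}")
```

Feed it the output of an ldapsearch against the SASL entry (rather than the constructed sample) to verify that the modification took effect; a result of "optional" after the first procedure means the replace did not apply and the server is still accepting unprotected SASL binds.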