In >= f26 we can use minssf properly as now SASL/GSSAPI exposes levels based on algorithms not a constant 56.
More data from Alexander:
The way we are doing it is by using an inquiry of a mech used by GSSAPI if gss_inquire_sec_context_by_oid() is available. This is done transparently in the Cyrus SASL gssapi plugin code. Both requiressf and limitssf properties of the SASL context are calculated based on SASL_SSF and SASL_SSF_EXTERNAL properties set by the SASL application, namely by subtracting SASL_SSF_EXTERNAL value out of SASL_SSF. Since 389-ds does not set SASL_SSF_EXTERNAL at all, it defaults to 0 and `nsslapd-minssf` is the sole factor here.
Metadata Update from @pvoborni: - Issue set to the milestone: FreeIPA 4.7
Metadata Update from @rcritten: - Issue set to the milestone: FreeIPA 4.7.1 (was: FreeIPA 4.7)
FreeIPA 4.7 has been released, moving to FreeIPA 4.7.1 milestone
master:
Reverted by https://pagure.io/freeipa/c/294aa3a33375dc246b2a733fce3cbd09a39071a0
As [discussed](https://github.com/freeipa/freeipa/pull/3105#issuecomment-488658315) I'll split the original PR in two and keep the part that configured the client to require a strong SSF.
realmd ticket: https://gitlab.freedesktop.org/realmd/realmd/-/issues/23/
@sbose implemented the necessary changes for realmd in https://gitlab.freedesktop.org/realmd/realmd/-/commit/b53c3e5fb5c90813ce1b47ddc570dd9c800232f9