Full_Name: Mike Becher Version: 2.4.16 or HEAD OS: Linux URL: ftp://ftp.openldap.org/incoming/mike-becher-090512.libraries-libldap.patch Submission from: (NULL) (84.150.169.165)
patch file name: mike-becher-090512.libraries-libldap-gssapi.1.patch patch subject: GSSAPI signing/encryption for unsuspecting applications
ftp://ftp.openldap.org/incoming/mike-becher-090512.libraries-libldap.patch
This patch (see above) introduces a function hook and an additional ldap.conf or ldaprc option, GSSAPI_TRY_GSSAPI_BIND_S_IN_SASL_INTERACTIVE_BIND_S, which enables unsuspecting applications to make use of GSSAPI-based authentication, signing, and/or encryption. This is very useful if you are connected to MS Active Directory with LDAP server signing required (i.e. switched on) and your software (for example pam_ldap or nss_ldap) doesn't know about that requirement. Additionally, if a user does not want to use this feature, s/he can switch it off on demand.
Excerpt from the manual page enhancement: From a technical point of view, this (hook and option) enables a call of ldap_gssapi_bind_s() at the beginning of ldap_sasl_interactive_bind_s(). If ldap_gssapi_bind_s() returns LDAP_SUCCESS, the SASL code of ldap_sasl_interactive_bind_s() is skipped. In any other case, ldap_sasl_interactive_bind_s() is executed as before. If this option is switched on and an application makes use of ldap_sasl_interactive_bind_s() but doesn't know anything about ldap_gssapi_bind_s(), it is still able to use GSSAPI signing and encryption.
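The following is an added, stand-alone C model of the control flow the excerpt describes; it is not code from the patch or from libldap. The two bind functions are hypothetical simulations standing in for ldap_gssapi_bind_s() and the SASL code path, the result-code values are the ones OpenLDAP's <ldap.h> uses, the value words accepted for the option (on/off, yes/no, true/false) are an assumption, and the ldaprc fragment and host names are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Result codes with the numeric values OpenLDAP's <ldap.h> uses, defined
 * locally so the example builds without libldap. */
#define LDAP_SUCCESS     0x00
#define LDAP_LOCAL_ERROR (-2)

/* Keyword from the patch. Which value words switch it on is an
 * assumption of this example. */
#define HOOK_OPTION "GSSAPI_TRY_GSSAPI_BIND_S_IN_SASL_INTERACTIVE_BIND_S"

/* What one (simulated) bind attempt did and ended with. */
struct bind_trace {
    int gssapi_tried;    /* the hook invoked ldap_gssapi_bind_s()        */
    int sasl_tried;      /* the ordinary SASL code path was executed      */
    int signed_session;  /* GSSAPI signing/sealing is active afterwards   */
    int result;          /* LDAP result code of the last step             */
};

typedef int (*bind_fn)(const char *host, int *signed_session);

/* Hypothetical stand-in for ldap_gssapi_bind_s(): constructed rule that
 * only hosts under .corp.example have a usable Kerberos ticket. */
static int fake_gssapi_bind_s(const char *host, int *signed_session)
{
    if (strstr(host, ".corp.example") == NULL)
        return LDAP_LOCAL_ERROR;
    *signed_session = 1;
    return LDAP_SUCCESS;
}

/* Hypothetical stand-in for the SASL code path the unmodified
 * application would run: it binds, but establishes no signing. */
static int fake_sasl_interactive_bind_s(const char *host, int *signed_session)
{
    (void)host;
    *signed_session = 0;
    return LDAP_SUCCESS;
}

/* The hook as the manual-page excerpt describes it: with the option on,
 * try the GSSAPI bind first and skip the SASL code on LDAP_SUCCESS; on
 * any other result, or with the option off, run the SASL code as before. */
static int hooked_sasl_interactive_bind_s(int option_on, bind_fn gssapi_bind,
                                          bind_fn sasl_bind, const char *host,
                                          struct bind_trace *t)
{
    memset(t, 0, sizeof *t);
    if (option_on) {
        t->gssapi_tried = 1;
        t->result = gssapi_bind(host, &t->signed_session);
        if (t->result == LDAP_SUCCESS)
            return t->result;
    }
    t->sasl_tried = 1;
    t->result = sasl_bind(host, &t->signed_session);
    return t->result;
}

/* Read the option from ldaprc-style text ("KEYWORD value" per line, '#'
 * comment lines, keyword matched case-insensitively). 1 = on, 0 = off/absent. */
static int option_from_ldaprc(const char *text)
{
    char line[256], key[128], val[32];
    int on = 0;
    while (*text) {
        size_t n = strcspn(text, "\n");
        if (n >= sizeof line) n = sizeof line - 1;
        memcpy(line, text, n);
        line[n] = '\0';
        text += n + (text[n] == '\n');
        if (line[0] == '#' || sscanf(line, "%127s %31s", key, val) != 2)
            continue;
        if (strcasecmp(key, HOOK_OPTION) != 0)
            continue;
        on = strcasecmp(val, "on") == 0 || strcasecmp(val, "yes") == 0 ||
             strcasecmp(val, "true") == 0;
    }
    return on;
}

/* Bit mask summarising a run: 1 gssapi tried, 2 sasl tried, 4 signed,
 * 8 final result LDAP_SUCCESS. */
static int bind_outcome(int option_on, const char *host)
{
    struct bind_trace t;
    int rc = hooked_sasl_interactive_bind_s(option_on, fake_gssapi_bind_s,
                                            fake_sasl_interactive_bind_s, host, &t);
    return (t.gssapi_tried ? 1 : 0) | (t.sasl_tried ? 2 : 0) |
           (t.signed_session ? 4 : 0) | (rc == LDAP_SUCCESS ? 8 : 0);
}

int main(void)
{
    /* Constructed ldaprc fragment. */
    const char *rc = "# ldaprc\nURI ldap://dc1.corp.example\n" HOOK_OPTION " on\n";
    int on = option_from_ldaprc(rc);
    printf("option on: %d, outcome for dc1.corp.example: 0x%x, for ldap.other.example: 0x%x\n",
           on, bind_outcome(on, "dc1.corp.example"), bind_outcome(on, "ldap.other.example"));
    return 0;
}
```

The second host in main() shows the consequence of the "in any other case" rule: when ldap_gssapi_bind_s() fails for whatever reason, the application silently continues on the ordinary SASL path with whatever protection that path negotiates, so a deployment that relies on this option to satisfy a server-side signing requirement should verify the protection level actually reached rather than assume the GSSAPI bind succeeded.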
NOTE(s): This patch makes the patches of
* ITS#6091: missing implementation of "switch off" functionality of GSSAPI OPTIONS
* ITS#6092: correct string problem in guess_service_principal()
* ITS#6093: correct hostname resolving problem in guess_service_principal()
obsolete. Thanks to Hallvard B Furuseth for his comments on ITS#6092, which resulted in a rewrite of that code snippet.