https://bugs.openldap.org/show_bug.cgi?id=9189
Bug ID: 9189
Summary: Add GSSAPI channel-bindings support
Product: OpenLDAP
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: libraries
Assignee: bugs@openldap.org
Reporter: iboukris@gmail.com
Target Milestone: ---

Recently MS has announced they plan to enforce channel bindings for LDAP over TLS (ADV190023).
To support it on client side, we need to pass "tls-endpoint" bindings (RFC 5929) to the SASL plugin, and make use of that in GSSAPI.
See also: https://github.com/cyrusimap/cyrus-sasl/pull/601
Quanah Gibson-Mount quanah@openldap.org changed:
  Target Milestone: --- -> 2.5.0
--- Comment #1 from Quanah Gibson-Mount quanah@openldap.org --- Tentatively marking for the 2.5 release series.
Isaac expects to follow up with a patch for this, so leaving all other state bits unchanged for now.
Quanah Gibson-Mount quanah@openldap.org changed:
  Status: UNCONFIRMED -> RESOLVED
  Resolution: --- -> TEST
--- Comment #2 from Quanah Gibson-Mount quanah@openldap.org --- Commits:
• 3cd50fa8 by Isaac Boukris at 2020-04-23T21:00:39+02:00 ITS#9189 rework sasl-cbinding support
Add LDAP_OPT_X_SASL_CBINDING option to define the binding type to use, defaults to "none".
Add "tls-endpoint" binding type implementing "tls-server-end-point" from RFC 5929, which is compatible with Windows.
Fix "tls-unique" to include the prefix in the bindings as per RFC 5056.
• 7b0017ad by Isaac Boukris at 2020-04-23T21:00:39+02:00 ITS#9189 add channel-bindings tests
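What the client side of this change has to hand to the SASL/GSSAPI layer, as an added example (not code from OpenLDAP or Cyrus SASL): the tls-server-end-point binding of RFC 5929 computed from the server's DER certificate, prefixed with the channel binding type name the way the commit above describes for tls-unique. Pure-stdlib Python. The certificate builder at the bottom is a constructed stand-in with only the outer Certificate layout (dummy tbsCertificate, real AlgorithmIdentifier, empty signature), not a valid X.509 certificate, and the OID table is limited to the common RSA and ECDSA signature algorithms.

```python
"""
tls-server-end-point channel binding (RFC 5929 section 4.1) from a DER
certificate, carrying the channel-binding type prefix.

Added example; not OpenLDAP or Cyrus SASL code. Standard library only.
"""
import hashlib

# Signature-algorithm OID -> hash function that algorithm is defined with.
# Assumption: only the common RSA PKCS#1 v1.5 and ECDSA algorithms are listed.
_SIG_OID_HASH = {
    "1.2.840.113549.1.1.4": "md5",      # md5WithRSAEncryption
    "1.2.840.113549.1.1.5": "sha1",     # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": "sha256",  # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": "sha384",  # sha384WithRSAEncryption
    "1.2.840.113549.1.1.13": "sha512",  # sha512WithRSAEncryption
    "1.2.840.10045.4.1": "sha1",        # ecdsa-with-SHA1
    "1.2.840.10045.4.3.2": "sha256",    # ecdsa-with-SHA256
    "1.2.840.10045.4.3.3": "sha384",    # ecdsa-with-SHA384
    "1.2.840.10045.4.3.4": "sha512",    # ecdsa-with-SHA512
}

CB_PREFIX = b"tls-server-end-point:"


def supports_server_end_point(sig_oid):
    """False for algorithms with no fixed hash (RSASSA-PSS, EdDSA, ...):
    RFC 5929 leaves the binding undefined there, so refuse instead of guessing."""
    return sig_oid in _SIG_OID_HASH


def cb_hash_name(sig_oid):
    """RFC 5929 4.1: MD5 and SHA-1 are replaced by SHA-256; anything else is used as-is."""
    if not supports_server_end_point(sig_oid):
        raise ValueError("no fixed hash for signature algorithm %s" % sig_oid)
    h = _SIG_OID_HASH[sig_oid]
    return "sha256" if h in ("md5", "sha1") else h


def _read_tlv(buf, pos):
    """Minimal DER TLV reader: returns (tag, value, position after the value)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                      # long-form length
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln


def _decode_oid(raw):
    arcs, v = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                  # base-128, high bit marks continuation
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    Only the OID inside the second element is needed to pick the hash."""
    tag, body, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, p = _read_tlv(body, 0)        # skip tbsCertificate
    tag, alg, _ = _read_tlv(body, p)    # signatureAlgorithm (AlgorithmIdentifier)
    if tag != 0x30:
        raise ValueError("bad AlgorithmIdentifier")
    tag, oid, _ = _read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier lacks OID")
    return _decode_oid(oid)


def server_end_point_cb(cert_der):
    """Channel-binding data as the GSSAPI layer must see it: the type
    prefix followed by the hash of the whole DER certificate."""
    digest = hashlib.new(cb_hash_name(signature_algorithm_oid(cert_der)), cert_der).digest()
    return CB_PREFIX + digest


# --- constructed test input (not a real certificate) -----------------------
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def constructed_cert(sig_oid):
    """Constructed stand-in: dummy tbsCertificate, real AlgorithmIdentifier
    with NULL params, empty BIT STRING signature. Only the outer layout matters."""
    tbs = _der(0x30, _der(0x02, b"\x01"))
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + b"\x05\x00")
    sig = _der(0x03, b"\x00")
    return _der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.10045.4.3.3"):
        cert = constructed_cert(oid)
        print(oid, cb_hash_name(oid), server_end_point_cb(cert).hex())
```

A SHA-1-signed certificate still yields a 32-byte digest because of the SHA-256 substitution, and a certificate signed with RSASSA-PSS or Ed25519 is refused, which is the failure mode to expect from real clients with such server certificates. On the OpenLDAP side the binding type is chosen with the LDAP_OPT_X_SASL_CBINDING option named in the commit above; the corresponding ldap.conf(5) keyword is, to my recollection, SASL_CBINDING, which is not shown on this page and should be checked against the man page of the version in use.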
Quanah Gibson-Mount quanah@openldap.org changed:
  Status: RESOLVED -> CONFIRMED
  Resolution: TEST -> ---
  Ever confirmed: 0 -> 1
--- Comment #3 from Quanah Gibson-Mount quanah@openldap.org --- Hi Isaac,
Actually, I need you to provide the appropriate IPR notice or I'll need to back this out. Please see:
https://www.openldap.org/devel/contributing.html#notice
Quanah Gibson-Mount quanah@openldap.org changed:
  Keywords: (none) -> OL_2_5_REQ
--- Comment #4 from Isaac Boukris iboukris@gmail.com --- (In reply to Quanah Gibson-Mount from comment #3)
> Hi Isaac,
> Actually, I need you to provide the appropriate IPR notice or I'll need to back this out. Please see:

Hi Quanah, I'm looking into it.
--- Comment #5 from Isaac Boukris iboukris@gmail.com --- IPR Notice:
The attached file is derived from OpenLDAP Software. All of the modifications to OpenLDAP Software represented in the following patch(es) were developed by Red Hat, Inc. Red Hat, Inc. has not assigned rights and/or interest in this work to any party. I, Isaac Boukris am authorized by Red Hat, Inc., my employer, to release this work under the following terms.
Red Hat, Inc. hereby place the following modifications to OpenLDAP Software (and only these modifications) into the public domain. Hence, these modifications may be freely used and/or redistributed for any purpose with or without attribution and/or other notice.
Quanah Gibson-Mount quanah@openldap.org changed:
  Status: CONFIRMED -> RESOLVED
  Keywords: OL_2_5_REQ -> (none)
  Resolution: --- -> TEST
--- Comment #6 from Quanah Gibson-Mount quanah@openldap.org --- Great, tyvm!
--- Comment #7 from Quanah Gibson-Mount quanah@openldap.org --- Commits:
• 4cac398b by Isaac Boukris at 2020-04-23T22:28:51+00:00 ITS#9189 - initialize ldo_sasl_cbinding in LDAP_LDO_SASL_NULLARG
Quanah Gibson-Mount quanah@openldap.org changed:
  Status: RESOLVED -> VERIFIED
  Resolution: TEST -> FIXED
--- Comment #8 from dpa-openldap@aegee.org dpa-openldap@aegee.org --- At https://github.com/cyrusimap/cyrus-sasl/issues/637 I objected to how the interoperability is achieved. RFC 4752 says the GSSAPI SASL mechanism offers no channel binding. Users of Cyrus SASL, if they utilize the API correctly, shall be able to offer the SASL mechanisms GS2-KRB5, GS2-KRB5-PLUS and GSSAPI (per RFC 4752, without CB) at the same time. With the adjustments to libsasl/plugins/gssapi.c to become compatible with MS LDAP over TLS, the libsasl2 users are now incompatible with the remaining GSSAPI clients.
--- Comment #9 from Quanah Gibson-Mount quanah@openldap.org --- head:
• 76947f26 by Ondřej Kuzník at 2022-02-14T20:32:29+00:00 ITS#9189 Fix typo
--- Comment #10 from Quanah Gibson-Mount quanah@openldap.org --- RE26:
• 7dd370aa by Ondřej Kuzník at 2022-02-18T23:19:01+00:00 ITS#9189 Fix typo
--- Comment #11 from Quanah Gibson-Mount quanah@openldap.org --- RE25:
• 74811fb4 by Ondřej Kuzník at 2022-02-18T23:20:11+00:00 ITS#9189 Fix typo