Re: GSSAPI signing/encryption for unsuspectingly applications (its not a bug)
mikbec wrote:
Patch related to "(ITS#6110) GSSAPI signing/encryption for
unsuspectingly applications" is more an enhancement than a bug report.
That's fine, patches are supposed to be tracked in ITS anyway.
However, it seems to me that these patches are duplicating functionality
that's already provided by SASL/GSSAPI. On that basis I'm inclined to reject
them. I'm beginning to regret including the ldap_gssapi_bind_s() function as
well; that is totally nonstandard and duplicates functionality that has been
available in the standard API for over 8 years.
Please have a look at patch on
ftp://ftp.openldap.org/incoming/mike-becher-090512.libraries-libldap.patch
or ITS report on
http://www.openldap.org/its/index.cgi/Incoming?id=6110;selectid=6110
In short that patch:
1) adds call of ldap_gssapi_bind_s() at the beginning of
ldap_sasl_interactive_bind_s() which can be turn on or off by an GSSAPI
OPTION (manual update of ldap.conf (5) included) to provide GSSAPI
signing/encryption for applications that use (and only know)
ldap_sasl_interactive_bind_s(),
2) adds the missed implementation of "switch off" functionality of all
other GSSAPI OPTIONS.
3) corrects one string length problem in guess_service_principal() and
4) corrects one hostname resolving problem in guess_service_principal().
Sorry for that kind of announcement but I hope now it is on the right
mailing list.
best regards
Mike
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/