Michael B Allen wrote:
> Hello,
> I've implemented SASL binds for GSSAPI and GSS-SPNEGO using a Sockbuf_IO_Desc handler instead of libsasl. Everything works great but I've noticed some behavior from the server I'm using that is not consistent with the available documentation (RFC 2222 and draft-ietf-sasl-gssapi-03 by Melnikov). Would anyone happen to know where I might ask about GSS-SPNEGO protocol details? Is there an IETF mailing list somewhere?
Have you already read RFC2478?
> There are three issues:
> - GSS-SPNEGO search replies are sealed even though the request was not, and a capture of another client talking to the same server shows replies as integ-only. An examination of the captures of my code and the other client shows the packets are identical (minus BER encoding differences and encrypted krb5 bits).
That would normally require the confidentiality flag to be set on the ContextFlags of the NegotiationToken.
> - GSS-SPNEGO does not appear to use the additional bind exchange to negotiate the security-layer bit mask like GSSAPI does.
> - GSSAPI can use what is apparently the DN of an account called the "authorization identity". The actual values for this field do not appear to be documented anywhere.
An authorization identity is a standard concept in SASL. It can be a simple username or a DN.
> I don't suppose I should care since the code works fine but I do. Any pointers are appreciated.
> Mike.
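For readers following the second and third points (the extra GSSAPI bind exchange and the trailing "authorization identity"), here is an added illustration that is not part of either poster's code or of any library they mention. It encodes and decodes the 4-byte security-layer negotiation payload defined in RFC 2222 section 7.2.1 (carried forward unchanged into RFC 4752, the successor of the draft cited above) and shows how a client picks a layer from the server's offer. The payload is what travels inside the GSS_Wrap token of the second bind round trip; the example deals only with the unwrapped bytes, and the sample server token and DN below are constructed values.

```python
"""Encode/decode the SASL GSSAPI security-layer negotiation payload.

Layout of the unwrapped bytes (RFC 2222 section 7.2.1 / RFC 4752 section 3.1):
    byte 0     : bitmask of security layers (server: offered; client: the one chosen)
    bytes 1..3 : maximum message size the sender can receive, 24-bit big-endian
    bytes 4..  : client token only, optional authorization identity (UTF-8)
On the wire this payload is carried inside GSS_Wrap(conf_flag=FALSE); this example
handles only the payload, not the GSS wrapping.
"""

SEC_NONE = 0x01             # no security layer after the bind
SEC_INTEGRITY = 0x02        # integrity only (GSS_Wrap with conf_flag FALSE)
SEC_CONFIDENTIALITY = 0x04  # integrity + confidentiality (GSS_Wrap with conf_flag TRUE)
_ALL_LAYERS = SEC_NONE | SEC_INTEGRITY | SEC_CONFIDENTIALITY
_NAMES = {SEC_NONE: "none", SEC_INTEGRITY: "integrity", SEC_CONFIDENTIALITY: "confidentiality"}


def encode_layer_token(layers: int, max_size: int, authzid: str = "") -> bytes:
    """Build the payload; authzid is only meaningful in the client's token."""
    if layers & ~_ALL_LAYERS:
        raise ValueError(f"unknown security-layer bits: {layers:#04x}")
    if not 0 <= max_size < (1 << 24):
        raise ValueError("max_size must fit in 24 bits")
    return bytes([layers]) + max_size.to_bytes(3, "big") + authzid.encode("utf-8")


def decode_layer_token(token: bytes) -> tuple[int, int, str]:
    """Split the payload into (layer bitmask, max size, authorization identity)."""
    if len(token) < 4:
        raise ValueError("security-layer token shorter than 4 bytes")
    layers = token[0]
    if layers & ~_ALL_LAYERS:
        raise ValueError(f"unknown security-layer bits: {layers:#04x}")
    max_size = int.from_bytes(token[1:4], "big")
    # An empty identity means "authorize me as the principal I authenticated as".
    # What a non-empty value may look like (user name, DN, ...) is server policy.
    authzid = token[4:].decode("utf-8")
    return layers, max_size, authzid


def layer_names(layers: int) -> list[str]:
    """Human-readable view of a bitmask, e.g. for logging the server's offer."""
    return [name for bit, name in _NAMES.items() if layers & bit]


def choose_layer(server_offer: int, client_acceptable: int) -> int:
    """Client side: pick the strongest layer both sides allow, or fail the bind."""
    common = server_offer & client_acceptable
    for bit in (SEC_CONFIDENTIALITY, SEC_INTEGRITY, SEC_NONE):
        if common & bit:
            return bit
    raise ValueError("no mutually acceptable security layer; abort the bind")


def client_reply_for(server_token: bytes, client_acceptable: int,
                     client_max_size: int, authzid: str = "") -> bytes:
    """Parse the server's offer and produce the client's final payload."""
    offered, _server_max, _ = decode_layer_token(server_token)
    chosen = choose_layer(offered, client_acceptable)
    # The RFCs require a max size of 0 when no security layer is in use.
    size = 0 if chosen == SEC_NONE else client_max_size
    return encode_layer_token(chosen, size, authzid)


if __name__ == "__main__":
    # Constructed server offer: all three layers, max message size 65536.
    server_token = bytes([0x07, 0x01, 0x00, 0x00])
    print("server offers:", layer_names(decode_layer_token(server_token)[0]))
    # Constructed DN used purely as a placeholder authorization identity.
    reply = client_reply_for(server_token, SEC_INTEGRITY | SEC_CONFIDENTIALITY,
                             0xFFFF, "cn=example,dc=example,dc=com")
    print("client reply:", reply.hex())
```

A client that insists on `SEC_CONFIDENTIALITY` and sees only `SEC_NONE` or `SEC_INTEGRITY` offered should abort rather than silently continue, which is the check `choose_layer` performs; logging `layer_names()` of the server's offer is also the quickest way to compare what two different clients were actually offered in captures like the ones described above.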