mikbec wrote:
Howard Chu wrote:
mikbec wrote:
Patch related to "(ITS#6110) GSSAPI signing/encryption for unsuspectingly applications" is more an enhancement than a bug report.
That's fine, patches are supposed to be tracked in ITS anyway.
However, it seems to me that these patches are duplicating functionality that's already provided by SASL/GSSAPI. On that basis I'm inclined to
You are right if you think that SASL with GSSAPI support should do that stuff. But firstly, the SASL/GSSAPI code in OpenLDAP seems to support only the authentication part if you try to connect to something like an MS Active Directory Controller. After authentication is done successfully, it seems that the integrity and confidentiality protection part via SASL/GSSAPI will be switched off... hmmmmm.
I've seen this all work correctly in the past with AD, so either AD has changed recently, or your Kerberos configuration is wrong, or your Kerberos library is broken.
Secondly, it seems that the Cyrus SASL code does not support an SSF larger than 56 for GSSAPI-based signing/encryption (aka integrity/confidential
Also wrong, Cyrus SASL/GSSAPI is known to work with up to ssf=112.