Now that Cyrus SASL 2.1.25 is out with channel binding support, we should be looking into adding the hooks needed to use it. I believe what we want to expose is an ldap_get_option(ld, LDAP_OPT_X_TLS_BINDING, &foo) to retrieve the tls-unique binding data from the underlying TLS session. Then we pass this into SASL using sasl_setprop(ctx, SASL_CHANNEL_BINDING, foo). The actual ldap_get_option() code will have to be added for each TLS implementation.
It seems pretty straightforward, am I missing anything?

Howard Chu wrote:
> Now that Cyrus SASL 2.1.25 is out with channel binding support, we should be looking into adding the hooks needed to use it. I believe what we want to expose is an ldap_get_option(ld, LDAP_OPT_X_TLS_BINDING, &foo) to retrieve the tls-unique binding data from the underlying TLS session. Then we pass this into SASL using sasl_setprop(ctx, SASL_CHANNEL_BINDING, foo). The actual ldap_get_option() code will have to be added for each TLS implementation.

How can I use it from python-ldap? python-ldap is mainly a wrapper around the OpenLDAP client libs. Everything which can be done within C has to be exposed in this wrapper module. I guess wrapper modules for other scripting languages have the same requirements.

SASL params (SASL_CB_* in sasl.h) are usually passed to cyrus-sasl by a call-back dictionary. But I guess it should be possible to set SASL_CHANNEL_BINDING via ldap_set_option().

Puuh, I'm not really familiar with the C APIs as I did not write the C parts of python-ldap...

Ciao, Michael.

Michael Ströder wrote:
> Howard Chu wrote:
>> Now that Cyrus SASL 2.1.25 is out with channel binding support, we should be looking into adding the hooks needed to use it. I believe what we want to expose is an ldap_get_option(ld, LDAP_OPT_X_TLS_BINDING, &foo) to retrieve the tls-unique binding data from the underlying TLS session. Then we pass this into SASL using sasl_setprop(ctx, SASL_CHANNEL_BINDING, foo). The actual ldap_get_option() code will have to be added for each TLS implementation.
>
> How can I use it from python-ldap? python-ldap is mainly a wrapper around the OpenLDAP client libs. Everything which can be done within C has to be exposed in this wrapper module. I guess wrapper modules for other scripting languages have the same requirements.

Possibly it should just be set implicitly by the sasl_interactive_bind APIs, so clients don't need to do anything new at all. I was more concerned with how to implement this in slapd.

> SASL params (SASL_CB_* in sasl.h) are usually passed to cyrus-sasl by a call-back dictionary. But I guess it should be possible to set SASL_CHANNEL_BINDING via ldap_set_option().
>
> Puuh, I'm not really familiar with the C APIs as I did not write the C parts of python-ldap...
>
> Ciao, Michael.

Howard Chu wrote:
> Michael Ströder wrote:
>> Howard Chu wrote:
>>> Now that Cyrus SASL 2.1.25 is out with channel binding support, we should be looking into adding the hooks needed to use it. I believe what we want to expose is an ldap_get_option(ld, LDAP_OPT_X_TLS_BINDING, &foo) to retrieve the tls-unique binding data from the underlying TLS session. Then we pass this into SASL using sasl_setprop(ctx, SASL_CHANNEL_BINDING, foo). The actual ldap_get_option() code will have to be added for each TLS implementation.
>>
>> How can I use it from python-ldap? python-ldap is mainly a wrapper around the OpenLDAP client libs. Everything which can be done within C has to be exposed in this wrapper module. I guess wrapper modules for other scripting languages have the same requirements.
>
> Possibly it should just be set implicitly by the sasl_interactive_bind APIs, so clients don't need to do anything new at all.

Hmm, I'd like to have control over that within a Python application. Because there might be interop issues with broken servers where the client wants to turn it off or massage the tls-unique binding data or...

Ciao, Michael.
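To illustrate what the tls-unique data retrieved through the proposed ldap_get_option()/sasl_setprop() path actually buys, and why a TLS-terminating intermediary is the interop case Michael mentions, here is an added Python model that is not OpenLDAP, Cyrus SASL or python-ldap code. The TLS session values, password and salt are constructed, and the proof is a simplified SCRAM-style HMAC rather than the full SCRAM exchange; the bind succeeds only when the client and the server see the same TLS session.

```python
import hashlib
import hmac
import secrets

CB_TYPE = b"tls-unique"  # the binding type the thread proposes to retrieve from the TLS layer


def new_tls_session_unique() -> bytes:
    # Constructed stand-in for a session's tls-unique value. Per RFC 5929 it is the
    # first TLS Finished message of that session, so every TLS session yields a
    # different value; a real client would read it from the TLS library (the thread's
    # proposed ldap_get_option(ld, LDAP_OPT_X_TLS_BINDING, ...)).
    return secrets.token_bytes(12)


def channel_binding(cb_type: bytes, cb_data: bytes) -> bytes:
    # The same two pieces of information Cyrus SASL's sasl_channel_binding_t carries
    # (name, data), serialised the way GS2/SCRAM fold them into the authenticated exchange.
    return b"p=" + cb_type + b",," + cb_data


def client_proof(password: bytes, salt: bytes, auth_msg: bytes, cb_data: bytes) -> bytes:
    # Simplified SCRAM-style proof: the channel binding is covered by the MAC, so the
    # proof is only valid for the TLS session the client actually negotiated.
    key = hashlib.pbkdf2_hmac("sha256", password, salt, 4096)
    return hmac.new(key, channel_binding(CB_TYPE, cb_data) + auth_msg, "sha256").digest()


def server_verify(password: bytes, salt: bytes, auth_msg: bytes, cb_data: bytes, proof: bytes) -> bool:
    # The server recomputes the proof with the tls-unique of *its own* TLS session.
    expected = client_proof(password, salt, auth_msg, cb_data)
    return hmac.compare_digest(expected, proof)


PASSWORD, SALT, AUTH_MSG = b"constructed-password", b"constructed-salt", b"n=user,r=nonce"  # constructed


def bind_direct() -> bool:
    # One TLS session end to end: client and server see the same tls-unique.
    tls_unique = new_tls_session_unique()
    proof = client_proof(PASSWORD, SALT, AUTH_MSG, tls_unique)
    return server_verify(PASSWORD, SALT, AUTH_MSG, tls_unique, proof)  # True


def bind_through_tls_terminator() -> bool:
    # A TLS-terminating intermediary (load balancer, proxy, or an attacker in the middle)
    # holds two separate TLS sessions, each with its own Finished message, so the server's
    # tls-unique never matches the one the client bound to.
    client_side, server_side = new_tls_session_unique(), new_tls_session_unique()
    proof = client_proof(PASSWORD, SALT, AUTH_MSG, client_side)
    return server_verify(PASSWORD, SALT, AUTH_MSG, server_side, proof)  # False
```

The second case is why a deployment that legitimately terminates TLS in front of slapd needs the client-side switch Michael asks for, and also why the binding is worth having against an unwanted terminator.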