On Fri, Dec 12, 2008 at 1:51 PM, Philip Guenther guenther+ldapsoft@sendmail.com wrote:
On Fri, 12 Dec 2008, Dan White wrote:
Jeremiah Martell wrote:
Is there a way, when calling "ldap_sasl_interactive_bind_s", to tell it that when it does LDAP+GSSAPI authentication, only use GSSAPI for authentication, and not confidentiality?
In other words, just use GSSAPI to encrypt the authentication part, but not all subsequent searches, etc.
You can use SASL security properties to accomplish that.
...
dwhite@zek:~$ ldapwhoami -Y GSSAPI -h ldap.example.net -O maxssf=0
SASL/GSSAPI authentication started
SASL username: dwhite@EXAMPLE.NET
SASL SSF: 0
dn:uid=dwhite@example.net,ou=people,dc=example,dc=net
Hmm, how about integrity checking? If you want/need to protect your connection from substitution attacks or TCP hijacking then you should specify a maxssf of one. The GSSAPI layer would then still carry a crypto hash of the data without encrypting it.
Philip Guenther
Interesting. I wanted to do this because Microsoft servers complain about redundant encryption.
If your GSSAPI provides confidentiality, and you're trying to use TLS, they barf out this error: Cannot start kerberos signing/sealing when using TLS/SSL
I just verified that if I set maxssf=0 like Dan said, it makes GSSAPI not do confidentiality, and then when I use TLS with GSSAPI, I don't get that error anymore.
I'll experiment with setting it to 1, but perhaps I'm already protected by using TLS from the things you mentioned?
Thanks,
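As an added example (not code from any message in this thread): a small shell wrapper around ldapwhoami that selects the GSSAPI protection level by name, passes the matching SASL security properties with -O as Dan's command does, and then checks the "SASL SSF:" line the tool prints so the caller can confirm the layer that was actually negotiated (0 for authentication only, 1 for the integrity-only layer Philip describes). The level names, the function names and the host are assumptions for illustration; the sample output used in the comments is constructed from the whoami output quoted above.

```shell
#!/bin/sh
# Added example, not from the thread. Level names, function names and the
# host are assumptions; see the lead-in.

# Map a protection level to the SASL security properties passed with -O.
#   none      -> authenticate only, no integrity or privacy layer (maxssf=0)
#   integrity -> integrity layer (a crypto hash over the data) but no
#                encryption (minssf=1,maxssf=1)
sasl_props_for_level() {
    case "$1" in
        none)      printf '%s\n' 'maxssf=0' ;;
        integrity) printf '%s\n' 'minssf=1,maxssf=1' ;;
        *) printf 'unknown protection level: %s\n' "$1" >&2; return 1 ;;
    esac
}

# SSF value that ldapwhoami should report for each level.
expected_ssf_for_level() {
    case "$1" in
        none)      echo 0 ;;
        integrity) echo 1 ;;
        *) return 1 ;;
    esac
}

# Extract N from the "SASL SSF: N" line in ldapwhoami's output.
# Prints nothing and returns 1 if the line is absent (e.g. bind failed early).
negotiated_ssf() {
    ssf=$(printf '%s\n' "$1" | sed -n 's/^SASL SSF: *\([0-9][0-9]*\).*/\1/p' | head -n 1)
    [ -n "$ssf" ] || return 1
    printf '%s\n' "$ssf"
}

# Verify that the SSF the client negotiated is the one the level asked for.
check_ssf() {
    level=$1; output=$2
    want=$(expected_ssf_for_level "$level") || return 1
    got=$(negotiated_ssf "$output") || { echo "no SASL SSF line in output" >&2; return 1; }
    if [ "$got" -ne "$want" ]; then
        echo "negotiated SASL SSF $got, expected $want for level '$level'" >&2
        return 1
    fi
    return 0
}

# Run ldapwhoami against HOST at the given level. Extra arguments are passed
# through, e.g. -ZZ to require StartTLS for the TLS + GSSAPI case discussed
# above. Fails if the bind fails or the negotiated SSF is not the expected one.
whoami_with_level() {
    level=$1; host=$2; shift 2
    props=$(sasl_props_for_level "$level") || return 1
    # The SASL diagnostics may be written to stderr, so capture both streams.
    out=$(ldapwhoami -Y GSSAPI -H "ldap://$host" -O "$props" "$@" 2>&1) || {
        printf '%s\n' "$out" >&2; return 1; }
    check_ssf "$level" "$out" || return 1
    printf '%s\n' "$out"
}

# Example invocation (needs a Kerberos ticket and a reachable server;
# host name is an assumption):
#   whoami_with_level none ldap.example.net -ZZ
#   whoami_with_level integrity ldap.example.net
```

With level "none" plus -ZZ the SASL SSF line reads 0 and the connection's protection comes from TLS alone, which is the combination that avoids the Microsoft "signing/sealing when using TLS/SSL" error mentioned above; with "integrity" the GSSAPI layer carries a hash but no encryption, so the check expects SSF 1.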