Jeremiah Martell wrote:
Is there a way, when calling "ldap_sasl_interactive_bind_s", to tell it that when it does LDAP+GSSAPI authentication, only use GSSAPI for authentication, and not confidentiality?
In other words, just use GSSAPI to encrypt the authentication part, but not all subsequent searches, etc.
Thanks,
Jeremiah,
You can use SASL security properties to accomplish that.
For instance:
dwhite@zek:~$ ldapwhoami -Y GSSAPI -h ldap.example.net
SASL/GSSAPI authentication started
SASL username: dwhite@EXAMPLE.NET
SASL SSF: 56
SASL data security layer installed.
dn:uid=dwhite@example.net,ou=people,dc=example,dc=net

dwhite@zek:~$ ldapwhoami -Y GSSAPI -h ldap.example.net -O maxssf=0
SASL/GSSAPI authentication started
SASL username: dwhite@EXAMPLE.NET
SASL SSF: 0
dn:uid=dwhite@example.net,ou=people,dc=example,dc=net
Programmatically, I think you would pass the string 'maxssf=0' within your call.
As for the authentication step, GSSAPI should be secured based on your ticket negotiation regardless of the SSF setting, I believe.
- Dan
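The following is an added example and is not code from either poster or from OpenLDAP. It shows the two pieces a practitioner usually wants around this answer: building the SASL security-properties string that the `-O` option, `SASL_SECPROPS` in ldap.conf and the `LDAP_OPT_X_SASL_SECPROPS` client option all accept, and checking from client output of the form shown above whether a GSSAPI bind actually ended up with a data security layer (SSF > 0) or was authentication-only (SSF 0). The `gssapi_bind_auth_only` helper assumes python-ldap with GSSAPI support and a valid Kerberos ticket; it is the programmatic equivalent of `-O maxssf=0` and is not exercised by the self-check at the bottom. The two transcripts embedded in the block are copied from the reply above and are used as sample input.

```python
"""Added example: SASL security properties for an auth-only GSSAPI bind,
plus a check that no data security layer was negotiated."""
import re
from typing import Optional


def sasl_secprops(maxssf: Optional[int] = None, minssf: Optional[int] = None,
                  noplain: bool = False) -> str:
    """Build the comma-separated security-properties value.

    maxssf=0 forbids any integrity or confidentiality layer, so GSSAPI is used
    only to authenticate; later LDAP traffic is then unprotected unless the
    connection itself uses TLS (ldaps:// or StartTLS).
    """
    props = []
    if noplain:
        props.append("noplain")
    if minssf is not None:
        props.append(f"minssf={minssf}")
    if maxssf is not None:
        props.append(f"maxssf={maxssf}")
    return ",".join(props)


_SSF_RE = re.compile(r"^SASL SSF:\s*(\d+)\s*$", re.MULTILINE)


def negotiated_layer(client_output: str) -> dict:
    """Parse ldapwhoami/ldapsearch-style SASL diagnostics.

    Returns the negotiated SSF, whether the client reported a data security
    layer, and whether the bind was authentication-only (SSF 0).
    """
    match = _SSF_RE.search(client_output)
    if match is None:
        raise ValueError("no 'SASL SSF:' line found in client output")
    ssf = int(match.group(1))
    layer = "SASL data security layer installed." in client_output
    return {"ssf": ssf, "layer_installed": layer, "auth_only": ssf == 0}


def gssapi_bind_auth_only(uri: str) -> str:
    """Assumed environment: python-ldap built with SASL/GSSAPI and a Kerberos
    ticket in the credential cache.  Sets maxssf=0 before the interactive bind
    so no security layer is negotiated, then returns the bound identity."""
    import ldap          # imported here so the rest of the file runs without it
    import ldap.sasl
    conn = ldap.initialize(uri)
    conn.set_option(ldap.OPT_X_SASL_SECPROPS, sasl_secprops(maxssf=0))
    conn.sasl_interactive_bind_s("", ldap.sasl.gssapi())
    return conn.whoami_s()


# Sample input: the two transcripts from the reply above (constructed test data).
OUTPUT_DEFAULT = """SASL/GSSAPI authentication started
SASL username: dwhite@EXAMPLE.NET
SASL SSF: 56
SASL data security layer installed.
dn:uid=dwhite@example.net,ou=people,dc=example,dc=net
"""

OUTPUT_MAXSSF0 = """SASL/GSSAPI authentication started
SASL username: dwhite@EXAMPLE.NET
SASL SSF: 0
dn:uid=dwhite@example.net,ou=people,dc=example,dc=net
"""

if __name__ == "__main__":
    print(sasl_secprops(maxssf=0))
    print(negotiated_layer(OUTPUT_DEFAULT))
    print(negotiated_layer(OUTPUT_MAXSSF0))
```

The same string works wherever OpenLDAP reads security properties, so the check is useful both for a client you control and for spotting, in logs or scripted output, a bind that silently negotiated a layer you did not want (or, more often, one that did not negotiate the layer you did want).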