On Fri, 12 Dec 2008, Dan White wrote:
Jeremiah Martell wrote:
Is there a way, when calling "ldap_sasl_interactive_bind_s", to tell it that when it does LDAP+GSSAPI authentication, only use GSSAPI for authentication, and not confidentiality?
In other words, just use GSSAPI to encrypt the authentication part, but not all subsequent searches, etc.
You can use SASL security properties to accomplish that.
...
dwhite@zek:~$ ldapwhoami -Y GSSAPI -h ldap.example.net -O maxssf=0
SASL/GSSAPI authentication started
SASL username: dwhite@EXAMPLE.NET
SASL SSF: 0
dn:uid=dwhite@example.net,ou=people,dc=example,dc=net
Hmm, how about integrity checking? If you want/need to protect your connection from substitution attacks or TCP hijacking then you should specify a maxssf of one. The GSSAPI layer would then still carry a crypto hash of the data without encrypting it.
Philip Guenther
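As an added example that is not part of the thread above, the following shell wrapper puts the two suggestions together: it passes the SASL security properties on the ldapwhoami command line (maxssf=0 for authentication only, or minssf=1,maxssf=1 for an integrity-only GSSAPI layer as Philip describes) and then reads the "SASL SSF:" line the client tool reports back, refusing to continue if the negotiated SSF is below the minimum that was asked for. The host name, the Kerberos principal in the sample output, and the policy names ("auth-only", "integrity-only") are placeholders chosen for the example; the sample output embedded in the block is constructed, modelled on the session shown above, so the checks can be exercised without a directory server. The tool's SASL diagnostics are captured with 2>&1 because ldapwhoami writes them to stderr.

```shell
#!/bin/sh
# Added example, not code from the thread: choose SASL security properties
# for GSSAPI and verify the SSF the client actually negotiated.

# Pull the negotiated SSF out of ldapwhoami's diagnostic output.
# ldapwhoami prints "SASL SSF: N" (N is 0 for no layer, 1 for integrity only,
# larger for confidentiality).
ssf_from_output() {
    sed -n 's/^SASL SSF: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Return 0 if the reported SSF is at least $1, 1 otherwise.
# $1 = required minimum SSF, $2 = captured tool output.
ssf_meets_policy() {
    min="$1"
    got=$(printf '%s\n' "$2" | ssf_from_output)
    [ -n "$got" ] || return 1          # no SASL bind was reported at all
    [ "$got" -ge "$min" ]
}

# Map a policy name (names are placeholders for this example) to the
# property string given to -O.  auth-only is Dan's maxssf=0; integrity-only
# is Philip's suggestion, with minssf=1 added so libsasl itself rejects a
# downgrade to SSF 0 instead of silently accepting it.
secprops_for() {
    case "$1" in
        auth-only)      echo "maxssf=0" ;;
        integrity-only) echo "minssf=1,maxssf=1" ;;
        *)              return 1 ;;
    esac
}

# The minssf= value contained in a property string, or 0 if none was set.
min_ssf_of() {
    printf '%s\n' "$1" | sed -n 's/.*minssf=\([0-9][0-9]*\).*/\1/p' | grep . || echo 0
}

# Live wrapper: needs a Kerberos ticket and a reachable directory.
# $1 = policy name, $2 = LDAP host (ldap.example.net is a placeholder).
gssapi_whoami() {
    policy="$1"; host="${2:-ldap.example.net}"
    props=$(secprops_for "$policy") || { echo "unknown policy: $policy" >&2; return 2; }
    out=$(ldapwhoami -Y GSSAPI -H "ldap://$host" -O "$props" 2>&1) || {
        printf '%s\n' "$out" >&2; return 1; }
    ssf_meets_policy "$(min_ssf_of "$props")" "$out" || {
        echo "negotiated SSF below policy ($props)" >&2; return 3; }
    printf '%s\n' "$out"
}

# Constructed sample output (modelled on the session quoted in the thread)
# so the checks can be run offline.
SAMPLE_INTEGRITY='SASL/GSSAPI authentication started
SASL username: dwhite@EXAMPLE.NET
SASL SSF: 1
SASL data security layer installed.
dn:uid=dwhite@example.net,ou=people,dc=example,dc=net'

# Offline demonstration: returns 0 when the sample meets the integrity policy
# but not a hypothetical confidentiality policy of SSF 56.
demo() {
    ssf_meets_policy "$(min_ssf_of "$(secprops_for integrity-only)")" "$SAMPLE_INTEGRITY" || return 1
    ssf_meets_policy 56 "$SAMPLE_INTEGRITY" && return 1
    return 0
}
```

The same property string is what the C API takes: call ldap_set_option(ld, LDAP_OPT_X_SASL_SECPROPS, "minssf=1,maxssf=1") on the handle before ldap_sasl_interactive_bind_s, and read the negotiated value back afterwards with ldap_get_option(ld, LDAP_OPT_X_SASL_SSF, &ssf) (a sasl_ssf_t), which is the check gssapi_whoami above performs by parsing the tool's output. Requesting maxssf=0 means any SSF passes, including 0, which is exactly the "authentication only" behaviour the original question asked for; the integrity-only policy is where the post-bind check matters.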