Michael B Allen wrote:
Anyway, I have GSS-SPNEGO almost working (only wrapping outgoing messages at the moment; unwrapping is tomorrow), but it required modifying libldap and liblber. I added an ldap_set_inspect_hdlr function that sets read/write callbacks. They're invoked in sockbuf.c:{ber_int_sb_read,ber_int_sb_write} if the Sockbuf has a handler installed. The user must supply a handler that reads/writes and "inspects" the buffers, possibly writing alternative data (i.e. the gss_wrap'd data).
The modifications were pretty simple and clean. Is there a better way?
Assuming that OpenLDAP was the appropriate home for such code (which it is not), the correct approach would be to write a new Sockbuf handler and push it onto the existing stack of handlers. That's how both SASL and TLS are implemented. Mucking with sockbuf.c itself is definitely the wrong way. The whole point of the sockbuf infrastructure is that it allows arbitrary processing layers to be stacked without having to modify any core code.