Hi Andreas,
On Mon, Jul 25, 2022 at 6:00 PM Andreas Hasenack andreas@canonical.com wrote:
> Hello,
>
> openldap 2.5.12
> cyrus-sasl 2.1.28 + sasl channel binding patch[1] + gss-spnego maxssf=0 patch[2]
> openldap linked with gnutls
> libsasl2-modules-gssapi-mit
>
> I'm currently testing the patches[1][2] for sasl channel binding over GSSAPI + ssl/tls connection, and was wondering if I could get openldap to reject ldaps connections without sasl channel binding. Currently it seems to always accept it, but I can't be sure CB was even checked by the server by looking at logs (even with -d -1). I got windows 2016 AD to reject ldaps connections without CB over gssapi and gss-spnego, so the client part of openldap (ldapwhoami specifically) seems ok.
>
> I looked at test 077[3] and it runs the server with this configuration:
>
>     dn: cn=config
>     changetype: modify
>     replace: olcSaslCBinding
>     olcSaslCBinding: ${acb}
>
> Where `${acb}` loops over the 3 valid values of "none" "tls-unique" "tls-endpoint".
>
> Then a simple connection with ldapwhoami is attempted, also looping -o SASL_CBINDING=$icb over those values.
>
> I have seen the comment in that test script that it looks like tls-unique is broken when used with gnutls[4], and also a comment about MIT failing in another case[5].
>
> When trying it manually, though, I could never get the client connection to be refused by the server. Before digging in deeper, let me just ask if my understanding is correct:
>
> - server configured with:
>
>     dn: cn=config
>     changetype: modify
>     replace: olcSaslCBinding
>     olcSaslCBinding: tls-endpoint
>
> - client connecting to that server over ldaps://, with GSSAPI, and with -o SASL_CBINDING=none
>
> Should that client be rejected?
That's exactly case [5] you refer to above; the answer is as in the comment: it will be rejected with old MIT libs, but not with newer ones, nor will it be rejected with Heimdal. To get the client rejected you need both client and server to set bindings, and those bindings must not match. Otherwise, to properly handle this case where the server sets a binding and the client does not, the returned flags could be checked for GSS_C_CHANNEL_BOUND_FLAG, which was added in recent Heimdal/MIT libs; see the links below. I guess a new server option could be added to require CBT, implemented by checking this flag.

MIT and Heimdal related changes:
https://github.com/krb5/krb5/pull/1047
https://github.com/heimdal/heimdal/pull/712
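An added test harness, not from this thread and not OpenLDAP's own test 077, that drives the 3x3 olcSaslCBinding / SASL_CBINDING matrix described above and compares each ldapwhoami outcome with the verdict the reply gives (rejected only when both sides set a binding type and the types differ). It assumes ldap-utils, a Kerberos ticket in the client's cache, SASL EXTERNAL access to cn=config over ldapi:///, and the placeholder hostname ldap.example.test; setting OLD_MIT=1 switches the expected table to the old-MIT behaviour the reply mentions, where server-set binding plus a client with SASL_CBINDING=none is also rejected.

```shell
#!/bin/sh
# Added example: exercise OpenLDAP SASL channel-binding enforcement over ldaps://
# with GSSAPI. Assumptions (not from the thread): ldap-utils installed, a valid
# Kerberos ticket, cn=config writable via ldapi:/// with SASL EXTERNAL, and the
# placeholder server name below.

LDAPS_URI="${LDAPS_URI:-ldaps://ldap.example.test}"   # placeholder hostname
CONFIG_URI="${CONFIG_URI:-ldapi:///}"

# Expected verdict per the reply: a bind fails only when BOTH the server and the
# client set a binding type and the two types differ. With OLD_MIT=1, a server
# that sets a type while the client sets "none" is also expected to fail.
# Prints "accept" or "reject".
expect_reject() {
    server_cb=$1
    client_cb=$2
    if [ "${OLD_MIT:-0}" = 1 ] && [ "$server_cb" != none ] && [ "$client_cb" = none ]; then
        echo reject
        return 0
    fi
    if [ "$server_cb" != none ] && [ "$client_cb" != none ] && [ "$server_cb" != "$client_cb" ]; then
        echo reject
    else
        echo accept
    fi
}

# Set olcSaslCBinding on the running server (same LDIF as test 077 uses).
set_server_cb() {
    ldapmodify -Q -Y EXTERNAL -H "$CONFIG_URI" >/dev/null <<EOF
dn: cn=config
changetype: modify
replace: olcSaslCBinding
olcSaslCBinding: $1
EOF
}

# One GSSAPI bind over ldaps:// with the requested client-side binding type.
# Prints "accept" if the whoami succeeded, "reject" otherwise.
client_bind() {
    if ldapwhoami -Q -Y GSSAPI -H "$LDAPS_URI" -o SASL_CBINDING="$1" >/dev/null 2>&1; then
        echo accept
    else
        echo reject
    fi
}

# Walk the full matrix; returns non-zero if any observed result differs from
# the expected one, which is the signal that the server is not enforcing what
# the comment says it should (or that a library quirk, e.g. tls-unique under
# GnuTLS, is in play).
run_matrix() {
    rc=0
    for scb in none tls-unique tls-endpoint; do
        set_server_cb "$scb" || { echo "failed to set olcSaslCBinding=$scb" >&2; return 2; }
        for ccb in none tls-unique tls-endpoint; do
            want=$(expect_reject "$scb" "$ccb")
            got=$(client_bind "$ccb")
            printf 'server=%-12s client=%-12s expected=%-6s got=%-6s' "$scb" "$ccb" "$want" "$got"
            if [ "$got" = "$want" ]; then
                echo ' ok'
            else
                echo ' MISMATCH'
                rc=1
            fi
        done
    done
    return $rc
}

# Only contact a server when explicitly asked: RUN_CB_MATRIX=1 ./cb_matrix.sh
if [ "${RUN_CB_MATRIX:-0}" = 1 ]; then
    run_matrix
fi
```

Run it as `RUN_CB_MATRIX=1 sh cb_matrix.sh` against a test server; a MISMATCH row with server=tls-endpoint and client=none that reads "got=accept" is exactly the situation the reply describes, where only a server-side check of GSS_C_CHANNEL_BOUND_FLAG would turn it into a rejection.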