On 04/15/15 21:10 +0000, Osipov, Michael wrote:
Hi folks,
I am binding against Active Directory with GSSAPI mech and would like to
disable SASL integrity for debugging purposes with Wireshark. Unfortunately, this call fails:
char *secprops = "minssf=0,maxssf=0"; rc = ldap_set_option(ld, LDAP_OPT_X_SASL_SECPROPS, secprops);
with:
Diagnostic message: SASL(-1): generic failure: GSSAPI Error: A required
input parameter could not be read (Unknown error)
Result code: -2
This error is likely produced by your Kerberos library (whichever one Cyrus is compiled against), or perhaps with the way the security properties are passed down from OpenLDAP to Cyrus to Kerberos.
This error comes from MIT Kerberos which receives invalid config input from Cyrus SASL.
Setting a minssf should not be necessary. Do you also get this error with "maxssf=0"? "maxssf=1" may be a more workable option, since encryption is really what you want to turn off, not integrity.
Yes, the error remains the same. Maxssf=1 does not help because integrity won't be disabled. The encryption you are talking about is GSS confidentiality which won't be active anyway with maxssf=1.
I read SASL's code and it is somewhat confusing. You cannot turn off integrity. See here: https://github.com/Paaat/cyrus-sasl/blob/master/plugins/gssapi.c#L1585-L1597
/* Setup req_flags properly */ req_flags = GSS_C_INTEG_FLAG; if (params->props.max_ssf > params->external_ssf) { /* We are requesting a security layer */ req_flags |= GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG; /* Any SSF bigger than 1 is confidentiality. */ /* Let's check if the client of the API requires confidentiality, and it wasn't already provided by an external layer */ if (params->props.max_ssf - params->external_ssf > 1) { /* We want to try for privacy */ req_flags |= GSS_C_CONF_FLAG; } }
This definitively deserves improvement, additionally, mutual auth should be enabled by default.
So, I wouldn't say that this is an error in OpenLDAP.
Michael