Hi folks,
I am binding against Active Directory with GSSAPI mech and would like to disable SASL integrity for debugging purposes with Wireshark. Unfortunately, this call fails:
    char *secprops = "minssf=0,maxssf=0";
    rc = ldap_set_option(ld, LDAP_OPT_X_SASL_SECPROPS, secprops);
with:
Diagnostic message: SASL(-1): generic failure: GSSAPI Error: A required input parameter could not be read (Unknown error) Result code: -2
I am used to this with Java's SASL client where I can set SASL QOP with auth, auth-int, auth-conf.
Is that not possible with OpenLDAP along with CyrusSASL?
For what it is worth, I am on FreeBSD 9.3 with latest OpenLDAP and CyrusSASL from the ports tree.
Regards,
Michael
On 04/15/15 21:10 +0000, Osipov, Michael wrote:
Hi folks,
I am binding against Active Directory with GSSAPI mech and would like to disable SASL integrity for debugging purposes with Wireshark. Unfortunately, this call fails:
    char *secprops = "minssf=0,maxssf=0";
    rc = ldap_set_option(ld, LDAP_OPT_X_SASL_SECPROPS, secprops);
with:
Diagnostic message: SASL(-1): generic failure: GSSAPI Error: A required input parameter could not be read (Unknown error) Result code: -2
This error is likely produced by your Kerberos library (whichever one Cyrus is compiled against), or perhaps with the way the security properties are passed down from OpenLDAP to Cyrus to Kerberos.
Setting a minssf should not be necessary. Do you also get this error with "maxssf=0"? "maxssf=1" may be a more workable option, since encryption is really what you want to turn off, not integrity.
On 04/15/15 21:10 +0000, Osipov, Michael wrote:
Hi folks,
I am binding against Active Directory with GSSAPI mech and would like to disable SASL integrity for debugging purposes with Wireshark. Unfortunately, this call fails:
    char *secprops = "minssf=0,maxssf=0";
    rc = ldap_set_option(ld, LDAP_OPT_X_SASL_SECPROPS, secprops);
with:
Diagnostic message: SASL(-1): generic failure: GSSAPI Error: A required input parameter could not be read (Unknown error)
Result code: -2
This error is likely produced by your Kerberos library (whichever one Cyrus is compiled against), or perhaps with the way the security properties are passed down from OpenLDAP to Cyrus to Kerberos.
This error comes from MIT Kerberos, which receives invalid config input from Cyrus SASL.
Setting a minssf should not be necessary. Do you also get this error with "maxssf=0"? "maxssf=1" may be a more workable option, since encryption is really what you want to turn off, not integrity.
Yes, the error remains the same. maxssf=1 does not help because integrity won't be disabled. The encryption you are talking about is GSS confidentiality, which won't be active anyway with maxssf=1.
I read SASL's code and it is somewhat confusing. You cannot turn off integrity. See here: https://github.com/Paaat/cyrus-sasl/blob/master/plugins/gssapi.c#L1585-L1597
    /* Setup req_flags properly */
    req_flags = GSS_C_INTEG_FLAG;
    if (params->props.max_ssf > params->external_ssf) {
        /* We are requesting a security layer */
        req_flags |= GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG;
        /* Any SSF bigger than 1 is confidentiality. */
        /* Let's check if the client of the API requires confidentiality,
           and it wasn't already provided by an external layer */
        if (params->props.max_ssf - params->external_ssf > 1) {
            /* We want to try for privacy */
            req_flags |= GSS_C_CONF_FLAG;
        }
    }
This definitely deserves improvement; additionally, mutual auth should be enabled by default.
So, I wouldn't say that this is an error in OpenLDAP.
Michael
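An added example, not code from the thread or from Cyrus SASL: it re-implements the req_flags branch from plugins/gssapi.c quoted in the message above as a stand-alone function and tabulates what that branch requests for the maxssf values discussed by Dan and Michael (0, 1, and larger) with and without an external SSF. The GSS flag values are the RFC 2744 constants, defined locally so the program needs no GSS-API headers; the external SSF of 128 standing in for a TLS layer and the larger maxssf of 256 are constructed inputs, not values from the thread. The function only shows which flags would be passed to GSS_Init_sec_context; whether a SASL security layer is then actually used is decided in the later layer negotiation, which the quoted lines do not cover.

```c
#include <stdio.h>
#include <string.h>

/* RFC 2744 request-flag values, defined locally (assumption: the same
 * numeric values <gssapi.h> would provide) so this compiles without GSS-API. */
#define GSS_C_MUTUAL_FLAG   2
#define GSS_C_SEQUENCE_FLAG 8
#define GSS_C_CONF_FLAG     16
#define GSS_C_INTEG_FLAG    32

/* Mirrors the quoted Cyrus SASL branch: max_ssf comes from the "maxssf="
 * security property, external_ssf from an outer layer such as TLS.
 * GSS_C_INTEG_FLAG is set unconditionally; the rest depends on the SSFs. */
unsigned int cyrus_gssapi_req_flags(unsigned int max_ssf, unsigned int external_ssf)
{
    unsigned int req_flags = GSS_C_INTEG_FLAG;

    if (max_ssf > external_ssf) {
        /* A SASL security layer will be offered. */
        req_flags |= GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG;
        if (max_ssf - external_ssf > 1) {
            /* Anything above SSF 1 means privacy (confidentiality). */
            req_flags |= GSS_C_CONF_FLAG;
        }
    }
    return req_flags;
}

/* Render a flag word as the names a reader would look for in a trace,
 * e.g. "INTEG|MUTUAL|SEQUENCE". */
void describe_req_flags(unsigned int flags, char *out, size_t outlen)
{
    struct { unsigned int bit; const char *name; } names[] = {
        { GSS_C_INTEG_FLAG, "INTEG" }, { GSS_C_MUTUAL_FLAG, "MUTUAL" },
        { GSS_C_SEQUENCE_FLAG, "SEQUENCE" }, { GSS_C_CONF_FLAG, "CONF" },
    };
    out[0] = '\0';
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (flags & names[i].bit) {
            if (out[0] != '\0')
                strncat(out, "|", outlen - strlen(out) - 1);
            strncat(out, names[i].name, outlen - strlen(out) - 1);
        }
    }
}

int main(void)
{
    /* Constructed inputs: maxssf 0/1/2 as discussed in the thread, a larger
     * maxssf of 256, and a hypothetical external SSF of 128 for a TLS layer. */
    struct { unsigned int max_ssf, external_ssf; } cases[] = {
        { 0, 0 }, { 1, 0 }, { 2, 0 }, { 256, 0 }, { 256, 128 }, { 1, 128 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        char buf[64];
        unsigned int f = cyrus_gssapi_req_flags(cases[i].max_ssf, cases[i].external_ssf);
        describe_req_flags(f, buf, sizeof buf);
        printf("maxssf=%-3u external_ssf=%-3u -> req_flags=0x%02x (%s)\n",
               cases[i].max_ssf, cases[i].external_ssf, f, buf);
    }
    return 0;
}
```

Running it shows that maxssf=0 (or any maxssf not above the external SSF) requests only INTEG and no layer-related flags, maxssf=1 adds MUTUAL and SEQUENCE without CONF, and anything from maxssf=2 upward adds CONF as well.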
On 04/19/15 17:11 +0000, Osipov, Michael wrote:
On 04/15/15 21:10 +0000, Osipov, Michael wrote:
Hi folks,
I am binding against Active Directory with GSSAPI mech and would like to disable SASL integrity for debugging purposes with Wireshark. Unfortunately, this call fails:
Setting a minssf should not be necessary. Do you also get this error with "maxssf=0"? "maxssf=1" may be a more workable option, since encryption is really what you want to turn off, not integrity.
Yes, the error remains the same. maxssf=1 does not help because integrity won't be disabled. The encryption you are talking about is GSS confidentiality, which won't be active anyway with maxssf=1.
I recall being able to capture GSSAPI traffic with Wireshark several years ago. I wasn't doing it programmatically though. I was either using maxssf=1 or maxssf=0, and was likely using Heimdal.
Dan White wrote:
On 04/19/15 17:11 +0000, Osipov, Michael wrote:
On 04/15/15 21:10 +0000, Osipov, Michael wrote:
Hi folks,
I am binding against Active Directory with GSSAPI mech and would like to disable SASL integrity for debugging purposes with Wireshark. Unfortunately, this call fails:
Setting a minssf should not be necessary. Do you also get this error with "maxssf=0"? "maxssf=1" may be a more workable option, since encryption is really what you want to turn off, not integrity.
Yes, the error remains the same. maxssf=1 does not help because integrity won't be disabled. The encryption you are talking about is GSS confidentiality, which won't be active anyway with maxssf=1.
I recall being able to capture GSSAPI traffic with Wireshark several years ago. I wasn't doing it programmatically though. I was either using maxssf=1 or maxssf=0, and was likely using Heimdal.
If all you want is a readable packet log, you only need to disable confidentiality, not integrity.
Meanwhile, you can just use libldap's packet logging if you want a packet trace even with confidentiality.
Dan White wrote:
On 04/19/15 17:11 +0000, Osipov, Michael wrote:
On 04/15/15 21:10 +0000, Osipov, Michael wrote:
Hi folks,
I am binding against Active Directory with GSSAPI mech and would like to disable SASL integrity for debugging purposes with Wireshark. Unfortunately, this call fails:
Setting a minssf should not be necessary. Do you also get this error with "maxssf=0"? "maxssf=1" may be a more workable option, since encryption is really what you want to turn off, not integrity.
Yes, the error remains the same. maxssf=1 does not help because integrity won't be disabled. The encryption you are talking about is GSS confidentiality, which won't be active anyway with maxssf=1.
I recall being able to capture GSSAPI traffic with Wireshark several years ago. I wasn't doing it programmatically though. I was either using maxssf=1 or maxssf=0, and was likely using Heimdal.
If all you want is a readable packet log, you only need to disable confidentiality, not integrity.
This is what I did, but having a look at the Wireshark output, you'll see SASL GSS-API Integrity with a hexdump of the data, not a browsable structure.
Meanwhile, you can just use libldap's packet logging if you want a packet trace even with confidentiality.
To be honest, the documentation is extremely short on that. I have tried debugging on ldapsearch first and did not find any enumeration of the debug levels. Only googling revealed level 7. After that, I tried to apply that to my code by reading ldapsearch.c/common.c, but it did not work. I ended up reverse engineering other source code and did:
    int debug_level = -1;
    rc = ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, &debug_level);
    ber_set_option(NULL, LBER_OPT_BER_DEBUG, &debug_level);
I am still not happy with that.
Michael
openldap-technical@openldap.org