2:10 p.m.
Hi folks,
I am binding against Active Directory with GSSAPI mech and would like to disable SASL
integrity for debugging purposes with Wireshark. Unfortunately, this call fails:
char *secprops = "minssf=0,maxssf=0";
rc = ldap_set_option(ld, LDAP_OPT_X_SASL_SECPROPS, secprops);
with:
Diagnostic message: SASL(-1): generic failure: GSSAPI Error: A required input parameter
could not be read (Unknown error)
Result code: -2
I am used to this with Java's SASL client where I can set SASL QOP with auth,
auth-int, auth-conf.
Is that not possible with OpenLDAP along with CyrusSASL?
For what it is worth, I am on FreeBSD 9.3 with latest OpenLDAP and CyrusSASL from the
ports tree.
Regards,
Michael
1:26 p.m.
On 04/15/15 21:10 +0000, Osipov, Michael wrote:
Hi folks,
I am binding against Active Directory with GSSAPI mech and would like to disable SASL
integrity for debugging purposes with Wireshark. Unfortunately, this call fails:
char *secprops = "minssf=0,maxssf=0";
rc = ldap_set_option(ld, LDAP_OPT_X_SASL_SECPROPS, secprops);
with:
Diagnostic message: SASL(-1): generic failure: GSSAPI Error: A required input parameter
could not be read (Unknown error)
Result code: -2
This error is likely produced by your Kerberos library (whichever one Cyrus
is compiled against), or perhaps with the way the security properties are
passed down from OpenLDAP to Cyrus to Kerberos.
Setting a minssf should not be necessary. Do you also get this error with
"maxssf=0"? "maxssf=1" may be a more workable option, since encryption
is
really what you want to turn off, not integrity.
--
Dan White
10:11 a.m.
On 04/15/15 21:10 +0000, Osipov, Michael wrote:
>Hi folks,
>
>I am binding against Active Directory with GSSAPI mech and would like to
disable SASL integrity for debugging purposes with Wireshark.
Unfortunately, this call fails:
>
>char *secprops = "minssf=0,maxssf=0";
>rc = ldap_set_option(ld, LDAP_OPT_X_SASL_SECPROPS, secprops);
>
>with:
>
>Diagnostic message: SASL(-1): generic failure: GSSAPI Error: A required
input parameter could not be read (Unknown error)
>Result code: -2
This error is likely produced by your Kerberos library (whichever one
Cyrus
is compiled against), or perhaps with the way the security properties are
passed down from OpenLDAP to Cyrus to Kerberos.
This error comes from MIT Kerberos which receives invalid config input from Cyrus SASL.
Setting a minssf should not be necessary. Do you also get this error
with
"maxssf=0"? "maxssf=1" may be a more workable option, since
encryption is
really what you want to turn off, not integrity.
Yes, the error remains the same. Maxssf=1 does not help because integrity won't be
disabled.
The encryption you are talking about is GSS confidentiality which won't be active
anyway with
maxssf=1.
I read SASL's code and it is somewhat confusing. You cannot turn off integrity. See
here:
https://github.com/Paaat/cyrus-sasl/blob/master/plugins/gssapi.c#L1585-L1597
/* Setup req_flags properly */
req_flags = GSS_C_INTEG_FLAG;
if (params->props.max_ssf > params->external_ssf) {
/* We are requesting a security layer */
req_flags |= GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG;
/* Any SSF bigger than 1 is confidentiality. */
/* Let's check if the client of the API requires confidentiality,
and it wasn't already provided by an external layer */
if (params->props.max_ssf - params->external_ssf > 1) {
/* We want to try for privacy */
req_flags |= GSS_C_CONF_FLAG;
}
}
This definitively deserves improvement, additionally, mutual auth should be enabled by
default.
So, I wouldn't say that this is an error in OpenLDAP.
Michael
1:07 p.m.
On 04/19/15 17:11 +0000, Osipov, Michael wrote:
> On 04/15/15 21:10 +0000, Osipov, Michael wrote:
> >Hi folks,
> >
> >I am binding against Active Directory with GSSAPI mech and would like to
> disable SASL integrity for debugging purposes with Wireshark.
> Unfortunately, this call fails:
> Setting a minssf should not be necessary. Do you also get this error with
> "maxssf=0"? "maxssf=1" may be a more workable option, since
encryption is
> really what you want to turn off, not integrity.
Yes, the error remains the same. Maxssf=1 does not help because integrity won't be
disabled.
The encryption you are talking about is GSS confidentiality which won't be active
anyway with
maxssf=1.
I recall being able to capture GSSAPI traffic with wireshark several years
ago. I wasn't doing it programatically though. I was either using maxssf=1
or maxssf=0, and was likely using Heimdal.
--
Dan White
1:19 p.m.
Dan White wrote:
On 04/19/15 17:11 +0000, Osipov, Michael wrote:
>> On 04/15/15 21:10 +0000, Osipov, Michael wrote:
>> >Hi folks,
>> >
>> >I am binding against Active Directory with GSSAPI mech and would
>> like to
>> disable SASL integrity for debugging purposes with Wireshark.
>> Unfortunately, this call fails:
>
>> Setting a minssf should not be necessary. Do you also get this error
>> with
>> "maxssf=0"? "maxssf=1" may be a more workable option, since
>> encryption is
>> really what you want to turn off, not integrity.
>
> Yes, the error remains the same. Maxssf=1 does not help because
> integrity won't be disabled.
> The encryption you are talking about is GSS confidentiality which
> won't be active anyway with
> maxssf=1.
I recall being able to capture GSSAPI traffic with wireshark several years
ago. I wasn't doing it programatically though. I was either using maxssf=1
or maxssf=0, and was likely using Heimdal.
If all you want is a readable packet log, you only need to disable
confidentiality, not integrity.
Meanwhile, you can just use libldap's packet logging if you want a
packet trace even with confidentiality.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
12:50 a.m.
Dan White wrote:
> On 04/19/15 17:11 +0000, Osipov, Michael wrote:
>>> On 04/15/15 21:10 +0000, Osipov, Michael wrote:
>>> >Hi folks,
>>> >
>>> >I am binding against Active Directory with GSSAPI mech and would
>>> like to
>>> disable SASL integrity for debugging purposes with Wireshark.
>>> Unfortunately, this call fails:
>>
>>> Setting a minssf should not be necessary. Do you also get this error
>>> with
>>> "maxssf=0"? "maxssf=1" may be a more workable option,
since
>>> encryption is
>>> really what you want to turn off, not integrity.
>>
>> Yes, the error remains the same. Maxssf=1 does not help because
>> integrity won't be disabled.
>> The encryption you are talking about is GSS confidentiality which
>> won't be active anyway with
>> maxssf=1.
>
> I recall being able to capture GSSAPI traffic with wireshark several
years
> ago. I wasn't doing it programatically though. I was either using
maxssf=1
> or maxssf=0, and was likely using Heimdal.
>
If all you want is a readable packet log, you only need to disable
confidentiality, not integrity.
This is what I did but having a look at the Wireshark output, you'll
See SASL GSS-API Integrity with a hexdump of the data not a browseable
Structure.
Meanwhile, you can just use libldap's packet logging if you want
a
packet trace even with confidentiality.
To be honest, the documentation is extremely short on that.
I have tried debugging on ldapsearch first and did not find any enumeration
of the debug levels. Only googling revealed level 7. After that, I tried to
apply that to my code by reading ldapsearch.c/common.c it did not work.
I ended by reverse engineering other source code and did
int debug_level = -1;
rc = ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, &debug_level);
ber_set_option(NULL, LBER_OPT_BER_DEBUG, &debug_level);
I am still not happy with that.
Michael
2960
days inactive
2966
days old
openldap-technical@openldap.org
5 comments
3 participants
participants (3)
-
Dan White -
Howard Chu -
Osipov, Michael