Re: GSSAPI signing/encryption for unsuspectingly applications (its not a bug)

[Howard Chu <hyc@symas.com>]

mikbec wrote:
> Howard Chu wrote:
> > mikbec wrote:
> > > Patch related to "(ITS#6110) GSSAPI signing/encryption for
> > > unsuspectingly applications" is more an enhancement than a bug report.
> >
> > That's fine, patches are supposed to be tracked in ITS anyway.
> >
> > However, it seems to me that these patches are duplicating functionality
> > that's already provided by SASL/GSSAPI. On that basis I'm inclined to
> You are right if you think that SASL with GSSAPI support should do that
> stuff.
> But firstly the SASL/GSSAPI code in openldap seems to support only the
> authentication part if you try to connect to something like an MS Active
> Directory Controller. After authentication is done successfully it seems
> so that integrity and confidential protection part via SASL/GSSAPI will
> be switched off.....hmmmmm.

I've seen this all work correctly in the past with AD, so either AD has 
changed recently, or your Kerberos configuration is wrong, or your Kerberos 
library is broken.

> Secondly it seems so that Cyrus SASL code does not support SSF larger
> than 56 for GSSAPI based signing/encryption (aka integrity/confidential

Also wrong, Cyrus SASL/GSSAPI is known to work with up to ssf=112.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/