OpenLDAP
Viewing Incoming/6110
From: mikbec@web.de
Subject: GSSAPI signing/encryption for unsuspectingly applications

Date: Tue, 12 May 2009 20:39:11 +0000
From: mikbec@web.de
To: openldap-its@OpenLDAP.org
Subject: GSSAPI signing/encryption for unsuspectingly applications
Full_Name: Mike Becher
Version: 2.4.16 or HEAD
OS: Linux
URL: ftp://ftp.openldap.org/incoming/mike-becher-090512.libraries-libldap.patch
Submission from: (NULL) (84.150.169.165)


patch file name: mike-becher-090512.libraries-libldap-gssapi.1.patch
patch subject: GSSAPI signing/encryption for unsuspectingly applications

ftp://ftp.openldap.org/incoming/mike-becher-090512.libraries-libldap.patch

This patch (see above) introduces a function hook and an additional ldap.conf
or ldaprc option GSSAPI_TRY_GSSAPI_BIND_S_IN_SASL_INTERACTIVE_BIND_S which
enables unsuspecting applications to make use of GSSAPI-based
authentication, signing, and/or encryption.
This is very useful if you are connected to MS Active Directory where
LDAP server signing is required (i.e. switched on) and your software
(for example pam_ldap or nss_ldap) doesn't know about that requirement.
Additionally, if a user does not want to use this feature, s/he can switch it off
on demand.

Excerpt from manual page enhancement:
From a technical point of view, this (hook and option) enables a call to ldap_gssapi_bind_s()
at the beginning of ldap_sasl_interactive_bind_s(). If ldap_gssapi_bind_s()
returns LDAP_SUCCESS, the SASL code of ldap_sasl_interactive_bind_s()
will be skipped. Otherwise ldap_sasl_interactive_bind_s() will be
executed. If this option is switched on and an application makes use
of ldap_sasl_interactive_bind_s() but doesn't know anything about
ldap_gssapi_bind_s(), it is able to use GSSAPI signing and encryption.

NOTE(s):
This patch makes the patches of
 * ITS#6091: missing implementation of "switch off" functionality of GSSAPI OPTIONS
 * ITS#6092: correct string problem in guess_service_principal()
 * ITS#6093: correct hostname resolving problem in guess_service_principal()
obsolete.
Thanks to Hallvard B Furuseth for his comments on ITS#6092 which
resulted in a rewrite of that code snippet.
The OpenLDAP Issue Tracking System uses a hacked version of JitterBug
© Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org