
Re: [ldapext] Kerberos Integrity behavior



I've been asked a question about the correctness of a particular server's
behavior with respect to LDAP messages and GSSAPI messages when Kerberos
integrity and confidentiality are used.  Can anyone comment on this?

A particular server appears to be sending both search response and
completion messages (i.e. multiple LDAP messages) in a single GSSAPI
message.  Other servers we have tested send a single LDAP message in each
GSSAPI message.

Are both of these behaviors correct?

I suspect so. I've implemented the server side of the SASL/GSSAPI
encryption for LDAP (I think you're really talking about SASL here, but one of the
few SASL mechanisms that supports encryption is GSSAPI).


In my implementation I allowed for all the unaligned PDU combinations
(two or more LDAP PDUs in a SASL PDU; one LDAP PDU that
is larger than a SASL PDU; LDAP PDUs that straddle the beginning
and end of the SASL PDU). When I read the RFCs, I concluded that
there was insufficient detail to completely guide an implementation,
so I opted to handle all the reasonable cases I could think of.

Coalescing the search result and the search result done PDUs
into a single TCP segment is a common optimization in LDAP
servers: it improves performance quite a bit for searches that
only yield one entry. In a server with that optimization, I wouldn't
be surprised if it were to send the two PDUs in one SASL message,
especially if the SASL encryption was done as a layer underneath
the existing I/O.
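
The demultiplexer the reply describes, written out as an added example (it is not code from the thread or from any of the servers discussed): the TCP stream is first cut into SASL security-layer buffers using the 4-octet network-order length prefix that RFC 4422 section 3.7 mandates, each buffer is unwrapped, and the unwrapped bytes are then accumulated and cut on BER LDAPMessage boundaries. Reading the BER length before copying is what makes all three alignments from the reply (several LDAP PDUs in one SASL buffer, one LDAP PDU spanning several buffers, PDUs straddling a buffer edge) come out the same. The GSSAPI unwrap is modelled as an identity function, and the negotiated maximum buffer size, the per-PDU limit, the sample messages and the helper names are all assumptions made for the example.

```python
# Added example, not code from the ldapext thread: LDAP PDUs demultiplexed from
# SASL security-layer buffers.  gss_unwrap() is a stand-in for the real call.
import struct

SASL_MAX_BUF = 65536          # assumed negotiated maximum SASL buffer size
LDAP_MAX_PDU = 1 << 20        # assumed per-PDU sanity limit


def ber_tlv_len(buf, off=0):
    """Octets in the whole BER TLV starting at buf[off], or None if the
    tag/length header is not complete yet.  RFC 4511 section 5.1 allows only
    the definite length form, so the indefinite form is rejected outright."""
    n, i = len(buf), off
    if i >= n:
        return None
    tag = buf[i]
    i += 1
    if tag & 0x1F == 0x1F:                       # high-tag-number form
        while True:
            if i >= n:
                return None
            b = buf[i]
            i += 1
            if not b & 0x80:
                break
    if i >= n:
        return None
    l = buf[i]
    i += 1
    if l == 0x80:
        raise ValueError("indefinite length is not permitted in LDAP BER")
    if l & 0x80:
        k = l & 0x7F
        if k > 4:
            raise ValueError("unreasonable length-of-length")
        if i + k > n:
            return None
        l = int.from_bytes(buf[i:i + k], "big")
        i += k
    return (i - off) + l


class SaslBufferFramer:
    """Cuts the TCP stream into SASL security-layer buffers (4-octet length
    prefix, RFC 4422 section 3.7) and enforces the negotiated maximum."""
    def __init__(self, max_buf=SASL_MAX_BUF):
        self.max_buf = max_buf
        self._buf = bytearray()

    def feed(self, data):
        self._buf += data
        out = []
        while len(self._buf) >= 4:
            (n,) = struct.unpack("!I", self._buf[:4])
            if n > self.max_buf:                  # protocol violation: fail the connection
                raise ValueError(f"SASL buffer of {n} octets exceeds negotiated max {self.max_buf}")
            if len(self._buf) < 4 + n:
                break                             # buffer still arriving
            out.append(bytes(self._buf[4:4 + n]))
            del self._buf[:4 + n]
        return out


def gss_unwrap(wrapped):
    """Stand-in for gss_unwrap(): a real server verifies the MIC / decrypts here."""
    return wrapped


class LdapPduReassembler:
    """Accumulates unwrapped SASL payloads and yields whole LDAPMessage PDUs,
    regardless of how the two layers' boundaries line up."""
    def __init__(self, max_pdu=LDAP_MAX_PDU):
        self.max_pdu = max_pdu
        self._buf = bytearray()

    def feed(self, payload):
        self._buf += payload
        pdus = []
        while True:
            total = ber_tlv_len(self._buf)
            if total is None:
                break                             # header itself is split
            if total > self.max_pdu:
                raise ValueError("LDAP PDU exceeds size limit")
            if len(self._buf) < total:
                break                             # body continues in the next SASL buffer
            pdus.append(bytes(self._buf[:total]))
            del self._buf[:total]
        return pdus


def demux(tcp_chunks, max_buf=SASL_MAX_BUF):
    """Run both layers over a sequence of TCP reads; return the LDAP PDUs found."""
    framer, reasm, pdus = SaslBufferFramer(max_buf), LdapPduReassembler(), []
    for chunk in tcp_chunks:
        for wrapped in framer.feed(chunk):
            pdus += reasm.feed(gss_unwrap(wrapped))
    return pdus


# ---- constructed sample messages (not captured traffic) --------------------
def tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def ldap_message(msg_id, protocol_op):
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + protocol_op)


def sasl_buffer(payload):
    return struct.pack("!I", len(payload)) + payload


# SearchResultEntry for "dc=example" with no attributes, then SearchResultDone(success)
SEARCH_ENTRY = ldap_message(2, tlv(0x64, tlv(0x04, b"dc=example") + tlv(0x30, b"")))
SEARCH_DONE = ldap_message(2, tlv(0x65, tlv(0x0A, b"\x00") + tlv(0x04, b"") + tlv(0x04, b"")))


def scenarios():
    """Each alignment the reply names, as (tcp_chunks, expected_pdus)."""
    big = ldap_message(3, tlv(0x64, tlv(0x04, b"cn=" + b"x" * 300) + tlv(0x30, b"")))
    both = sasl_buffer(SEARCH_ENTRY) + sasl_buffer(SEARCH_DONE)
    return {
        "coalesced":  ([sasl_buffer(SEARCH_ENTRY + SEARCH_DONE)], [SEARCH_ENTRY, SEARCH_DONE]),
        "oversized":  ([sasl_buffer(big[i:i + 100]) for i in range(0, len(big), 100)], [big]),
        "straddling": ([sasl_buffer(SEARCH_ENTRY[:5]),
                        sasl_buffer(SEARCH_ENTRY[5:] + SEARCH_DONE[:3]),
                        sasl_buffer(SEARCH_DONE[3:])], [SEARCH_ENTRY, SEARCH_DONE]),
        "tcp_split":  ([both[i:i + 7] for i in range(0, len(both), 7)], [SEARCH_ENTRY, SEARCH_DONE]),
    }
```

Two checks in the block are the ones a reviewer of such a layer should look for: the SASL length is compared against the negotiated maximum before any data is buffered, and a separate cap bounds how much unwrapped data the BER layer will hold while waiting for a PDU to complete, since a peer that never finishes a PDU would otherwise grow the buffer without limit.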



_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext