Re: [ldapext] Kerberos Integrity behavior

[Alexey Melnikov <Alexey.Melnikov@isode.com>]

David Boreham wrote:

> > I've been asked a question about the correctness of a particular 
> > server's
> > behavior with respect to LDAP messages and GSSAPI messages when Kerberos
> > integrity and confidentiality is used.  Can anyone comment on this?
> >
> > A particular server appears to be sending both search response and
> > completion messages (i.e. multiple LDAP messages) in a single GSSAPI
> > message.  Other servers we have tested send a single LDAP message in 
> > each
> > GSSAPI message.
> >
> > Are both of these behaviors correct?
Yes.

> I suspect so. I've implemented the server side of the SASL/GSSAPI
> encryption for LDAP (I think you're really talking about SASL here, 
> but one of the
> few SASL mechanisms that supports encryption is GSSAPI). 

> In my implementation I allowed for all the unaligned PDU combinations
> (two or more LDAP PDUs in a SASL PDU; one LDAP PDU that
> is larger than a SASL PDU; LDAP PDUs that straddle the beginning
> and end of the SASL PDU).

Yes, SASL security layer works in the same way as TCP packet 
fragmentation does. So all the mentioned cases has to be handled.

> When I read the RFCs, I concluded that
> there was insufficient detail to completely guide an implementation,
> so I opted to handle all the resonable cases I could think of.

I am wondering if RFC 2222bis (SASL) has to be clarified in this area?

> Coalescing the search result and the search result done PDUs
> into a single TCP segment is a common optimization in LDAP
> servers: it improves performance quite a bit for searches that
> only yield one entry. In a server with that optimization, I wouldn't
> be surprised if it were to send the two PDUs in one SASL message,
> especially if the SASL encryption was done as a layer underneath
> the existing I/O.

Alexey


_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext