RE: fixes for SASL KERBEROS_V4 mechanism (ITS#829)



At 01:28 PM 10/12/00 +0000, Karsten.Kuenne@desy.de wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>| Karsten,
>| | 
>| We had a bit of prior discussion regarding this issue.  In
>| particular, please review:
>|   http://www.openldap.org/lists/openldap-devel/200007/msg00031.html
>|   http://www.openldap.org/lists/openldap-devel/200007/msg00039.html
>| 
>| Basically, we suggest compiling Cyrus SASL with
>| KRB4_IGNORE_IP_ADDRESS.  This works fine unless you desire
>| to use security layers.
>| 
>
>I didn't see that, I'll give it a try. What will be the impact
>if I don't use security layers with SASL?

You only get the first part of:
  Simple Authentication and Security Layer

where Security Layer provides integrity and/or confidentiality
protection.

Given that SASL/KERBEROS_IV security layer is DES based, you don't
lose much.

>Which other protocol families does OpenLDAP support?

AF_INET, AF_INET6, and AF_LOCAL.

>Probably IPv6 which
>I can't test because Sol 7 doesn't have it. But, anyway, I'll recompile
>SASL as you suggested and see how this works.
>
>BTW: GSSAPI does NOT work with ldapi:/// (with and without my changes), it
>always ends up with ("-d -1" given):

That would be a yet-to-be-reported issue...