[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: SASL_SUCCESS_DATA should be set (ITS#2202)



I would add that it appears that Windows 2000 is in violation of
the SASL GSSAPI profile (I-D draft-ietf-cat-sasl-gssapi-05.txt).

According to this, no GSS-API mechanism is excluded from the
additional token in which the security layer and authorization
identity may be negotiated. (Although SPNEGO provides for 
negotiation of the security layer, it does not allow one to
specify an authorization identity separate from the authentication
identity.)

I don't believe it will be possible to make the server-side
SASL support both compliant and non-compliant clients.

-- Luke

>From: "Howard Chu" <hyc@highlandsun.com>
>Subject: RE: SASL_SUCCESS_DATA should be set (ITS#2202)
>To: <lukeh@padl.com>, <openldap-its@OpenLDAP.org>
>Date: Tue, 26 Nov 2002 17:11:24 -0800
>
>Have you already verified that this works? Since I have no GSS-SPNEGO mech to
>test with, I can't check it myself. Why does slapd need to be changed, if
>slapd doesn't use a mechanism with server-send-last functionality? Or are you
>testing a GSS-SPNEGO implementation for slapd? (As opposed to testing the
>client side, using a MS AD as the server.)
>
>  -- Howard Chu
>  Chief Architect, Symas Corp.       Director, Highland Sun
>  http://www.symas.com               http://highlandsun.com/hyc
>  Symas: Premier OpenSource Development and Support
>
>> -----Original Message-----
>> From: owner-openldap-bugs@OpenLDAP.org
>> [mailto:owner-openldap-bugs@OpenLDAP.org]On Behalf Of lukeh@padl.com
>> Sent: Tuesday, November 26, 2002 2:39 AM
>> To: openldap-its@OpenLDAP.org
>> Subject: SASL_SUCCESS_DATA should be set (ITS#2202)
>>
>>
>> Full_Name: Luke Howard
>> Version: HEAD
>> OS: Linux
>> URL: ftp://ftp.openldap.org/incoming/
>> Submission from: (NULL) (165.228.130.11)
>>
>>
>> In servers/slapd/sasl.c, when calling sasl_server_new(), you
>> should pass
>> SASL_SUCCESS_DATA as the second-last argument.
>>
>> Why? Some SASL mechanisms appear to send a final response
>> with the last token.
>> For example, Microsoft's GSS-SPNEGO mechanism appears not to
>> do the SASL SSF
>> negotiation, and so the final SPNEGO "accept completed" token
>> is returned in a
>> successful LDAP BindResponse PDU.
>>
>>
>>
>>
>

--
Luke Howard | PADL Software Pty Ltd | www.padl.com