Re: GSS-SPNEGO Protocol Details
Michael B Allen wrote:
> I've implemented SASL binds for GSSAPI and GSS-SPNEGO using a
> Sockbuf_IO_Desc handler instead of libsasl. Everything works great
> but I've noticed some behavior from the server I'm using that
> is not consistent with the available documentation (RFC 2222 and
> draft-ietf-sasl-gssapi-03 by Melnikov). Would anyone happen to know
> where I might ask about GSS-SPNEGO protocol details? Is there an IETF
> mailing list somewhere?
Have you already read RFC2478?
> There are three issues:
>
> 1) GSS-SPNEGO search replies are sealed even though the request was
> not and a capture of another client talking to the same server shows
> replies as integ-only. An examination of the captures of my code and
> the other client shows the packets are identical (minus BER encoding
> differences and encrypted krb5 bits).
That would normally require the confidentiality flag to be set on the
ContextFlags of the NegotiationToken.
> 2) GSS-SPNEGO does not appear to use the additional bind exchange to
> negotiate the security-layer bit mask like GSSAPI does.
>
> 3) GSSAPI can use what is apparently the DN of an account called the
> "authorization identity". The actual values for this field do not
> appear to be documented anywhere.
An authorization identity is a standard concept in SASL. It can be a simple
username or a DN.
> I don't suppose I should care since the code works fine but I do. Any
> pointers are appreciated.
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
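The two protocol details the thread turns on, the security-layer bit mask that the GSSAPI SASL mechanism negotiates in its final bind round trip (RFC 2222 section 7.2.1, later RFC 4752) together with the authorization identity that rides on the client's reply, and the ContextFlags BIT STRING inside an SPNEGO NegTokenInit (RFC 2478) that carries the confFlag Howard refers to, are small enough to decode by hand. The following Python is an added example, written for this page and not code from either poster or from OpenLDAP; the function names are my own, the 4-octet token layout and the ContextFlags bit numbering come from the RFCs, and the sample tokens and the "dn:" authorization identity are constructed values (the "dn:"/"u:" authzId forms are the ones LDAP defines in RFC 2829). Comparing what a capture shows against what these decoders report is one way to confirm whether sealed replies match anything that was actually negotiated.

```python
# Added example: decode/encode the GSSAPI SASL security-layer negotiation
# tokens (RFC 2222 s7.2.1 / RFC 4752) and the SPNEGO ContextFlags BIT STRING
# (RFC 2478). Not OpenLDAP code; function names are the author's own.

# Bit-mask values of the first octet of the security-layer tokens.
SEC_LAYER_NONE = 0x01
SEC_LAYER_INTEGRITY = 0x02
SEC_LAYER_CONFIDENTIALITY = 0x04

# RFC 2478 ContextFlags named bits, in bit-number order (bit 0 first).
CONTEXT_FLAGS = ["delegFlag", "mutualFlag", "replayFlag", "sequenceFlag",
                 "anonFlag", "confFlag", "integFlag"]


def encode_server_layer_offer(layers: int, max_size: int) -> bytes:
    """Server -> client: 1 octet layer bit-mask + 3-octet big-endian max
    receive size. The whole thing is GSS_Wrap'ed with conf_flag false."""
    if not 0 < layers < 0x08 or not 0 <= max_size < (1 << 24):
        raise ValueError("layer mask or max_size out of range")
    return bytes([layers]) + max_size.to_bytes(3, "big")


def decode_server_layer_offer(data: bytes) -> tuple:
    """Return (offered_layer_mask, server_max_receive_size)."""
    if len(data) != 4:
        raise ValueError("server security-layer token must be 4 octets")
    return data[0], int.from_bytes(data[1:4], "big")


def negotiate_layer(offered: int, preference: list) -> int:
    """Pick the first layer in the client's preference the server offered."""
    for layer in preference:
        if offered & layer:
            return layer
    raise ValueError("no security layer in common")


def encode_client_layer_choice(layer: int, max_size: int, authzid: str = "") -> bytes:
    """Client -> server: chosen layer (exactly one bit), 3-octet max receive
    size, then the optional authorization identity as UTF-8."""
    if layer not in (SEC_LAYER_NONE, SEC_LAYER_INTEGRITY, SEC_LAYER_CONFIDENTIALITY):
        raise ValueError("client must select exactly one layer")
    return bytes([layer]) + max_size.to_bytes(3, "big") + authzid.encode("utf-8")


def decode_client_layer_choice(data: bytes) -> tuple:
    """Return (chosen_layer, client_max_receive_size, authzid)."""
    if len(data) < 4:
        raise ValueError("client security-layer token is shorter than 4 octets")
    return data[0], int.from_bytes(data[1:4], "big"), data[4:].decode("utf-8")


def decode_context_flags(der: bytes) -> dict:
    """Decode a DER-encoded ContextFlags BIT STRING into {flag_name: bool}.

    DER BIT STRING: tag 0x03, short-form length, one octet giving the number
    of unused trailing bits, then the bits with bit 0 as the MSB of the
    first content octet. Seven named bits always fit one octet, so the
    short length form is all this needs to handle."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length = der[1]
    if length > 0x7F or len(der) != 2 + length:
        raise ValueError("bad BIT STRING length")
    unused, body = der[2], der[3:]
    if unused > 7 or (not body and unused):
        raise ValueError("bad unused-bits octet")
    nbits = len(body) * 8 - unused
    flags = {}
    for i, name in enumerate(CONTEXT_FLAGS):
        # Bits beyond the encoded length are absent, i.e. not set.
        flags[name] = i < nbits and bool(body[i // 8] & (0x80 >> (i % 8)))
    return flags


def reply_matches_negotiation(chosen_layer: int, reply_was_sealed: bool) -> bool:
    """A sealed reply is only consistent with a confidentiality layer."""
    return reply_was_sealed == (chosen_layer == SEC_LAYER_CONFIDENTIALITY)


if __name__ == "__main__":
    # Constructed exchange: server offers integrity or confidentiality.
    offer = encode_server_layer_offer(SEC_LAYER_INTEGRITY | SEC_LAYER_CONFIDENTIALITY, 65536)
    mask, _ = decode_server_layer_offer(offer)
    chosen = negotiate_layer(mask, [SEC_LAYER_INTEGRITY, SEC_LAYER_CONFIDENTIALITY])
    reply = encode_client_layer_choice(chosen, 65536, "dn:cn=Michael,dc=example,dc=com")
    print(decode_client_layer_choice(reply))
    # Constructed NegTokenInit ContextFlags with confFlag and integFlag set.
    print(decode_context_flags(bytes.fromhex("03020106")))
    print(reply_matches_negotiation(chosen, reply_was_sealed=True))
```

The 4-octet layout is what a capture of a GSSAPI bind's last two wrapped tokens should decode to; for GSS-SPNEGO, where that round trip does not appear, `decode_context_flags` applied to the ContextFlags of the NegTokenInit is the place to look for a confFlag that would explain sealed replies.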