Re: GSS-SPNEGO Protocol Details

Michael B Allen wrote:

  I've implemented SASL binds for GSSAPI and GSS-SPNEGO using a
  Sockbuf_IO_Desc handler instead of libsasl. Everything works great
  but I've noticed some behavior from the server I'm using that
  is not consistent with the available documentation (RFC 2222 and
  draft-ietf-sasl-gssapi-03 by Melnikov). Would anyone happen to know
  where I might ask about GSS-SPNEGO protocol details? Is there an IETF
  mailing list somewhere?

Have you already read RFC2478?

  There are three issues:

  1) GSS-SPNEGO search replies are sealed even though the request was
  not, and a capture of another client talking to the same server shows
  replies as integ-only. An examination of the captures of my code and
  the other client shows the packets are identical (minus BER encoding
  differences and encrypted krb5 bits).

That would normally require the confidentiality flag to be set on the ContextFlags of the NegotiationToken.

  2) GSS-SPNEGO does not appear to use the additional bind exchange to
  negotiate the security-layer bit mask like GSSAPI does.

  3) GSSAPI can use what is apparently the DN of an account called the
  "authorization identity". The actual values for this field do not
  appear to be documented anywhere.

An authorization identity is a standard concept in SASL. It can be a simple username or a DN.

  I don't suppose I should care since the code works fine, but I do. Any
  pointers are appreciated.


  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/
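
As an added example that is not part of this thread and not OpenLDAP code: the "additional bind exchange" Michael mentions in item 2 is the SASL GSSAPI security-layer negotiation of RFC 2222 section 7.2.1 (carried forward as RFC 4752 section 3.1, the RFC that the draft-ietf-sasl-gssapi series became), and the authorization identity of item 3 travels as trailing UTF-8 octets in the same client token. The Python below builds and parses both tokens in the clear; the GSS wrapping around them (gss_wrap/gss_unwrap with conf_flag FALSE, i.e. integrity-only, per the RFC) is left to the GSS library. The server token contents, the 65536-octet client limit and the authzid `u:alice` are constructed sample values, and the `u:`/`dn:` authzid forms are the LDAP ones defined by RFC 4513, not something the GSSAPI mechanism itself specifies.

```python
"""SASL GSSAPI security-layer negotiation tokens (RFC 2222 s7.2.1 / RFC 4752 s3.1).

After the GSS context is established the server sends one wrapped token whose
plaintext is 4 octets:
    octet 0    : bitmask of security layers the server supports
                 (1 = none, 2 = integrity, 4 = confidentiality)
    octets 1-3 : maximum wrapped-message size the server accepts, network order
The client answers with a wrapped token whose plaintext is:
    octet 0    : the single layer the client selects (must be offered by server)
    octets 1-3 : maximum size the client accepts (0 when no layer is selected)
    octets 4.. : optional authorization identity (authzid), UTF-8

Only the plaintexts are handled here; gss_wrap()/gss_unwrap() are the GSS
library's job.  Sample values in negotiate_demo() are constructed.
"""
import struct
from typing import Optional, Tuple

SEC_NONE = 0x01
SEC_INTEGRITY = 0x02
SEC_CONFIDENTIALITY = 0x04
_ALL_LAYERS = SEC_NONE | SEC_INTEGRITY | SEC_CONFIDENTIALITY


def parse_server_token(plaintext: bytes) -> Tuple[int, int]:
    """Client side: parse the server's unwrapped token into (layer mask, max size)."""
    if len(plaintext) != 4:
        raise ValueError("server token must be exactly 4 octets, got %d" % len(plaintext))
    mask = plaintext[0]
    if mask == 0 or mask & ~_ALL_LAYERS:
        raise ValueError("invalid security-layer mask 0x%02x" % mask)
    # octets 1-3 are a 24-bit big-endian size; pad to 32 bits to unpack
    max_size = struct.unpack(">I", b"\x00" + plaintext[1:4])[0]
    return mask, max_size


def choose_layer(server_mask: int,
                 prefer: Tuple[int, ...] = (SEC_CONFIDENTIALITY, SEC_INTEGRITY, SEC_NONE)) -> int:
    """Pick the first layer in the client's preference order that the server offered."""
    for layer in prefer:
        if server_mask & layer:
            return layer
    raise ValueError("no mutually acceptable security layer (server offered 0x%02x)" % server_mask)


def build_client_token(layer: int, client_max_size: int, authzid: Optional[str] = None) -> bytes:
    """Client side: build the reply plaintext that is then passed to gss_wrap()."""
    if layer not in (SEC_NONE, SEC_INTEGRITY, SEC_CONFIDENTIALITY):
        raise ValueError("exactly one security layer must be selected")
    if layer == SEC_NONE:
        client_max_size = 0  # RFC 4752: size MUST be 0 when no layer is selected
    if not 0 <= client_max_size <= 0xFFFFFF:
        raise ValueError("max size does not fit in 24 bits")
    token = struct.pack(">I", (layer << 24) | client_max_size)
    if authzid:
        token += authzid.encode("utf-8")
    return token


def parse_client_token(plaintext: bytes, server_mask: int) -> Tuple[int, int, Optional[str]]:
    """Server side: validate the client's reply, returning (layer, max size, authzid).

    authzid is None when absent; the server then derives the authorization
    identity from the authenticated (Kerberos principal) identity.
    """
    if len(plaintext) < 4:
        raise ValueError("client token shorter than 4 octets")
    layer = plaintext[0]
    if layer not in (SEC_NONE, SEC_INTEGRITY, SEC_CONFIDENTIALITY):
        raise ValueError("client must select exactly one layer, got 0x%02x" % layer)
    if not server_mask & layer:
        raise ValueError("client selected layer 0x%02x that the server did not offer" % layer)
    max_size = int.from_bytes(plaintext[1:4], "big")
    if layer == SEC_NONE and max_size != 0:
        raise ValueError("max size must be 0 when no security layer is selected")
    authzid = plaintext[4:].decode("utf-8") if len(plaintext) > 4 else None
    return layer, max_size, authzid


def negotiate_demo() -> Tuple[int, int, Optional[str]]:
    """Run both sides of the exchange over constructed sample values."""
    # Constructed server token: integrity and confidentiality offered, 65536-octet limit
    server_plain = bytes([SEC_INTEGRITY | SEC_CONFIDENTIALITY]) + (65536).to_bytes(3, "big")
    mask, server_max = parse_server_token(server_plain)
    layer = choose_layer(mask)
    # Constructed client limit; "u:alice" is the RFC 4513 username authzid form
    client_plain = build_client_token(layer, min(server_max, 65536), "u:alice")
    return parse_client_token(client_plain, mask)


if __name__ == "__main__":
    print(negotiate_demo())
```

When comparing captures, the thing to check against item 2 is whether the exchange above happens at all: with the plain GSSAPI mechanism the two wrapped 4-octet tokens should appear as further SASL bind round trips after the Kerberos AP-REP, whereas a capture without them means the security layer was settled some other way (for SPNEGO, by the context flags, as Howard notes for item 1).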