Re: GSSAPI signing/encryption for unsuspectingly applications (its not a bug)
> Howard Chu wrote:
> Patch related to "(ITS#6110) GSSAPI signing/encryption for
> unsuspectingly applications" is more an enhancement than a bug report.

That's fine, patches are supposed to be tracked in ITS anyway.

>> However, it seems to me that these patches are duplicating functionality
>> that's already provided by SASL/GSSAPI. On that basis I'm inclined to
>
> You are right if you think that SASL with GSSAPI support should do that
> But firstly the SASL/GSSAPI code in openldap seems to support only the
> authentication part if you try to connect to something like an MS Active
> Directory Controller. After authentication is done successfully it seems
> that integrity and confidentiality protection via SASL/GSSAPI will
> be switched off.....hmmmmm.

I've seen this all work correctly in the past with AD, so either AD has
changed recently, or your Kerberos configuration is wrong, or your Kerberos
library is broken.

> Secondly it seems that Cyrus SASL code does not support SSF larger
> than 56 for GSSAPI based signing/encryption (aka integrity/confidential

Also wrong, Cyrus SASL/GSSAPI is known to work with up to ssf=112.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
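The disagreement above is about whether a SASL/GSSAPI bind to AD actually ends up with an integrity/confidentiality layer and how large the negotiated SSF is. Rather than assuming either way, a practitioner can make the client refuse to bind below a minimum SSF (the `-O minssf=` SASL security property of the OpenLDAP client tools) and read the negotiated SSF back from the tool's verbose output. The following is an added example, not code from this thread or from the OpenLDAP project: the `SAMPLE_BIND_OUTPUT` text is constructed to mimic what `ldapwhoami -v -Y GSSAPI` prints after a successful bind, and the host name, realm and the `check_live` helper are hypothetical.

```shell
#!/bin/sh
# Added example (not from the OpenLDAP thread or project): confirm that a
# SASL/GSSAPI bind negotiated an integrity/confidentiality layer and at
# what SSF, instead of assuming the layer is on.

# Constructed sample of the verbose output of an OpenLDAP client tool
# (ldapwhoami -v -Y GSSAPI). Only the "SASL ..." lines are inspected.
SAMPLE_BIND_OUTPUT='SASL/GSSAPI authentication started
SASL username: alice@EXAMPLE.COM
SASL SSF: 56
SASL data security layer installed.
dn:uid=alice,ou=people,dc=example,dc=com'

# Print the negotiated SSF found in bind output, or 0 when no
# "SASL SSF:" line is present (i.e. no security layer was reported).
negotiated_ssf() {
    ssf=$(printf '%s\n' "$1" | sed -n 's/^SASL SSF: \([0-9][0-9]*\).*/\1/p' | head -n 1)
    printf '%s\n' "${ssf:-0}"
}

# Succeed only if the output reports an SSF of at least $2 and states that
# the data security layer was installed; fail on either missing condition.
layer_ok() {
    out=$1
    min=$2
    ssf=$(negotiated_ssf "$out")
    [ "$ssf" -ge "$min" ] || return 1
    printf '%s\n' "$out" | grep -q '^SASL data security layer installed\.' || return 1
    return 0
}

# Live check against a directory server (hypothetical host; requires a
# Kerberos ticket). Passing minssf makes the bind itself fail when the
# server negotiates no layer, which is the stronger control; the output
# check then reports the SSF that was actually agreed.
check_live() {
    host=$1
    min=${2:-56}
    out=$(ldapwhoami -v -H "ldap://$host" -Y GSSAPI -O "minssf=$min" 2>&1) || return 1
    layer_ok "$out" "$min"
}
```

Run `check_live dc1.example.com 56` (or 112, the figure given above for Cyrus SASL) with a valid ticket; a bind that succeeds with `minssf` set but whose output reports a lower SSF, or no `SASL data security layer installed.` line, is the situation worth debugging on the Kerberos side rather than patching around.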