
Re: Channel bindings



Howard Chu wrote:
> Now that Cyrus SASL 2.1.25 is out with channel binding support, we should be
> looking into adding the hooks needed to use it. I believe what we want to
> expose is an ldap_get_option(ld, LDAP_OPT_X_TLS_BINDING, &foo) to retrieve the
> tls-unique binding data from the underlying TLS session. Then we pass this
> into SASL using sasl_setprop(ctx, SASL_CHANNEL_BINDING, foo). The actual
> ldap_get_option() code will have to be added for each TLS implementation.

How can one use it from python-ldap? python-ldap is mainly a wrapper around the
OpenLDAP client libs. Everything which can be done within C has to be exposed
in this wrapper module. I guess wrapper modules for other scripting languages
have the same requirements.

SASL params (SASL_CB_* in sasl.h) are usually passed to cyrus-sasl by a
call-back dictionary. But I guess it should be possible to set
SASL_CHANNEL_BINDING via ldap_set_option().

Puuh, I'm not really familiar with the C APIs as I did not write the C parts
of python-ldap...

Ciao, Michael.