
Re: Disable GSSAPI confidentiality



Jeremiah Martell wrote:
Is there a way, when calling "ldap_sasl_interactive_bind_s", to tell
it that when it does LDAP+GSSAPI authentication, only use GSSAPI for
authentication, and not confidentiality?

In other words, just use GSSAPI to encrypt the authentication part,
but not all subsequent searches, etc.

Thanks,

Jeremiah,

You can use SASL security properties to accomplish that.

For instance:

dwhite@zek:~$ ldapwhoami -Y GSSAPI -h ldap.example.net
SASL/GSSAPI authentication started
SASL username: dwhite@EXAMPLE.NET
SASL SSF: 56
SASL data security layer installed.
dn:uid=dwhite@example.net,ou=people,dc=example,dc=net

dwhite@zek:~$ ldapwhoami -Y GSSAPI -h ldap.example.net -O maxssf=0
SASL/GSSAPI authentication started
SASL username: dwhite@EXAMPLE.NET
SASL SSF: 0
dn:uid=dwhite@example.net,ou=people,dc=example,dc=net

Programmatically, I think you would pass the string 'maxssf=0' within your call.

As for the authentication step, GSSAPI should be secured based on your ticket negotiation regardless of the SSF setting, I believe.

- Dan