[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Disable GSSAPI confidentiality

On Fri, 12 Dec 2008, Dan White wrote:
> Jeremiah Martell wrote:
> > Is there a way, when calling "ldap_sasl_interactive_bind_s", to tell
> > it that when it does LDAP+GSSAPI authentication, only use GSSAPI for
> > authentication, and not confidentiality?
> >
> > In other words, just use GSSAPI to encrypt the authentication part,
> > but not all subsequent searches, etc.
> You can use SASL security properties to accomplish that.
> dwhite@zek:~$ ldapwhoami -Y GSSAPI -h ldap.example.net -O maxssf=0
> SASL/GSSAPI authentication started
> SASL username: dwhite@EXAMPLE.NET
> dn:uid=dwhite@example.net,ou=people,dc=example,dc=net

Hmm, how about integrity checking?  If you want/need to protect your 
connection from substitution attacks or TCP hijacking then you should 
specify a maxssf of one.  The GSSAPI layer would then still carry a crypto 
hash of the data without encrypting it.

Philip Guenther