[Date Prev][Date Next]
Re: Disable GSSAPI confidentiality
On Fri, 12 Dec 2008, Dan White wrote:
> Jeremiah Martell wrote:
> > Is there a way, when calling "ldap_sasl_interactive_bind_s", to tell
> > it that when it does LDAP+GSSAPI authentication, only use GSSAPI for
> > authentication, and not confidentiality?
> > In other words, just use GSSAPI to encrypt the authentication part,
> > but not all subsequent searches, etc.
> You can use SASL security properties to accomplish that.
> dwhite@zek:~$ ldapwhoami -Y GSSAPI -h ldap.example.net -O maxssf=0
> SASL/GSSAPI authentication started
> SASL username: dwhite@EXAMPLE.NET
> SASL SSF: 0
Hmm, how about integrity checking? If you want/need to protect your
connection from substitution attacks or TCP hijacking then you should
specify a maxssf of one. The GSSAPI layer would then still carry a crypto
hash of the data without encrypting it.