[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: GSSAPI vs GSS-SPNEGO

To: Dan White <dwhite@cafedemocracy.org>
Subject: Re: GSSAPI vs GSS-SPNEGO
From: Brendan Kearney <bpk678@gmail.com>
Date: Sat, 27 Dec 2014 11:15:15 -0500
Cc: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:subject:from:to:cc:date:in-reply-to:references :content-type:mime-version:content-transfer-encoding; bh=D1mksLDh361ioUSoeQ3a7n31kAzZDuNDtrIBzuqZnFU=; b=SzR+DuZ3vyosPLiHMhv3axhffBSxDagBN7XCQaIYBLVLl5iQSp8FCumYTkhLyEijx3 xXv88LQFPu5UtM6lzAduUvH/G+UX3c5XX1Wg1hvEelLQGADn8oszrRBiW26fRlvHbZva 5WqJsZemgzjTd5naY88M2XUaRobvWYaJ2qjgZDGod/u5gqT0hSxy2zwUHMYuQ1hU1gNO RQLMeZmSSYNJFmSjvfTInJCPc0AYGI1q4o3znggE+lteNdwH/7I1rkQXB/dgtOeAh/xv n5AktbHT8dCF/jEa6OP8e/nNeMt2ZNlA5sq+XDV5QLJV1OjgOdjQoRy/yI1HeEwQmalH C3qw==
In-reply-to: <20141226205306.GB3952@dan.olp.net>
References: <1419613817.27764.6.camel@desktop.bpk2.com> <20141226205306.GB3952@dan.olp.net>

On Fri, 2014-12-26 at 14:53 -0600, Dan White wrote:
> On 12/26/14 12:10 -0500, Brendan Kearney wrote:
> >i am in the process of updating all of my systems to fedora 20 from
> >fedora 16, and am using all the latest available builds for openldap,
> >cyrus-sasl and mit kerberos.  i have put everything together as i had on
> >fedora 16, and i am finding that the sasl instance is using
> >sasl/gss-spnego, and not sasl/gssapi like it did on the older version.
> >
> >i am not sure if i should be concerned about this, but it feels like i
> >should be.  i am not able to find anything that allow me to configure
> >things one way or another, so i can force the use of gssapi from
> >configs, it seems.
> >
> >can anyone point me in a direction about this, tell me if i should be
> >concerned, or if you might have come across this before what i should be
> >doing that i am not?
> 
> To limit the use of specific sasl mechanisms, configure a libsasl
> slapd.conf file which contains a 'mech_list' option explicitly listing the
> mechanisms (space separated) you wish to offer.
> 
> Consult the fedora documentation for both slapd and libsasl2 for the
> location to place the slapd.conf file in.
> 
> To obtain a list of advertised mechanisms, do:
> 
> ldapsearch -LLL -x -H ldap://ldap.example.org -s "base" -b "" supportedSASLMechanisms
> 
> You should also force your clients to use gssapi explicitly if that's your
> preferred mechanism. The OpenLDAP client utilities offer a '-Y' option for
> to do that.
> 

kudos and thanks to mr. white.  /etc/sasl2/slapd.conf containing
"mech_list: gssapi" did the trick.

having put this in brought to mind something i will be looking to do in
the near future, and i am now wondering if i am limiting myself in that
effort.

i want to use the "pass-through" auth mechanism with sasl, so that i
validate credentials against the kerberos database, and not have to
maintain passwords in multiple places.  right now, saslauthd is
configured and if i test with my id, i get OK/Success back.

it seems i need to add PLAIN to the "mech_list" along with maybe a
couple other directives for this to be enabled.  i have olcSaslSecProps
set to "noanonymous,noplain", so i am assuming i will need to remove the
"noplain".

being that this weakens a security posture (at least it looks to do so),
what can be done to mitigate the risk.  i would imagine tls is one step,
but would any other steps be necessary?  acls can help, too, but the
plain bind/auth would have already occurred.

Follow-Ups:
- Re: GSSAPI vs GSS-SPNEGO
  - From: Howard Chu <hyc@symas.com>

References:
- GSSAPI vs GSS-SPNEGO
  - From: Brendan Kearney <bpk678@gmail.com>
- Re: GSSAPI vs GSS-SPNEGO
  - From: Dan White <dwhite@cafedemocracy.org>

Prev by Date: Re: GSSAPI vs GSS-SPNEGO
Next by Date: Re: GSSAPI vs GSS-SPNEGO
Index(es):
- Chronological
- Thread