[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: How to disable SSF (integrity) on GSSAPI mech?

To: Dan White <dwhite@cafedemocracy.org>
Subject: RE: How to disable SSF (integrity) on GSSAPI mech?
From: "Osipov, Michael" <michael.osipov@siemens.com>
Date: Tue, 21 Apr 2015 07:50:56 +0000
Accept-language: de-DE, en-US
Cc: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Content-language: de-DE
In-reply-to: <55355F6E.9060304@symas.com>
References: <68644224DA0DE64CA5A49838ED219A0425A4769D@DEFTHW99EJ5MSX.ww902.siemens.net> <20150417202600.GA3803@dan.olp.net> <68644224DA0DE64CA5A49838ED219A0425A4E344@DEFTHW99EJ5MSX.ww902.siemens.net> <20150420200735.GH3802@dan.olp.net> <55355F6E.9060304@symas.com>
Thread-index: AdB3wIpFgi17sq0bTSmpPmB0Xx6M/QBe2p6AAGGj13AANJdQAAAAbpEAABxQrjA=
Thread-topic: How to disable SSF (integrity) on GSSAPI mech?

> Dan White wrote:
> > On 04/19/15 17:11 +0000, Osipov, Michael wrote:
> >>> On 04/15/15 21:10 +0000, Osipov, Michael wrote:
> >>> >Hi folks,
> >>> >
> >>> >I am binding against Active Directory with GSSAPI mech and would
> >>> like to
> >>> disable SASL integrity for debugging purposes with Wireshark.
> >>> Unfortunately, this call fails:
> >>
> >>> Setting a minssf should not be necessary. Do you also get this error
> >>> with
> >>> "maxssf=0"? "maxssf=1" may be a more workable option, since
> >>> encryption is
> >>> really what you want to turn off, not integrity.
> >>
> >> Yes, the error remains the same. Maxssf=1 does not help because
> >> integrity won't be disabled.
> >> The encryption you are talking about is GSS confidentiality which
> >> won't be active anyway with
> >> maxssf=1.
> >
> > I recall being able to capture GSSAPI traffic with wireshark several
> years
> > ago. I wasn't doing it programatically though. I was either using
> maxssf=1
> > or maxssf=0, and was likely using Heimdal.
> >
> If all you want is a readable packet log, you only need to disable
> confidentiality, not integrity.

This is what I did but having a look at the Wireshark output, you'll
See SASL GSS-API Integrity with a hexdump of the data not a browseable
Structure. 
 
> Meanwhile, you can just use libldap's packet logging if you want a
> packet trace even with confidentiality.

To be honest, the documentation is extremely short on that.
I have tried debugging on ldapsearch first and did not find any enumeration
of the debug levels. Only googling revealed level 7. After that, I tried to
apply that to my code by reading ldapsearch.c/common.c it did not work.
I ended by reverse engineering other source code and did

int debug_level = -1;
rc = ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, &debug_level);
ber_set_option(NULL, LBER_OPT_BER_DEBUG, &debug_level);

I am still not happy with that.

Michael

References:
- How to disable SSF (integrity) on GSSAPI mech?
  - From: "Osipov, Michael" <michael.osipov@siemens.com>
- Re: How to disable SSF (integrity) on GSSAPI mech?
  - From: Dan White <dwhite@cafedemocracy.org>
- RE: How to disable SSF (integrity) on GSSAPI mech?
  - From: "Osipov, Michael" <michael.osipov@siemens.com>
- Re: How to disable SSF (integrity) on GSSAPI mech?
  - From: Dan White <dwhite@cafedemocracy.org>
- Re: How to disable SSF (integrity) on GSSAPI mech?
  - From: Howard Chu <hyc@symas.com>

Prev by Date: LMDB space amplification
Next by Date: R: Antw: Re: Elapsed Time logging
Index(es):
- Chronological
- Thread