GSS-SPNEGO Protocol Details



Hello,

I've implemented SASL binds for GSSAPI and GSS-SPNEGO using a
Sockbuf_IO_Desc handler instead of libsasl. Everything works great
but I've noticed some behavior from the server I'm using that
is not consistent with the available documentation (RFC 2222 and
draft-ietf-sasl-gssapi-03 by Melnikov). Would anyone happen to know
where I might ask about GSS-SPNEGO protocol details? Is there an IETF
mailing list somewhere?

There are three issues:

  1) GSS-SPNEGO search replies are sealed even though the request was
  not and a capture of another client talking to the same server shows
  replies as integ-only. An examination of the captures of my code and
  the other client shows the packets are identical (minus BER encoding
  differences and encrypted krb5 bits).

  2) GSS-SPNEGO does not appear to use the additional bind exchange to
  negotiate the security-layer bit mask like GSSAPI does.

  3) GSSAPI can use what is apparently the DN of an account called the
  "authorization identity". The actual values for this field do not
  appear to be documented anywhere.

I don't suppose I should care since the code works fine but I do. Any
pointers are appreciated.

Mike
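
For reference, the additional GSSAPI bind exchange mentioned in issues 2 and 3 carries a small cleartext payload defined in RFC 2222 section 7.2.1. The following is an added example, not part of the original post or of any library's code: the function names are hypothetical, the authorization identity is treated as opaque bytes, and the GSS_Unwrap/GSS_Wrap calls around the payload are assumed to happen elsewhere.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Security-layer bits defined in RFC 2222 section 7.2.1. */
#define LAYER_NONE      0x01
#define LAYER_INTEGRITY 0x02
#define LAYER_PRIVACY   0x04

/* Parse the cleartext obtained by GSS_Unwrap on the server's last token:
 * octet 0 is the offered bit mask, octets 1-3 the largest message the
 * client may send, in network byte order. Returns 0, or -1 if malformed. */
int parse_server_layers(const uint8_t *buf, size_t len,
                        uint8_t *offered, uint32_t *max_send)
{
    if (buf == NULL || len < 4)
        return -1;
    *offered = buf[0];
    *max_send = ((uint32_t)buf[1] << 16) | ((uint32_t)buf[2] << 8) | buf[3];
    return (*offered & 0x07) ? 0 : -1;   /* -1: no known layer offered */
}

/* Strongest layer both sides accept; 0 means no common layer (abort). */
uint8_t choose_layer(uint8_t offered, uint8_t allowed)
{
    uint8_t common = offered & allowed;
    if (common & LAYER_PRIVACY)   return LAYER_PRIVACY;
    if (common & LAYER_INTEGRITY) return LAYER_INTEGRITY;
    return common & LAYER_NONE;
}

/* Build the cleartext the client hands to GSS_Wrap (conf_flag FALSE):
 * selected layer, 3-octet receive size, then the authorization identity
 * as opaque bytes. Returns the length written, or -1 on bad input. */
long build_client_reply(uint8_t layer, uint32_t max_recv,
                        const char *authzid, uint8_t *out, size_t cap)
{
    size_t idlen = authzid ? strlen(authzid) : 0;
    if (layer != LAYER_NONE && layer != LAYER_INTEGRITY && layer != LAYER_PRIVACY)
        return -1;                       /* exactly one bit must be set */
    if (max_recv > 0xFFFFFF || cap < 4 + idlen)
        return -1;                       /* size must fit in 24 bits */
    out[0] = layer;
    out[1] = (uint8_t)(max_recv >> 16);
    out[2] = (uint8_t)(max_recv >> 8);
    out[3] = (uint8_t)max_recv;
    if (idlen) memcpy(out + 4, authzid, idlen);
    return (long)(4 + idlen);
}
```

Logging the offered mask and the layer actually selected makes a mismatch between what was negotiated and how replies are protected visible in a capture comparison.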