Jeremiah Martell wrote:
Is there a way, when calling "ldap_sasl_interactive_bind_s", to tell
it that when it does LDAP+GSSAPI authentication, only use GSSAPI for
authentication, and not confidentiality?

In other words, just use GSSAPI to encrypt the authentication part,
but not all subsequent searches, etc.

Thanks,

Jeremiah,

You can use SASL security properties to accomplish that.

For instance:

dwh...@zek:~$ ldapwhoami -Y GSSAPI -h ldap.example.net
SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 56
SASL data security layer installed.
dn:[email protected],ou=people,dc=example,dc=net

dwh...@zek:~$ ldapwhoami -Y GSSAPI -h ldap.example.net -O maxssf=0
SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 0
dn:[email protected],ou=people,dc=example,dc=net

Programmatically, I think you would pass the string 'maxssf=0' within your call.

As for the authentication step, GSSAPI should be secured based on your ticket negotiation regardless of the SSF setting, I believe.

- Dan
