On Fri, 12 Dec 2008, Dan White wrote:
> Jeremiah Martell wrote:
> > Is there a way, when calling "ldap_sasl_interactive_bind_s", to tell
> > it that when it does LDAP+GSSAPI authentication, only use GSSAPI for
> > authentication, and not confidentiality?
> >
> > In other words, just use GSSAPI to encrypt the authentication part,
> > but not all subsequent searches, etc.
>
> You can use SASL security properties to accomplish that.
...
> dwh...@zek:~$ ldapwhoami -Y GSSAPI -h ldap.example.net -O maxssf=0
> SASL/GSSAPI authentication started
> SASL username: [email protected]
> SASL SSF: 0
> dn:[email protected],ou=people,dc=example,dc=net

Hmm, how about integrity checking? If you want/need to protect your connection from substitution attacks or TCP hijacking then you should specify a maxssf of one. The GSSAPI layer would then still carry a crypto hash of the data without encrypting it.

Philip Guenther
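The security-property strings discussed in this thread (maxssf=0 for authentication only, an SSF of 1 for an integrity layer without encryption), as an added example that is not part of the thread: a small POSIX sh helper that maps a protection policy to the `-O` / `SASL_SECPROPS` value and then checks the `SASL SSF:` line the OpenLDAP tools print to confirm what GSSAPI actually negotiated. It also sets minssf, so a downgrade to SSF 0 is refused rather than silently accepted; the host name is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): map a protection policy to Cyrus SASL
# security properties and verify the SSF that GSSAPI actually negotiated.
# Cyrus SASL semantics assumed: SSF 0 = authentication only,
# SSF 1 = integrity only (MIC on each message), SSF > 1 = confidentiality.

# secprops POLICY -> prints the -O / SASL_SECPROPS string for that policy.
secprops() {
  case "$1" in
    auth-only)       echo "maxssf=0" ;;            # no security layer at all
    integrity)       echo "minssf=1,maxssf=1" ;;   # integrity only; minssf refuses SSF 0
    confidentiality) echo "minssf=56" ;;           # require encryption of at least 56-bit strength
    *) echo "unknown policy: $1" >&2; return 2 ;;
  esac
}

# negotiated_ssf < OUTPUT -> prints the SSF reported by ldapwhoami/ldapsearch.
negotiated_ssf() {
  sed -n 's/^SASL SSF: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# check_ssf POLICY < OUTPUT -> exit 0 only if the negotiated SSF satisfies POLICY.
check_ssf() {
  ssf=$(negotiated_ssf)
  [ -n "$ssf" ] || { echo "no 'SASL SSF:' line in output" >&2; return 2; }
  case "$1" in
    auth-only)       [ "$ssf" -eq 0 ] ;;
    integrity)       [ "$ssf" -eq 1 ] ;;
    confidentiality) [ "$ssf" -ge 56 ] ;;
    *) return 2 ;;
  esac
}

# Live usage (needs a Kerberos ticket; LDAP_HOST is a placeholder for your server):
#   ldapwhoami -Y GSSAPI -H "ldap://${LDAP_HOST:-ldap.example.net}" \
#     -O "$(secprops integrity)" 2>&1 | tee /dev/stderr | check_ssf integrity \
#     && echo "integrity layer negotiated"
```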
