On Fri, Dec 12, 2008 at 1:51 PM, Philip Guenther <[email protected]> wrote:
> On Fri, 12 Dec 2008, Dan White wrote:
>> Jeremiah Martell wrote:
>> > Is there a way, when calling "ldap_sasl_interactive_bind_s", to tell
>> > it that when it does LDAP+GSSAPI authentication, only use GSSAPI for
>> > authentication, and not confidentiality?
>> >
>> > In other words, just use GSSAPI to encrypt the authentication part,
>> > but not all subsequent searches, etc.
>>
>> You can use SASL security properties to accomplish that.
> ...
>> dwh...@zek:~$ ldapwhoami -Y GSSAPI -h ldap.example.net -O maxssf=0
>> SASL/GSSAPI authentication started
>> SASL username: [email protected]
>> SASL SSF: 0
>> dn:[email protected],ou=people,dc=example,dc=net
>
> Hmm, how about integrity checking? If you want/need to protect your
> connection from substitution attacks or TCP hijacking then you should
> specify a maxssf of one. The GSSAPI layer would then still carry a crypto
> hash of the data without encrypting it.
>
>
> Philip Guenther
>
Interesting. I wanted to do this because Microsoft servers complain about
redundant encryption. If your GSSAPI provides confidentiality, and you're
trying to use TLS, they barf out this error:

    Cannot start kerberos signing/sealing when using TLS/SSL

I just verified that if I set maxssf=0 like Dan said, it makes GSSAPI not
do confidentiality, and then when I use TLS with GSSAPI, I don't get that
error anymore.

I'll experiment with setting it to 1, but perhaps I'm already protected by
using TLS from the things you mentioned?

Thanks,
--
- Jeremiah Martell
http://inlovewithGod.com
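The two settings discussed in this thread, written out as an OpenLDAP client configuration (ldap.conf(5) or ~/.ldaprc) with the equivalent ldapwhoami command lines as comments. This is an added example, not something posted in the thread or shipped by OpenLDAP; the URI, base DN and CA bundle path are assumptions.

```conf
# Added example (not from the thread): OpenLDAP client settings for the two
# cases discussed above. Lives in /etc/ldap/ldap.conf or ~/.ldaprc; the -O
# flag on the ldap* tools overrides SASL_SECPROPS for a single command.
# URI, BASE and TLS_CACERT values below are assumed.

URI     ldap://ldap.example.net
BASE    dc=example,dc=net

# Case 1: Active Directory behind StartTLS. TLS already provides integrity
# and confidentiality, and AD refuses a GSSAPI security layer on top of it
# ("Cannot start kerberos signing/sealing when using TLS/SSL"), so cap the
# SASL layer at SSF 0. -ZZ makes the tool fail instead of continuing in
# cleartext when StartTLS cannot be negotiated.
#   ldapwhoami -Y GSSAPI -ZZ -O maxssf=0
TLS_REQCERT     demand
# path assumed; point at the CA that issued the directory server's cert
TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
SASL_SECPROPS   maxssf=0

# Case 2: no TLS, so let the GSSAPI layer protect the session instead.
# maxssf=1 only caps the layer at integrity (no encryption); on its own it
# still allows a bind that negotiates no layer at all (SSF 0). Add minssf=1
# so such a bind fails rather than silently running unprotected.
#   ldapwhoami -Y GSSAPI -O minssf=1,maxssf=1
# Only one SASL_SECPROPS line can be active, so this one is commented out.
#SASL_SECPROPS   minssf=1,maxssf=1
```

With maxssf=0 in effect, a connection that does not also use TLS carries every subsequent search and result in cleartext, so the first configuration only makes sense together with -ZZ (or an ldaps:// URI). The "SASL SSF: 0" line the tools print refers to the SASL security layer only; with -ZZ the command aborts before the bind if the TLS handshake did not happen, which is the check that the session is still protected.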
