Dan White wrote:
On 04/19/15 17:11 +0000, Osipov, Michael wrote:
On 04/15/15 21:10 +0000, Osipov, Michael wrote:
>Hi folks,
>
>I am binding against Active Directory with GSSAPI mech and would
like to
disable SASL integrity for debugging purposes with Wireshark.
Unfortunately, this call fails:
Setting a minssf should not be necessary. Do you also get this error
with
"maxssf=0"? "maxssf=1" may be a more workable option, since
encryption is
really what you want to turn off, not integrity.
Yes, the error remains the same. Maxssf=1 does not help because
integrity won't be disabled.
The encryption you are talking about is GSS confidentiality which
won't be active anyway with
maxssf=1.
I recall being able to capture GSSAPI traffic with wireshark several years
ago. I wasn't doing it programatically though. I was either using maxssf=1
or maxssf=0, and was likely using Heimdal.
If all you want is a readable packet log, you only need to disable
confidentiality, not integrity.
Meanwhile, you can just use libldap's packet logging if you want a
packet trace even with confidentiality.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
