> Dan White wrote:
> > On 04/19/15 17:11 +0000, Osipov, Michael wrote:
> >>> On 04/15/15 21:10 +0000, Osipov, Michael wrote:
> >>> >Hi folks,
> >>> >
> >>> >I am binding against Active Directory with GSSAPI mech and would like to
> >>> >disable SASL integrity for debugging purposes with Wireshark.
> >>> >Unfortunately, this call fails:
> >>
> >>> Setting a minssf should not be necessary. Do you also get this error with
> >>> "maxssf=0"? "maxssf=1" may be a more workable option, since encryption is
> >>> really what you want to turn off, not integrity.
> >>
> >> Yes, the error remains the same. Maxssf=1 does not help because
> >> integrity won't be disabled.
> >> The encryption you are talking about is GSS confidentiality which
> >> won't be active anyway with maxssf=1.
> >
> > I recall being able to capture GSSAPI traffic with wireshark several years
> > ago. I wasn't doing it programmatically though. I was either using maxssf=1
> > or maxssf=0, and was likely using Heimdal.
>
> If all you want is a readable packet log, you only need to disable
> confidentiality, not integrity.
This is what I did, but having a look at the Wireshark output, you'll see "SASL GSS-API Integrity" with a hexdump of the data, not a browsable structure.

> Meanwhile, you can just use libldap's packet logging if you want a
> packet trace even with confidentiality.

To be honest, the documentation is extremely short on that. I have tried debugging on ldapsearch first and did not find any enumeration of the debug levels. Only googling revealed level 7. After that, I tried to apply that to my code by reading ldapsearch.c/common.c; it did not work. I ended by reverse engineering other source code and did

    int debug_level = -1;
    rc = ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, &debug_level);
    ber_set_option(NULL, LBER_OPT_BER_DEBUG, &debug_level);

I am still not happy with that.

Michael
