
(ITS#6110) GSSAPI signing/encryption for unsuspecting applications

Full_Name: Mike Becher
Version: 2.4.16 or HEAD
OS: Linux
URL: ftp://ftp.openldap.org/incoming/mike-becher-090512.libraries-libldap.patch
Submission from: (NULL) (84.150.169.165)


patch file name: mike-becher-090512.libraries-libldap-gssapi.1.patch
patch subject: GSSAPI signing/encryption for unsuspecting applications

ftp://ftp.openldap.org/incoming/mike-becher-090512.libraries-libldap.patch

This patch (see above) introduces a function hook and an additional ldap.conf
or ldaprc option GSSAPI_TRY_GSSAPI_BIND_S_IN_SASL_INTERACTIVE_BIND_S which
enables unsuspecting applications to make use of GSSAPI-based
authentication, signing, and/or encryption.
This is very useful if you are connected to MS Active Directory with
"LDAP server signing requirements" set to required (i.e. switched on) and your
software (for example pam_ldap or nss_ldap) doesn't know about that requirement.
Additionally, if a user does not want to use this feature, s/he can switch it
off on demand.

Excerpt from the manual page enhancement:
From a technical point of view, this (hook and option) enables a call to
ldap_gssapi_bind_s() at the beginning of ldap_sasl_interactive_bind_s(). If
ldap_gssapi_bind_s() returns LDAP_SUCCESS, the SASL code of
ldap_sasl_interactive_bind_s() is skipped. Otherwise ldap_sasl_interactive_bind_s()
is executed as usual. If this option is switched on and an application makes use
of ldap_sasl_interactive_bind_s() but doesn't know anything about
ldap_gssapi_bind_s(), it is still able to use GSSAPI signing and encryption.

NOTE(s):
This patch makes the patches of
 * ITS#6091: missing implementation of "switch off" functionality of GSSAPI OPTIONS
 * ITS#6092: correct string problem in guess_service_principal()
 * ITS#6093: correct hostname resolving problem in guess_service_principal()
obsolete.
Thanks to Hallvard B Furuseth for his comments on ITS#6092, which
resulted in a rewrite of that code snippet.