Re: GSS-SPNEGO Protocol Details

[Howard Chu <hyc@symas.com>]

Michael B Allen wrote:
> Hello,
>
> I've implemented SASL binds for GSSAPI and GSS-SPNEGO using a
> Sockbuf_IO_Desc handler instead of libsasl. Everything works great
> but I've noticed some behavior from the server I'm using that
> is not consistent with the available documentation (RFC 2222 and
> draft-ietf-sasl-gssapi-03 by Melnikov). Would anyone happen to know
> where I might ask about GSS-SPNEGO protocol details? Is there an IETF
> mailing list somewhere?

Have you already read RFC2478?

> There are three issues:
>
>   1) GSS-SPNEGO search replies are sealed even though the request was
>   not and a capture of another client talking to the same server shows
>   replies as integ-only. A examination of the captures of my code and
>   the other client shows the packets are identical (minus ber encoding
>   differences and encrypted krb5 bits).

That would normally require the confidentiality flag to be set on the 
ContextFlags of the NegotiationToken.
>   2) GSS-SPNEGO does not appear to use the additional bind exchange to
>   negotiate the security-layer bit mask like GSSAPI does.
>
>   3) GSSAPI can use what is apparently the DN of an account called the
>   "authorization identity". The actual values for this field do not
>   appear to be documented anywhere.

An authorization identity is a standard concept in SASL. It can be a simple 
username or a DN.
> I don't suppose I should care since the code works fine but I do. Any
> pointers are appreciated.
>
> Mike
> .


--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/