Re: Channel bindings
- To: Howard Chu <hyc@symas.com>
- Subject: Re: Channel bindings
- From: Michael Ströder <michael@stroeder.com>
- Date: Tue, 22 Nov 2011 10:07:39 +0100
- Cc: "OpenLDAP-devel@openldap.org" <OpenLDAP-devel@openldap.org>
- In-reply-to: <4ECAF67C.4090006@symas.com>
- References: <4ECAF67C.4090006@symas.com>
- User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:7.0.1) Gecko/20110928 Firefox/7.0.1 SeaMonkey/2.4.1
Howard Chu wrote:
> Now that Cyrus SASL 2.1.25 is out with channel binding support, we should be
> looking into adding the hooks needed to use it. I believe what we want to
> expose is an ldap_get_option(ld, LDAP_OPT_X_TLS_BINDING, &foo) to retrieve the
> tls-unique binding data from the underlying TLS session. Then we pass this
> into SASL using sasl_setprop(ctx, SASL_CHANNEL_BINDING, foo). The actual
> ldap_get_option() code will have to be added for each TLS implementation.
How can I use it from python-ldap? python-ldap is mainly a wrapper around the
OpenLDAP client libs. Everything which can be done within C has to be exposed
in this wrapper module. I guess wrapper modules for other scripting languages
have the same requirements.
SASL params (SASL_CB_* in sasl.h) are usually passed to cyrus-sasl by a
call-back dictionary. But I guess it should be possible to set
SASL_CHANNEL_BINDING via ldap_set_option().
Puuh, I'm not really familiar with the C APIs as I did not write the C parts
of python-ldap...
Ciao, Michael.