Re: Disable GSSAPI confidentiality

Jeremiah Martell wrote:

Is there a way, when calling "ldap_sasl_interactive_bind_s", to tell
it that when it does LDAP+GSSAPI authentication, only use GSSAPI for
authentication, and not confidentiality?

In other words, just use GSSAPI to encrypt the authentication part,
but not all subsequent searches, etc.

Thanks,

Jeremiah,

You can use SASL security properties to accomplish that.

For instance:

dwhite@zek:~$ ldapwhoami -Y GSSAPI -h ldap.example.net
SASL/GSSAPI authentication started
SASL username: dwhite@EXAMPLE.NET
SASL SSF: 56
SASL data security layer installed.
dn:uid=dwhite@example.net,ou=people,dc=example,dc=net

dwhite@zek:~$ ldapwhoami -Y GSSAPI -h ldap.example.net -O maxssf=0
SASL/GSSAPI authentication started
SASL username: dwhite@EXAMPLE.NET
SASL SSF: 0
dn:uid=dwhite@example.net,ou=people,dc=example,dc=net

Programmatically, I think you would pass the string 'maxssf=0' within
your call.

As for the authentication step, GSSAPI should be secured based on your
ticket negotiation regardless of the SSF setting, I believe.

- Dan
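
A check on what the two ldapwhoami runs above negotiated, as an added example that is not part of the original thread: it reads a transcript and reports whether the bind left no SASL layer, an integrity-only layer, or an encrypting one. The function names are hypothetical, and the SSF mapping (0 = no layer, 1 = integrity only, above 1 = encryption) is the Cyrus SASL convention, stated here as an assumption about the SASL library in use.

```shell
#!/bin/sh
# Added example: classify the SASL protection an ldapwhoami run negotiated,
# from its transcript on stdin. OpenLDAP tools write the SASL status lines
# to stderr, so capture a live run with: ldapwhoami ... 2>&1

# Print the negotiated SSF; return 2 if the transcript has no "SASL SSF:" line
# (for example because the bind never completed).
sasl_ssf() {
    awk -F': *' '/^SASL SSF:/ { print $2 + 0; found = 1; exit }
                 END { if (!found) exit 2 }'
}

# Print none | integrity | confidentiality for the transcript on stdin.
# Assumed Cyrus SASL convention: SSF 0 = no layer, 1 = integrity, >1 = encryption.
# Return 2 if there is no SSF line, 3 if the layer line contradicts the SSF.
sasl_protection() {
    transcript=$(cat)
    ssf=$(printf '%s\n' "$transcript" | sasl_ssf) || return 2
    if printf '%s\n' "$transcript" | grep -q '^SASL data security layer installed'; then
        layer=1
    else
        layer=0
    fi
    if [ "$ssf" -eq 0 ] && [ "$layer" -eq 0 ]; then echo none
    elif [ "$ssf" -eq 1 ] && [ "$layer" -eq 1 ]; then echo integrity
    elif [ "$ssf" -gt 1 ] && [ "$layer" -eq 1 ]; then echo confidentiality
    else return 3
    fi
}

# The two transcripts shown in the message above (command lines omitted).
default_run='SASL/GSSAPI authentication started
SASL username: dwhite@EXAMPLE.NET
SASL SSF: 56
SASL data security layer installed.
dn:uid=dwhite@example.net,ou=people,dc=example,dc=net'

maxssf0_run='SASL/GSSAPI authentication started
SASL username: dwhite@EXAMPLE.NET
SASL SSF: 0
dn:uid=dwhite@example.net,ou=people,dc=example,dc=net'

printf 'default:  %s\n' "$(printf '%s\n' "$default_run" | sasl_protection)"
printf 'maxssf=0: %s\n' "$(printf '%s\n' "$maxssf0_run" | sasl_protection)"
```

In libldap the same property string is applied with `ldap_set_option(ld, LDAP_OPT_X_SASL_SECPROPS, "maxssf=0")` before the bind. With the layer off, every operation after the bind crosses the wire without SASL protection.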