
RE: How to disable SSF (integrity) on GSSAPI mech?



> Dan White wrote:
> > On 04/19/15 17:11 +0000, Osipov, Michael wrote:
> >>> On 04/15/15 21:10 +0000, Osipov, Michael wrote:
> >>> >Hi folks,
> >>> >
> >>> >I am binding against Active Directory with GSSAPI mech and would
> >>> >like to disable SASL integrity for debugging purposes with Wireshark.
> >>> >Unfortunately, this call fails:
> >>
> >>> Setting a minssf should not be necessary. Do you also get this error
> >>> with
> >>> "maxssf=0"? "maxssf=1" may be a more workable option, since
> >>> encryption is
> >>> really what you want to turn off, not integrity.
> >>
> >> Yes, the error remains the same. Maxssf=1 does not help because
> >> integrity won't be disabled.
> >> The encryption you are talking about is GSS confidentiality which
> >> won't be active anyway with
> >> maxssf=1.
> >
> > I recall being able to capture GSSAPI traffic with wireshark several years
> > ago. I wasn't doing it programmatically though. I was either using maxssf=1
> > or maxssf=0, and was likely using Heimdal.
> >
> If all you want is a readable packet log, you only need to disable
> confidentiality, not integrity.

This is what I did, but having a look at the Wireshark output, you'll
see SASL GSS-API Integrity with a hexdump of the data, not a browseable
structure.
 
> Meanwhile, you can just use libldap's packet logging if you want a
> packet trace even with confidentiality.

To be honest, the documentation is extremely short on that.
I tried debugging with ldapsearch first and did not find any enumeration
of the debug levels. Only googling revealed level 7. After that, I tried to
apply that to my code by reading ldapsearch.c/common.c, but it did not work.
I ended up reverse engineering other source code and did

#include <ldap.h>   /* ldap_set_option, LDAP_OPT_DEBUG_LEVEL */
#include <lber.h>   /* ber_set_option, LBER_OPT_BER_DEBUG */

int rc, debug_level = -1;   /* -1: every LDAP_DEBUG_* bit, same as ldapsearch -d -1 */
rc = ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, &debug_level); /* NULL ld: library-wide */
ber_set_option(NULL, LBER_OPT_BER_DEBUG, &debug_level);         /* NULL ber: also dump the BER */

I am still not happy with that.

Michael