[krbdev.mit.edu #6938] krb5 and ldap signed traffic
Arlene Berry via RT
rt-comment at krbdev.mit.edu
Mon Jul 25 00:14:25 EDT 2011
Microsoft has a GSS-SPNEGO sasl method for ldap. It looks at whether GSS_C_INTEG_FLAG and GSS_C_CONF_FLAG are requested in the AP_REQ to determine the message protection level. If you don't want all of your ldap traffic to be encrypted then you can't hardcode the flags in the AP_REQ.
Index: src/lib/gssapi/krb5/init_sec_context.c
===================================================================
--- src/lib/gssapi/krb5/init_sec_context.c (revision 25023)
+++ src/lib/gssapi/krb5/init_sec_context.c (working copy)
@@ -587,9 +587,9 @@
}
ctx->initiate = 1;
- ctx->gss_flags = (GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG |
- GSS_C_TRANS_FLAG |
+ ctx->gss_flags = (GSS_C_TRANS_FLAG |
((req_flags) & (GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG |
+ GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG |
GSS_C_SEQUENCE_FLAG | GSS_C_DELEG_FLAG |
GSS_C_DCE_STYLE | GSS_C_IDENTIFY_FLAG |
GSS_C_EXTENDED_ERROR_FLAG)));
Index: src/lib/gssapi/spnego/spnego_mech.c
===================================================================
--- src/lib/gssapi/spnego/spnego_mech.c (revision 25023)
+++ src/lib/gssapi/spnego/spnego_mech.c (working copy)
@@ -842,7 +842,7 @@
&sc->ctx_handle,
target_name,
sc->internal_mech,
- (req_flags | GSS_C_INTEG_FLAG),
+ req_flags,
time_req,
GSS_C_NO_CHANNEL_BINDINGS,
mechtok_in,
More information about the krb5-bugs
mailing list