Comment 8 for bug 1912256

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

I have a build for kinetic which has two changes:
- enable channel binding
- allow setting maxssf=0 when using GSS-SPNEGO

The later might not be needed, as GSSAPI already supports maxssf=0, and adcli will forcibly select GSSAPI instead of GSS-SPNEGO if ldaps (ssl) is being used, exactly because not everybody might have that patch:

https://git.launchpad.net/ubuntu/+source/adcli/tree/library/adconn.c?h=ubuntu/kinetic-devel#n1090

    const char *mech = "GSSAPI";
    (...)
    /* There are issues with cryrus-sasl and GSS-SPNEGO with TLS even if
  * ssf_max is set to 0. To be on the safe side GSS-SPNEGO is only used
  * without LDAPS. */
 if (adcli_conn_server_has_sasl_mech (conn, "GSS-SPNEGO")
                      && !adcli_conn_get_use_ldaps (conn)) {
  mech = "GSS-SPNEGO";
 }

But without the second patch, using GSS-SPNEGO over ldaps:// against windows won't work (because -O maxssf=0 is ignored), so it's good to have I think.

I tested this against windows 2016 with LdapEnforceChannelBinding=2 and LDAPServerIntegrity=2 in the registry, and could verify that without the sasl changes, joining the domain with adcli/realmd run with --use-ldaps would not work. On kinetic so far.

I'm now trying to determine if I also need to pull in https://github.com/cyrusimap/cyrus-sasl/commit/8735185e9d5550e0f11e1ce4b77e391a16e4145b. There was a very technical discussion in the related issue at https://github.com/cyrusimap/cyrus-sasl/issues/637 involving RFCs and in the end the above commit landed, but only in master/main. I'm still unsure why that was needed if SASL_CBINDING defaults to "none":

  SASL_CBINDING <none/tls-unique/tls-endpoint>
  The channel-binding type to use, see also LDAP_OPT_X_SASL_CBINDING. The default is none.

I'm currently testing the patched library with other sasl-enabled services via gssapi and gss-spnego, to see if any of them complain about the channel binding patch.

The openldap test suite has a nice test for this at https://git.launchpad.net/ubuntu/+source/openldap/tree/tests/scripts/test077-sasl-gssapi?h=ubuntu/kinetic-devel#n175

I was expecting to be able to get ldap to fail if I enable it on the server, and not on the client, i.e.:

dn: cn=config
changetype: modify
replace: olcSaslCBinding
olcSaslCBinding: tls-unique

But whatever SASL_CBINDING setting I used on the client, the bind always worked (gssapi/gss-spnego + ldaps), so I'm still unsure if it's working as expected.

This on kinetic with openldap 2.5.12.