I have a build for kinetic which has two changes:
- enable channel binding
- allow setting maxssf=0 when using GSS-SPNEGO
The later might not be needed, as GSSAPI already supports maxssf=0, and adcli will forcibly select GSSAPI instead of GSS-SPNEGO if ldaps (ssl) is being used, exactly because not everybody might have that patch:
const char *mech = "GSSAPI";
(...)
/* There are issues with cryrus-sasl and GSS-SPNEGO with TLS even if
* ssf_max is set to 0. To be on the safe side GSS-SPNEGO is only used
* without LDAPS. */
if (adcli_conn_server_has_sasl_mech (conn, "GSS-SPNEGO") && !adcli_conn_get_use_ldaps (conn)) {
mech = "GSS-SPNEGO";
}
But without the second patch, using GSS-SPNEGO over ldaps:// against windows won't work (because -O maxssf=0 is ignored), so it's good to have I think.
I tested this against windows 2016 with LdapEnforceChannelBinding=2 and LDAPServerIntegrity=2 in the registry, and could verify that without the sasl changes, joining the domain with adcli/realmd run with --use-ldaps would not work. On kinetic so far.
SASL_CBINDING <none/tls-unique/tls-endpoint>
The channel-binding type to use, see also LDAP_OPT_X_SASL_CBINDING. The default is none.
I'm currently testing the patched library with other sasl-enabled services via gssapi and gss-spnego, to see if any of them complain about the channel binding patch.
But whatever SASL_CBINDING setting I used on the client, the bind always worked (gssapi/gss-spnego + ldaps), so I'm still unsure if it's working as expected.
I have a build for kinetic which has two changes:
- enable channel binding
- allow setting maxssf=0 when using GSS-SPNEGO
The later might not be needed, as GSSAPI already supports maxssf=0, and adcli will forcibly select GSSAPI instead of GSS-SPNEGO if ldaps (ssl) is being used, exactly because not everybody might have that patch:
https:/ /git.launchpad. net/ubuntu/ +source/ adcli/tree/ library/ adconn. c?h=ubuntu/ kinetic- devel#n1090
const char *mech = "GSSAPI"; conn_server_ has_sasl_ mech (conn, "GSS-SPNEGO")
&& !adcli_ conn_get_ use_ldaps (conn)) {
(...)
/* There are issues with cryrus-sasl and GSS-SPNEGO with TLS even if
* ssf_max is set to 0. To be on the safe side GSS-SPNEGO is only used
* without LDAPS. */
if (adcli_
mech = "GSS-SPNEGO";
}
But without the second patch, using GSS-SPNEGO over ldaps:// against windows won't work (because -O maxssf=0 is ignored), so it's good to have I think.
I tested this against windows 2016 with LdapEnforceChan nelBinding= 2 and LDAPServerInteg rity=2 in the registry, and could verify that without the sasl changes, joining the domain with adcli/realmd run with --use-ldaps would not work. On kinetic so far.
I'm now trying to determine if I also need to pull in https:/ /github. com/cyrusimap/ cyrus-sasl/ commit/ 8735185e9d5550e 0f11e1ce4b77e39 1a16e4145b. There was a very technical discussion in the related issue at https:/ /github. com/cyrusimap/ cyrus-sasl/ issues/ 637 involving RFCs and in the end the above commit landed, but only in master/main. I'm still unsure why that was needed if SASL_CBINDING defaults to "none":
SASL_CBINDING <none/tls- unique/ tls-endpoint> X_SASL_ CBINDING. The default is none.
The channel-binding type to use, see also LDAP_OPT_
I'm currently testing the patched library with other sasl-enabled services via gssapi and gss-spnego, to see if any of them complain about the channel binding patch.
The openldap test suite has a nice test for this at https:/ /git.launchpad. net/ubuntu/ +source/ openldap/ tree/tests/ scripts/ test077- sasl-gssapi? h=ubuntu/ kinetic- devel#n175
I was expecting to be able to get ldap to fail if I enable it on the server, and not on the client, i.e.:
dn: cn=config
changetype: modify
replace: olcSaslCBinding
olcSaslCBinding: tls-unique
But whatever SASL_CBINDING setting I used on the client, the bind always worked (gssapi/gss-spnego + ldaps), so I'm still unsure if it's working as expected.
This on kinetic with openldap 2.5.12.