LDAP Channel Binding

Michael Osipov 1983-01-06 at gmx.net
Sun Feb 16 10:02:16 UTC 2020


On 2020-02-14 at 15:53, Weijun Wang wrote:
>
>
>> On Jan 22, 2020, at 6:31 AM, Michael Osipov <1983-01-06 at gmx.net> wrote:
>>
>> On 2020-01-21 at 17:57, Bernd Eckenfels wrote:
>>> Hello,
>>>
>>> I have now repeated the tests with LdapEnforceChannelBinding=2 and I
>>> could see the rejection with error code 80090346 for GSSAPI and
>>> DIGEST-MD5 with TLS.
>>>
>>> The simple bind with TLS and the GSSAPI or DIGEST-MD5 without TLS but
>>> with auth-int/conf all work with signing and binding required (i.e.
>>> after Microsoft changed defaults in March)
>>>
>>> (Which makes the TLS binding a bit useless, but we should still think
>>> about supporting it.)
>>>
>>> JGSS seems to already allow setting it, so only JSSE needs to provide
>>> an API for SASL/JNDI.
>>
>> How? I am confused! The Kerberos SaslClient does not use/set GSS channel
>> bindings. I don't see any in com.sun.security.sasl.gsskerb.
>
> Are you suggesting any change here? JGSS has channel binding method but the SASL mech has not called it.

None yet, because we do not know what channel binding is actually used.
We assume that MS uses TLS channel binding regardless of the underlying
authentication scheme.

M
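As an added illustration (not code from this thread, nor from the JDK or any project discussed in it), the snippet below shows what wiring the JGSS channel-binding method Weijun mentions to a TLS session would look like. It assumes, as Michael does above, that the server enforces a TLS channel binding, and further assumes the RFC 5929 tls-server-end-point form carried as "tls-server-end-point:" plus the certificate hash in the channel-binding application data, which is the layout Windows SSPI uses; the class and method names are made up.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.Locale;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSocket;
import org.ietf.jgss.ChannelBinding;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;

/** Hypothetical helper: derives an RFC 5929 tls-server-end-point binding from the
 *  LDAPS server's end-entity certificate and attaches it to a JGSS context. */
public final class TlsServerEndPointBinding {

    // RFC 5929 section 4.1: hash with the certificate's signature hash algorithm,
    // except that MD5 and SHA-1 are replaced by SHA-256. Algorithms without a
    // recognizable "<hash>with<sig>" name fall back to SHA-256 (assumption).
    static String hashFor(String sigAlgName) {
        String alg = sigAlgName.toUpperCase(Locale.ROOT);
        int idx = alg.indexOf("WITH");
        String hash = idx > 0 ? alg.substring(0, idx) : "SHA256";
        if (hash.equals("MD5") || hash.equals("SHA1") || hash.equals("SHA-1")) {
            return "SHA-256";
        }
        // JCA spells the digests "SHA-256", "SHA-384", "SHA-512".
        return hash.startsWith("SHA") && !hash.contains("-")
                ? "SHA-" + hash.substring(3) : hash;
    }

    static byte[] tlsServerEndPoint(X509Certificate cert)
            throws CertificateEncodingException, NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance(hashFor(cert.getSigAlgName()));
        return md.digest(cert.getEncoded());
    }

    // Windows SSPI puts "tls-server-end-point:" + hash in the application_data
    // field of the channel bindings; JGSS exposes that field as appData.
    static ChannelBinding channelBindingFor(X509Certificate cert)
            throws CertificateEncodingException, NoSuchAlgorithmException {
        byte[] prefix = "tls-server-end-point:".getBytes(StandardCharsets.US_ASCII);
        byte[] hash = tlsServerEndPoint(cert);
        byte[] appData = new byte[prefix.length + hash.length];
        System.arraycopy(prefix, 0, appData, 0, prefix.length);
        System.arraycopy(hash, 0, appData, prefix.length, hash.length);
        return new ChannelBinding(appData);
    }

    /** Must run before the first initSecContext() on a context used inside this LDAPS socket. */
    static void bindToTlsSession(GSSContext ctx, SSLSocket ldaps) throws GSSException,
            CertificateEncodingException, NoSuchAlgorithmException, SSLPeerUnverifiedException {
        X509Certificate leaf = (X509Certificate) ldaps.getSession().getPeerCertificates()[0];
        ctx.setChannelBinding(channelBindingFor(leaf));
    }
}
```

With the binding set, a server that enforces it (LdapEnforceChannelBinding=2 in Bernd's tests) can verify that the Kerberos authenticator was produced for this TLS session rather than relayed from another one; the JNDI/SASL GSSAPI client would need an equivalent hook to reach setChannelBinding at all.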
