A packet or streams layer for GENSEC/SASL?
Andrew Bartlett
abartlet at samba.org
Sun Feb 5 04:47:50 GMT 2006
On Sat, 2006-02-04 at 16:21 +1100, Andrew Bartlett wrote:
> I've been looking at the complexities of the GENSEC 'wrap' code for
> GSSAPI, and trying to follow the spec in the process.
>
> One of the important details that is securely negotiated between client
> and server is the maximum buffer size. Currently, there isn't a good
> way to communicate this up and down the stack, and I get the feeling
> that we are using gensec_wrap() in the 'wrong way'.
>
> It seems to me that just as gnutls is free to accept 'writes' and manage
> its own 'network socket' (by means of plugin 'read'/'write' functions),
> that is how SASL wants us to behave. A SASL layer should break up the
> LDAP packets into 4-byte prefixed SASL packets, for output on a stream
> socket.
This turns out to be a real, not just theoretical issue, with ldapsearch
failing for large searches against Samba4. I'll look into this over the
next few days.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net
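The framing the quoted message describes, as an added example that is not Samba's GENSEC code: a sender splits an already-wrapped LDAP PDU into 4-byte length-prefixed SASL packets no larger than the peer's negotiated maximum buffer size, and a stream receiver reassembles them from partial socket reads, rejecting any length field above its own advertised maximum before buffering the body. It assumes the negotiated maximum bounds the protected payload (prefix excluded) and that GSSAPI wrapping has already happened above this layer.

```python
import struct

# Four-octet length prefix in network byte order (RFC 4422 section 3.7).
SASL_LEN = struct.Struct("!I")


def sasl_frame(protected: bytes, peer_maxbuf: int) -> list[bytes]:
    """Split an already-wrapped LDAP PDU into SASL security-layer packets.

    Each packet is a length prefix plus at most peer_maxbuf payload bytes
    (assumption: the negotiated maximum counts the payload only).  The peer
    reassembles a byte stream; LDAP PDU boundaries are found by BER decoding
    above this layer, so a large ldapsearch result just becomes many packets.
    """
    if peer_maxbuf <= 0:
        raise ValueError("peer advertised no security-layer buffer")
    chunks = (protected[i:i + peer_maxbuf] for i in range(0, len(protected), peer_maxbuf))
    return [SASL_LEN.pack(len(chunk)) + chunk for chunk in chunks]


class SaslStreamReader:
    """Reassemble SASL packets from arbitrary-sized stream-socket reads."""

    def __init__(self, our_maxbuf: int) -> None:
        self.our_maxbuf = our_maxbuf   # the receive size we told the peer we accept
        self.buf = bytearray()

    def feed(self, data: bytes) -> list[bytes]:
        """Append raw socket bytes; return every payload completed so far.

        The length field is validated against our_maxbuf before the body is
        awaited, so a peer cannot make us buffer an oversized packet.
        """
        self.buf += data
        out = []
        while len(self.buf) >= SASL_LEN.size:
            (length,) = SASL_LEN.unpack_from(self.buf)
            if length > self.our_maxbuf:
                raise ValueError(f"SASL packet of {length} bytes exceeds negotiated {self.our_maxbuf}")
            if len(self.buf) < SASL_LEN.size + length:
                break  # partial packet: wait for the next read
            out.append(bytes(self.buf[SASL_LEN.size:SASL_LEN.size + length]))
            del self.buf[:SASL_LEN.size + length]
        return out


def relay(pdu: bytes, maxbuf: int, read_size: int) -> bytes:
    """Frame pdu, push the wire bytes through a reader in read_size pieces
    (simulating partial reads) and return the reassembled byte stream."""
    wire = b"".join(sasl_frame(pdu, maxbuf))
    reader = SaslStreamReader(maxbuf)
    return b"".join(p for i in range(0, len(wire), read_size) for p in reader.feed(wire[i:i + read_size]))
```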