ADV190023 | LDAP channel binding support

Isaac Boukris iboukris at gmail.com
Wed Feb 19 19:53:16 UTC 2020


On Wed, Feb 19, 2020 at 12:27 PM Isaac Boukris <iboukris at gmail.com> wrote:
>
> On Tue, Feb 18, 2020 at 5:48 PM Stefan Metzmacher <metze at samba.org> wrote:
> >
> > I looked at it a bit, see
> > https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=ac8fd11f1d4b9deb48d6c7942af0c83b52d69d7f
> >
> > I think we need input from dochelp to answer 2 questions:
> > 1. which kind of channel bindings are expected/used by windows?
> >    I assume tls-server-end-point. I guess MS-ADTS would be the place
> >    to define these details for ldaps.
>
> This blog also suggests it's tls-server-end-point (about HTTP):

It's definitely "tls-server-end-point:"; I got ldapsearch working by
hardcoding my lab server certificate just before the gss_init_sec
call, see attached.

import hashlib

# certificate_bytes_from_wireshark: hex string of the server's DER certificate,
# copied from the Wireshark packet bytes (value not shown here)
md = hashlib.sha256()
md.update(bytes.fromhex(certificate_bytes_from_wireshark))
# RFC 5929 tls-server-end-point: the literal prefix plus the certificate hash
mydata = b'tls-server-end-point:' + md.digest()
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cyrus.patch
Type: text/x-patch
Size: 1667 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20200219/1f13281f/cyrus.bin>
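As an added example (not part of this thread, the attached cyrus.patch, or Samba's own code), the following Python computes the RFC 5929 tls-server-end-point channel binding data and goes one step beyond the SHA-256 snippet above: it reads the certificate's outer signatureAlgorithm OID and picks the hash the RFC prescribes (SHA-256 when the signature hash is MD5 or SHA-1, otherwise the signature's own hash). The DER helpers, the OID table and the certificate shell are constructed for this example; with a real server, pass the DER certificate bytes to tls_server_end_point().

```python
import hashlib

# --- minimal DER helpers (constructed for this example) ---------------------

def der_read_tlv(buf, pos=0):
    """Read one DER TLV at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def der_encode(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    body = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        body.extend(reversed(chunk))
    return der_encode(0x06, bytes(body))

def decode_oid(body):
    parts, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))

# Signature algorithm OID -> hash function used by that signature (common subset)
SIG_HASH = {
    "1.2.840.113549.1.1.4": "md5",      # md5WithRSAEncryption
    "1.2.840.113549.1.1.5": "sha1",     # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": "sha256",  # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": "sha384",  # sha384WithRSAEncryption
    "1.2.840.113549.1.1.13": "sha512",  # sha512WithRSAEncryption
    "1.2.840.10045.4.1": "sha1",        # ecdsa-with-SHA1
    "1.2.840.10045.4.3.2": "sha256",    # ecdsa-with-SHA256
    "1.2.840.10045.4.3.3": "sha384",    # ecdsa-with-SHA384
    "1.2.840.10045.4.3.4": "sha512",    # ecdsa-with-SHA512
}

def signature_algorithm_oid(cert_der):
    """Dotted OID of the outer signatureAlgorithm of a DER Certificate
    (Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue })."""
    tag, cert_body, _ = der_read_tlv(cert_der)
    assert tag == 0x30, "Certificate must be a SEQUENCE"
    _, _, pos = der_read_tlv(cert_body, 0)        # skip tbsCertificate
    tag, algid, _ = der_read_tlv(cert_body, pos)   # AlgorithmIdentifier
    assert tag == 0x30
    tag, oid_body, _ = der_read_tlv(algid, 0)
    assert tag == 0x06, "AlgorithmIdentifier must start with an OID"
    return decode_oid(oid_body)

def selected_hash(cert_der):
    """RFC 5929 section 4.1: use SHA-256 if the signature hash is MD5 or SHA-1,
    otherwise the signature's own hash. Unknown OIDs fall back to SHA-256 here
    (a choice made for this example, not something the RFC specifies)."""
    h = SIG_HASH.get(signature_algorithm_oid(cert_der), "sha256")
    return "sha256" if h in ("md5", "sha1") else h

def tls_server_end_point(cert_der):
    """Channel binding data: the literal prefix followed by the certificate hash."""
    return b"tls-server-end-point:" + hashlib.new(selected_hash(cert_der), cert_der).digest()

def fake_cert_der(sig_oid):
    """A structurally valid Certificate shell with an empty tbsCertificate.
    Constructed for the example only; it is not a real X.509 certificate."""
    tbs = der_encode(0x30, b"")
    sig_alg = der_encode(0x30, encode_oid(sig_oid) + der_encode(0x05, b""))  # OID + NULL
    sig_val = der_encode(0x03, b"\x00" * 9)                                    # BIT STRING
    return der_encode(0x30, tbs + sig_alg + sig_val)

if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11", "1.2.840.10045.4.3.3"):
        cert = fake_cert_der(oid)
        print(oid, "->", selected_hash(cert), tls_server_end_point(cert).hex())
```

The bytes returned by tls_server_end_point() are what would be placed in the application_data field of the GSS channel bindings before the gss_init_sec_context call; for an RSA/SHA-256 certificate this reduces to exactly the SHA-256 computation shown in the message above.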