Patrick Monnerat via curl-library
2021-04-30 12:10:36 UTC
While attempting to implement sasl in openldap, I'm facing a
Kerberos problem.
In Curl_auth_create_gssapi_security_message(), a comment says:
/* Populate the message with the security layer, client supported receive
message size and authorization identity including the 0x00 based
terminator. Note: Despite RFC4752 Section 3.1 stating "The authorization
identity is not terminated with the zero-valued (%x00) octet." it seems
necessary to include it. */
This works as described, but the added zero-terminator fools the server,
which includes it in the authorization identity.
Do we have details about why "it seems necessary to include it"? I
checked cyrus-sasl and libgsasl: they do not append this extra zero byte.
I also plan to replace the computed identity with the sasl_authzid. Any
objection?
-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
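
The message layout under discussion, as an added example (not part of the original post and not curl's code): it builds the cleartext security message per RFC 4752 Section 3.1 with and without the trailing 0x00 and shows the identity length a receiver derives in each case. The helper names and the sample identity are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not curl code. Cleartext of the client's final GSSAPI
   SASL message (RFC 4752 section 3.1) before wrapping: 1 octet security-layer
   bitmask, 3 octets max receive size (network order), then the identity. */
static size_t build_sec_msg(unsigned char *out, size_t outlen, uint8_t layer,
                            uint32_t max_recv, const char *authzid, int add_nul)
{
  size_t idlen = strlen(authzid);
  size_t total = 4 + idlen + (add_nul ? 1 : 0);
  if(total > outlen || max_recv > 0xFFFFFF)
    return 0;                       /* does not fit, or size exceeds 24 bits */
  out[0] = layer;
  out[1] = (unsigned char)(max_recv >> 16);
  out[2] = (unsigned char)(max_recv >> 8);
  out[3] = (unsigned char)max_recv;
  memcpy(out + 4, authzid, idlen);
  if(add_nul)
    out[4 + idlen] = 0x00;          /* the extra terminator being questioned */
  return total;
}

/* Receiver's view: the identity has no length field of its own, so every
   octet after the 4-octet header belongs to the authorization identity. */
static size_t authzid_len(size_t msglen)
{
  return msglen < 4 ? 0 : msglen - 4;
}

/* Check a receiver can apply: does the identity contain a 0x00 octet? */
static int authzid_has_nul(const unsigned char *msg, size_t msglen)
{
  return msglen > 4 && memchr(msg + 4, 0x00, msglen - 4) != NULL;
}

int main(void)
{
  unsigned char buf[64];
  const char *id = "user@EXAMPLE.COM";  /* constructed sample identity */
  size_t n = build_sec_msg(buf, sizeof(buf), 0x01, 0, id, 1);
  printf("with 0x00: identity is %zu octets, contains NUL: %d\n",
         authzid_len(n), authzid_has_nul(buf, n));
  n = build_sec_msg(buf, sizeof(buf), 0x01, 0, id, 0);
  printf("per RFC:   identity is %zu octets, contains NUL: %d\n",
         authzid_len(n), authzid_has_nul(buf, n));
  return 0;
}
```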