Wireshark-bugs: [Wireshark-bugs] [Bug 3440] Failure to dissect long SASL wrapped LDAP response
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3440
--- Comment #4 from Graeme Lunt <graeme@xxxxxxxxxxx> 2009-07-06 06:05:07 PDT ---
(In reply to comment #3)
> > As I see it, the LDAP dissector currently knows if SASL authentication was
> > used, but not if SASL integrity or confidentiality services have been negotiated
> > (requested by the client). If it knew a security layer had been negotiated,
> > then it would know that any PDU was SASL, regardless of the PDU size.
>
> I guess otherwise there is no reason for the code to be like it is ... at the
> same time is it possible to negotiate SASL auth without SASL
> integrity/confidentiality ... ?
It is perfectly possible to negotiate SASL auth with SASL
integrity/confidentiality. Certainly it can be done with Kerberos.
> > Would that be a sensible solution?
> The simple one (but the most likely to hit a barrier sooner or later ...) is to
> go to 16MB (well, I hope not to see such an LDAP message so soon, but with MS
> worse is always an option!). As it corresponds to 0x00 on the first byte and
> FF FF FF on the 3 others.
I think this is a bit cumbersome and the limit will always be hit by someone.
A lot of ADS/LDS services use SASL GSSAPI with integrity.
> Because the real solution would be to follow this rfc for SSL
>
> http://www.ietf.org/rfc/rfc2830.txt
SSL/TLS is something different - it provides network authentication and
confidentiality services. It is something SASL can use to provide application
authentication (using the SASL EXTERNAL mechanism), but I would expect that
additional SASL integrity/confidentiality layers are not negotiated with this
mechanism.
If you are using Kerberos (SASL GSSAPI) as you indicate, then switching to SSL
is probably not what you want to do.
> Which indicates that we should search for a special OID indicating the starttls
> start (I guess this should occur before the bind ...).
It can occur at any point in the LDAP conversation.
> But for distinguishing LDAP with SASL from LDAP without it, the ldap dissector
> should receive a notification from the authentication dissector (GSSAPI) of
> which attributes (security/integrity/...) have been negotiated (have fun ...)
>
> Third way might be to first try a normal dissection, then an ssl and then a sasl
> one (and we stop once we have a valid ldap message).
There is certainly a possibility to try LDAP and SASL.
Graeme
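The three ways of telling a plain LDAPMessage from a SASL-wrapped buffer discussed in this thread (a fixed size ceiling, a bind-time record that a security layer was negotiated, and "try LDAP, then SASL") can be compared on a few constructed byte strings. The Python below is an added example by the editor; it is not Wireshark code and not part of the bug report. The function and constant names are assumptions, and the three sample segments are constructed here: a minimal simple-bind LDAPMessage, a small SASL buffer, and the leading bytes of a SASL buffer whose 4-octet length prefix (RFC 4422 section 3.7 framing) is larger than the 16 MB ceiling proposed in comment #3.

```python
import struct

LDAP_MESSAGE_TAG = 0x30      # BER SEQUENCE: every LDAPMessage begins with this tag
BER_INTEGER_TAG = 0x02       # first element of an LDAPMessage is messageID INTEGER
PROPOSED_LIMIT = 0x00FFFFFF  # the 16 MB ceiling suggested in comment #3 (assumed name)


def ber_header(buf):
    """Parse a BER tag and definite length. Returns (tag, length, header_len) or None."""
    if len(buf) < 2:
        return None
    tag, first = buf[0], buf[1]
    if first < 0x80:                        # short form: length fits in 7 bits
        return tag, first, 2
    n = first & 0x7F                        # long form: n length octets follow
    if n == 0 or n > 4 or len(buf) < 2 + n:
        return None                         # indefinite or oversize length: not LDAP
    return tag, int.from_bytes(buf[2:2 + n], "big"), 2 + n


def looks_like_ldap_message(buf):
    """True if buf starts with SEQUENCE { INTEGER ... }, the outer shape of an LDAPMessage."""
    hdr = ber_header(buf)
    if hdr is None or hdr[0] != LDAP_MESSAGE_TAG:
        return False
    _, _, hlen = hdr
    return len(buf) > hlen and buf[hlen] == BER_INTEGER_TAG


def classify_pdu(buf, security_layer=None, fixed_limit=None):
    """Decide how the bytes at the start of a TCP segment should be dissected.

    security_layer: True/False when the outcome of the bind is known (Graeme's
                    suggestion), None when the dissector has to guess.
    fixed_limit:    optional SASL length ceiling (the comment #3 proposal); only
                    consulted when guessing.
    Returns ("ldap", pdu_len), ("sasl", wrapped_len) or ("unknown", None).
    """
    if security_layer is True:
        # Integrity/confidentiality negotiated: every buffer is 4-octet length + token,
        # whatever its size. No heuristic and no ceiling needed.
        if len(buf) < 4:
            return "unknown", None
        return "sasl", struct.unpack("!I", buf[:4])[0]

    if security_layer is False:
        # No security layer: the stream carries bare BER-encoded LDAPMessages.
        hdr = ber_header(buf)
        if hdr is None or hdr[0] != LDAP_MESSAGE_TAG:
            return "unknown", None
        return "ldap", hdr[2] + hdr[1]

    # Unknown state: "try LDAP, then SASL". A SASL length prefix would only start with
    # 0x30 for a buffer of 0x30000000 octets or more, so the BER check is a safe first try.
    if looks_like_ldap_message(buf):
        _, length, hlen = ber_header(buf)
        return "ldap", hlen + length
    if len(buf) >= 4:
        sasl_len = struct.unpack("!I", buf[:4])[0]
        if fixed_limit is not None and sasl_len > fixed_limit:
            return "unknown", None          # this is where a fixed ceiling gives up
        return "sasl", sasl_len
    return "unknown", None


# Constructed sample segments (not captured traffic):
# LDAPMessage { messageID 1, bindRequest { version 3, name "", simple "" } }
LDAP_BIND = bytes.fromhex("300c020101600702010304008000")
# 64-octet SASL buffer: length prefix 0x40, then a RFC 4121 wrap token id (05 04) and padding
SASL_SMALL = struct.pack("!I", 0x40) + bytes.fromhex("0504") + b"\x00" * 62
# Head of a SASL buffer whose length (16 MB + 16 octets) exceeds the proposed ceiling;
# only the first 20 octets are constructed here, enough for the framing decision
SASL_LARGE = struct.pack("!I", 0x01000010) + bytes.fromhex("050406ff") + b"\x00" * 12

if __name__ == "__main__":
    for name, seg in (("LDAP_BIND", LDAP_BIND), ("SASL_SMALL", SASL_SMALL), ("SASL_LARGE", SASL_LARGE)):
        print(name, "guess:", classify_pdu(seg),
              "with 16MB limit:", classify_pdu(seg, fixed_limit=PROPOSED_LIMIT),
              "layer known:", classify_pdu(seg, security_layer=True))
```

The `security_layer` branch is the point Graeme makes: once the dissector records what the GSSAPI exchange negotiated, no size guess is involved, and the large buffer dissects like any other. The `fixed_limit` branch reproduces the comment #3 proposal and shows that it is exactly a long SASL-wrapped response that falls outside it; the "try LDAP, then SASL" branch works on these inputs because a real LDAPMessage starts with SEQUENCE followed by the messageID INTEGER, a pattern a SASL length prefix cannot produce below 0x30000000 octets.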