SASL binds - Rambling...
Sam Hartman
hartmans at mit.edu
Mon Mar 2 19:18:57 CET 2015
>>>>> "Arran" == Arran Cudbard-Bell <a.cudbardb at freeradius.org> writes:
Arran> Regarding LSA/SSPI, I was lead to believe by the Microsoft
Arran> docs that LSA plugins could be called via the SSPI interface,
Arran> with the SSPI interface being accessible from LDAP SASL
Arran> binds.
Uh, sort of.
SSPI is a lot closer to GSS-API than to SASL.
Microsoft doesn't really have a good layer for implementing the layer
that would bridge between SASL and SSPI/GSS-API.
The gss-eap SSP (RFC 7055/Moonshot as an SSP) has never been tested
interoperably as a SASL mechanism. I suspect it would work between two
Windows boxes for some applications, bxut very much not work say between
a Windows box and cyrus-sasl or gsasl.
It's possible work could be done along these lines if someone wanted to,
but it won't come cheaply. writing an SSP tends to be fairly involved
and tends to involve fairly complex/lrong/expensive debugging sessions.
Sam hartman
Principal Consultant
Painless Security, LLC
More information about the Freeradius-Devel
mailing list