SASL binds - Rambling...

Sam Hartman hartmans at
Mon Mar 2 19:18:57 CET 2015

>>>>> "Arran" == Arran Cudbard-Bell <a.cudbardb at> writes:

    Arran> Regarding LSA/SSPI, I was lead to believe by the Microsoft
    Arran> docs that LSA plugins could be called via the SSPI interface,
    Arran> with the SSPI interface being accessible from LDAP SASL
    Arran> binds.

Uh, sort of.
SSPI is a lot closer to GSS-API than to SASL.
Microsoft doesn't really have a good layer for implementing the layer
that would bridge between SASL and SSPI/GSS-API.

The gss-eap SSP (RFC 7055/Moonshot as an SSP) has never been tested
interoperably as a SASL mechanism.  I suspect it would work between two
Windows boxes for some applications, bxut very much not work say between
a Windows box and cyrus-sasl or gsasl.

It's possible work could be done along these lines if someone wanted to,
but it won't come cheaply.  writing an SSP tends to be fairly involved
and tends to involve fairly complex/lrong/expensive debugging sessions.

Sam hartman
Principal Consultant
Painless Security, LLC

More information about the Freeradius-Devel mailing list