negotiate auth
Milosz Kmieciak
milosz at kmieciak.eu
Tue Aug 5 09:47:15 EDT 2008
2008/8/5 Joe Orton <joe at manyfish.co.uk>:
> On Tue, Aug 05, 2008 at 12:22:11PM +0000, Milosz Kmieciak wrote:
>> Hello,
>>
>> I am trying to use negotiate auth mechanism (spnego + gss), and as I
>> can see all gss-connected routines are in ne_auth.c source code. My
>> problem is - how can I set the mechanism oid (gss_OID gssmech field in
>> auth_session)? I can not find even where it is being set at init time
>> (ex. GSS_C_NO_OID).
>
> It's not set, it's left as GSS_C_NO_OID for gss_init_sec_context to
> determine appropriately.
In my opinion leaving gssmech not set (== NULL) is quite risky. I am
not sure, but it does not mean that the GSS implementation will choose
GSS_C_NO_OID, and this can produce strange behavior. As I look into the
heimdal (1.2) GSS implementation:

    if (mech_type == NULL)
        mech_type = GSS_KRB5_MECHANISM;

it is the krb mechanism being set, not the default one.
> There is no API to change this, though I've wondered about adding an API
> for some other GSSAPI options, notably whether or not to delegate
> credentials. Can you explain why/how you'd want to set the OID
> differently?
So it would be nice to set gssmech explicitly, either to the
implementation's default mech or to whatever you like (for testing
especially). In my case I would like to set it to a custom mech (saml2)
or, in the worst case, to the default one (spnego).
Cheers
--
Milosz Kmieciak
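Added example (not code from neon, heimdal, or either poster): a gss_OID is a {length, elements} pair whose elements are the DER contents of the OID, so pointing gssmech at an explicit mechanism means building those bytes. The block below encodes a dotted OID string into that form, defines the well-known SPNEGO (1.3.6.1.5.5.2) and Kerberos V5 (1.2.840.113554.1.2.2) mechanism OIDs, and mirrors the heimdal substitution quoted above in effective_mech(), which shows that passing NULL (GSS_C_NO_OID) yields Kerberos rather than "let the library pick". The gss_OID_desc struct is re-declared locally (same layout as RFC 2744) so the file builds without libgssapi; MY_GSS_C_NO_OID, oid_from_dotted and effective_mech are names chosen for this example, not GSSAPI or neon API.

```c
/* Added example, not neon/heimdal code: build gss_OID values for explicit
 * mechanism selection and show what a NULL mechanism actually turns into. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Local re-declaration of the RFC 2744 gss_OID type, to avoid <gssapi/gssapi.h>. */
typedef struct {
    uint32_t length;
    void *elements;
} gss_OID_desc, *gss_OID;

#define MY_GSS_C_NO_OID ((gss_OID)0)   /* stands in for GSS_C_NO_OID, which is NULL */

/* Encode one OID arc in base-128, high bit set on every byte but the last.
 * Returns the number of bytes written. */
static size_t put_arc(unsigned char *out, unsigned long v) {
    unsigned char tmp[10];
    size_t n = 0;
    do { tmp[n++] = (unsigned char)(v & 0x7f); v >>= 7; } while (v);
    for (size_t i = 0; i < n; i++)
        out[i] = (unsigned char)(tmp[n - 1 - i] | (i + 1 < n ? 0x80 : 0));
    return n;
}

/* Convert a dotted OID such as "1.3.6.1.5.5.2" into a heap-allocated gss_OID
 * (free with oid_free). Returns NULL on malformed input. */
gss_OID oid_from_dotted(const char *dotted) {
    unsigned long arcs[32];
    size_t narcs = 0;
    const char *p = dotted;
    while (*p && narcs < 32) {
        char *end;
        if (*p < '0' || *p > '9') return NULL;
        arcs[narcs++] = strtoul(p, &end, 10);
        if (*end == '.') p = end + 1;
        else if (*end == '\0') break;
        else return NULL;
    }
    /* First arc is 0, 1 or 2; second arc is limited to 0..39 unless first is 2. */
    if (narcs < 2 || arcs[0] > 2 || (arcs[0] < 2 && arcs[1] > 39)) return NULL;
    unsigned char buf[10 * 32];
    size_t len = put_arc(buf, arcs[0] * 40 + arcs[1]);   /* first two arcs share one value */
    for (size_t i = 2; i < narcs; i++) len += put_arc(buf + len, arcs[i]);
    gss_OID oid = malloc(sizeof *oid);
    if (!oid) return NULL;
    oid->elements = malloc(len);
    if (!oid->elements) { free(oid); return NULL; }
    memcpy(oid->elements, buf, len);
    oid->length = (uint32_t)len;
    return oid;
}

int oid_equal(const gss_OID a, const gss_OID b) {
    return a && b && a->length == b->length &&
           memcmp(a->elements, b->elements, a->length) == 0;
}

void oid_free(gss_OID o) { if (o) { free(o->elements); free(o); } }

/* Well-known mechanism OIDs as DER contents (these byte values are standard). */
static unsigned char spnego_bytes[] = {0x2b,0x06,0x01,0x05,0x05,0x02};             /* 1.3.6.1.5.5.2 */
static unsigned char krb5_bytes[]   = {0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02}; /* 1.2.840.113554.1.2.2 */
gss_OID_desc spnego_oid = { sizeof spnego_bytes, spnego_bytes };
gss_OID_desc krb5_oid   = { sizeof krb5_bytes,   krb5_bytes };

/* Mirrors the heimdal default quoted in the mail: a NULL mech_type silently
 * becomes Kerberos V5. Passing an explicit OID (e.g. &spnego_oid) is the only
 * way to get that mechanism. */
gss_OID effective_mech(gss_OID requested) {
    return requested == MY_GSS_C_NO_OID ? &krb5_oid : requested;
}

int main(void) {
    gss_OID parsed = oid_from_dotted("1.3.6.1.5.5.2");
    printf("parsed SPNEGO matches table: %s\n", oid_equal(parsed, &spnego_oid) ? "yes" : "no");
    printf("NULL mech resolves to Kerberos: %s\n",
           oid_equal(effective_mech(MY_GSS_C_NO_OID), &krb5_oid) ? "yes" : "no");
    oid_free(parsed);
    return 0;
}
```

The interesting line for the thread is effective_mech(): with the quoted heimdal behaviour, "leave it unset" and "choose Kerberos" are the same thing, so a caller that wants SPNEGO or a custom mechanism has to hand gss_init_sec_context a real OID.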