How can I set SASL security options? I want to use LDAP with SASL/GSSAPI and control the maxssf security setting. Is this part of Net::LDAP or Authen::SASL?
Thank you
Markus
At the moment I use Authen::SASL as follows
use Net::LDAPS;
use Authen::SASL;
use Authen::Krb5;
....
# connect over LDAPS (TLS on port 636); the server certificate is not verified here
my $ldap = Net::LDAPS->new( $server,
    port    => 636,
    timeout => 2,
    verify  => 'never',
    version => 3 ) or die "$@";
# Kerberos (GSSAPI) SASL mechanism; the user name comes from the ticket cache
my $sasl = Authen::SASL->new( 'GSSAPI', 'user' => '' );
my $mesg = $ldap->bind( '', sasl => $sasl );
$mesg->code && die $mesg->error;
...
and get the error:
00002029: LdapErr: DSID-0C09016D, comment: Cannot start kerberos
signing/sealing when using TLS/SSL, data 0, vece at ./LDAP-AD-query.pl line
82.
I read that there is a property setting possible with Authen::SASL but can't
find an example of how to do it outside of Net::LDAP.
Would it be possible to modify Net::LDAP to set SSF to 0 if LDAPS or
start_tls is used?
Thank you
Markus
Has nobody else experienced my problem? Any hint on how I could debug it?
Thank you
Markus
"Markus Moeller" <huaraz@moeller.plus.com> wrote in message
news:fqev0p$7sq$1@ger.gmane.org...
> At the moment I use Authen:SASL as follows
>
> use Net::LDAPS;
> use Authen::SASL;
> use Authen::Krb5;
> ....
> $ldap = Net::LDAPS->new( $server,
> port => 636,
> timeout => 2,
> verify => 'never',
> version => 3) or die "$@";
>
> $sasl = Authen::SASL->new('GSSAPI', 'user' => '');
> $mesg = $ldap->bind( '',
> sasl => $sasl) ;
>
> $mesg->code && die $mesg->error;
> ...
>
> and get the error:
>
> 00002029: LdapErr: DSID-0C09016D, comment: Cannot start kerberos
> signing/sealing when using TLS/SSL, data 0, vece at ./LDAP-AD-query.pl
> line
> 82.
>
> I read that there is a property setting possible with Authen::SASL but
> can't find an example how to outside of Net::LDAP.
>
> Would it be possible to modify Net::LDAP to set SSF to 0 if LDAPS or
> start_tls is used ?
>
> Thank you
> Markus
I got a bit further with my problem. I first modified Net::LDAP.pm (line
392) by adding ssf to the connection property when using SASL.
$sasl_conn->property(
    sockname => $ldap->{net_ldap_socket}->sockname,
    peername => $ldap->{net_ldap_socket}->peername,
    ssf      => 0,
);
This fails with a decoding error during bind:
Decoding error at ./LDAP-AD-query.pl line 87.
But when using SASL::Perl and modifying NET::LDAP.pm by adding maxssf to the
connection property I can connect with SSL and SASL/GSSAPI to Active
Directory.
$sasl_conn->property(
    sockname => $ldap->{net_ldap_socket}->sockname,
    peername => $ldap->{net_ldap_socket}->peername,
    maxssf   => 0,
);
Now my question is: what is the best method to get the maxssf setting from my
Perl script into the LDAP connection setup? I would think the best would
be to add an option to SASL->new, e.g. connection_property => { maxssf => 0,
.... }, which can then be used in LDAP.pm, e.g.
$sasl_conn->property(
    sockname => $ldap->{net_ldap_socket}->sockname,
    peername => $ldap->{net_ldap_socket}->peername,
);
# apply every extra property the caller passed to Authen::SASL->new
# (assumes new() keeps the connection_property hash in the object)
my $extra = $sasl->{connection_property} || {};
for my $name ( keys %$extra ) {
    $sasl_conn->property( $name => $extra->{$name} );
}
As you can see I am not a Perl programmer. Any suggestion on how best to
implement this?
Thank you
Markus
"Markus Moeller" <huaraz@moeller.plus.com> wrote in message
news:fulmai$7q5$1@ger.gmane.org...
> Does nobody else experienced my problem ? Any hint how I could debug it ?
>
> Thank you
> Markus
>
>
> "Markus Moeller" <huaraz@moeller.plus.com> wrote in message
> news:fqev0p$7sq$1@ger.gmane.org...
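One way to get the maxssf setting into the connection without patching Net::LDAP.pm is to subclass Authen::SASL and apply the extra properties in client_new(), which Net::LDAP calls itself before it sets sockname/peername and runs client_start(). The example below is added here; it is not code from the thread or from the Net::LDAP or Authen::SASL projects. The subclass name Authen::SASL::WithProps, its connection_property option, the host name and the CA file path are all assumptions; the maxssf => 0 property is the one the thread reports as working with the pure-Perl SASL backend.

```perl
use strict;
use warnings;
use Net::LDAPS;
use Authen::SASL;   # GSSAPI mechanism provided by the Authen::SASL::Perl backend

# Hypothetical subclass: remembers extra connection properties and applies
# them to every SASL client connection it hands out.
package Authen::SASL::WithProps;
our @ISA = ('Authen::SASL');

sub new {
    my ( $class, %args ) = @_;
    # connection_property is an assumed option, not part of Authen::SASL->new
    my $props = delete $args{connection_property} || {};
    my $self  = $class->SUPER::new(%args);
    $self->{connection_property} = $props;
    return $self;
}

sub client_new {
    my $self = shift;
    my $conn = $self->SUPER::client_new(@_);
    # Net::LDAP calls client_new() then property(sockname/peername) then
    # client_start(), so anything set here is in place before the exchange.
    if ( $conn->can('property') && %{ $self->{connection_property} } ) {
        $conn->property( %{ $self->{connection_property} } );
    }
    return $conn;
}

package main;

my $server = 'dc1.example.internal';    # placeholder, not from the thread

my $ldap = Net::LDAPS->new(
    $server,
    port    => 636,
    timeout => 2,
    verify  => 'require',                 # verify the server certificate
    cafile  => '/etc/ssl/certs/ca.pem',   # placeholder CA bundle path
    version => 3,
) or die "LDAPS connect failed: $@";

# The TLS channel already provides integrity and confidentiality, so tell the
# GSSAPI mechanism not to negotiate a Kerberos security layer (maxssf => 0).
# Only do this on an encrypted connection; on plain ldap:// it would leave the
# session unprotected.
my $sasl = Authen::SASL::WithProps->new(
    mechanism           => 'GSSAPI',
    callback            => { user => '' },
    connection_property => { maxssf => 0 },
);

my $mesg = $ldap->bind( sasl => $sasl );
die 'SASL/GSSAPI bind failed: ' . $mesg->error if $mesg->code;

print "Bound with GSSAPI over LDAPS\n";
$ldap->unbind;
```

The subclass keeps the installed Net::LDAP untouched, so upgrades do not undo the change, and the property is applied at the same point where the thread's hand edit put it. The thread only reports success with the Authen::SASL::Perl backend, whose property() stores arbitrary keys; check what your installed backend accepts before relying on the same name elsewhere.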