Open Oleg-Mishenkin opened 8 years ago
SPNEGO ("Simple and Protected GSSAPI Negotiation Mechanism") is a mechanism to negotiate the choice of security method. It's useful if two ends want to communicate to each other but don't know what mechanism the other end "speaks".
From How LDAP Authentication works with Active Directory and the UWWI:
The GSS-SPNEGO authentication mechanism (RFC4178) is actually the GSSAPI authentication mechanism but with a client-server negotiation mechanism that provides for selection of the preferred security mechanism that both client and server support. In this case, the server will prefer Kerberos then NTLMv2 then NTLM (UWWI does not support LM). For that reason, refer to the GSSAPI authentication mechanism for further details.
What will happen when the LDAP server supports neither GSS-SPNEGO nor GSSAPI by default, as in my case? A negotiation error will occur. I see ASN1.makeoctstr('GSS-SPNEGO') in your source code in NTLM_AD_Proxy.js. Might it be better to allow customizing the authentication method? Thank you!
I agree that GSSAPI makes sense to support, although it will probably need some serious changes to the code. Keep in mind that I officially only support Active Directory so far.
I marked this as an enhancement, so I can add GSSAPI support in a future release.
Are there any other mechanisms apart from GSS-SPNEGO and GSSAPI to support?
When connecting to an OpenLDAP server, there is an error in the response saying that GSS-SPNEGO is not supported on the OpenLDAP server side. Can I change the authentication mode to GSSAPI, for example?
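One way to make the SASL mechanism configurable instead of hard-coding `GSS-SPNEGO` as the issue describes: read the mechanisms the server advertises in its root DSE (`supportedSASLMechanisms`), pick the first one from a client preference list, and BER-encode the LDAPv3 SASL BindRequest with that choice. This is an added example, not NTLM_AD_Proxy.js code; the `ber` helper, `chooseSaslMechanism` and `buildSaslBindRequest` names and the sample mechanism list are assumptions.

```javascript
// Added example (not NTLM_AD_Proxy.js code): pick a SASL mechanism the server
// actually offers, then build an LDAPv3 SASL BindRequest with it.

// Minimal BER TLV encoder (assumed helper; handles bodies up to 65535 bytes).
function ber(tag, body) {
  const len = body.length;
  const lenBytes = len < 0x80 ? [len]
    : len < 0x100 ? [0x81, len]
    : [0x82, len >> 8, len & 0xff];
  return Buffer.concat([Buffer.from([tag, ...lenBytes]), body]);
}
const berInt = (n) => ber(0x02, Buffer.from([n]));          // INTEGER, 0..127
const berOctStr = (s) => ber(0x04, Buffer.from(s, 'utf8'));  // OCTET STRING

// Return the first client-preferred mechanism present in the server's
// supportedSASLMechanisms list, or null. Returning null (rather than quietly
// binding with whatever is left) is what lets the caller report a clear
// "mechanism not supported" error instead of a cryptic negotiation failure.
function chooseSaslMechanism(serverMechs, preference = ['GSS-SPNEGO', 'GSSAPI']) {
  const offered = new Set(serverMechs.map((m) => m.toUpperCase()));
  return preference.find((m) => offered.has(m.toUpperCase())) || null;
}

// LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp BindRequest }
// BindRequest ::= [APPLICATION 0] SEQUENCE { version INTEGER, name LDAPDN,
//   authentication [3] SaslCredentials { mechanism OCTET STRING,
//                                        credentials OCTET STRING OPTIONAL } }
function buildSaslBindRequest(messageId, mechanism, token) {
  const sasl = ber(0xa3, Buffer.concat([                      // [3] constructed
    berOctStr(mechanism),
    token ? ber(0x04, token) : Buffer.alloc(0),               // omit if absent
  ]));
  const bind = ber(0x60, Buffer.concat([berInt(3), berOctStr(''), sasl]));
  return ber(0x30, Buffer.concat([berInt(messageId), bind]));
}

// Constructed sample: a root DSE list like one an OpenLDAP server might return.
const sampleServerMechs = ['DIGEST-MD5', 'GSSAPI', 'CRAM-MD5'];
const chosen = chooseSaslMechanism(sampleServerMechs);        // 'GSSAPI'
const request = buildSaslBindRequest(1, chosen, Buffer.from([0x60, 0x00]));
console.log(chosen, request.toString('hex'));
```

The `ASN1.makeoctstr('GSS-SPNEGO')` call mentioned in the issue corresponds to the `berOctStr(mechanism)` element here; making `mechanism` a parameter is the customization being asked for.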