
Re: Kerberos 5 Support for OpenLDAP-release



On Wed, 22 Sep 1999, Kurt D. Zeilenga wrote:

> Booker Bense wrote:
> > 
> > On Wed, 22 Sep 1999, Kurt D. Zeilenga wrote:
> > 
> > > deprecate != purge necessarily...
> > > But considering that the krb4 code is broken and no one has stepped
> > > forward to fix it...
> > 
> > - How is it broken? We use the Umich K4 ldap auth method extensively
> > here at Stanford, I'd hate to see that disappear in the 2.0 release.
> > I can probably find enough tuits to fix any egregious bugs...
> 
> ITS#109: Kerberos binds broke when clients moved to ldap_init()

- Well, here's what I've found so far. The Kerberos code is attempting
to find the name of the host (more or less) at line 276 in kbind.c

	  krbinstance = ld->ld_defconn->lconn_krbinstance;

- Unfortunately, ld->ld_defconn is null at this point. What
krbinstance should be is the canonical hostname of the machine that
you want to connect to without the domain name. For example: 

	At Stanford, directory.stanford.edu expands to
boron.stanford.edu, which Kerberos 4 will truncate to boron.
(Kerberos 5 gets this right and doesn't require this kind
of truncation.)

- I don't know enough of the logic of how ldap_init works to know
what the right thing to do here is. I think I could cobble up a patch
using ldo_defhost, but I'm not sure that's the correct thing to do.
I looked at ITS 268, and the more that I think about it the more
I'm convinced that the ticket has to be constructed after the
connection is opened. Yick, this is messy.

- Booker C. Bense
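The two points in the post above, as an added example that is not from the thread or from OpenLDAP's kbind.c: `ld_defconn` must not be dereferenced while it is still NULL after ldap_init(), and the Kerberos 4 instance is the canonical hostname cut at the first dot. The `ldap_ctx`/`conn` structs are simplified stand-ins for the fields named in the message (assumed, not OpenLDAP's real layouts), and the fallback to `ldo_defhost` is the poster's tentative idea, not a confirmed fix.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Simplified stand-ins for the OpenLDAP fields named in the thread
 * (assumption: the real ld_defconn / lconn_krbinstance / ldo_defhost
 * structures are larger and laid out differently). */
struct conn { const char *lconn_krbinstance; };
struct ldap_ctx {
    struct conn *ld_defconn;   /* NULL until a connection is actually opened */
    const char  *ldo_defhost;  /* host handed to ldap_init() */
};

/* Kerberos 4 instance: canonical hostname truncated at the first dot and
 * lowercased (K4 instances are lowercase); "boron.stanford.edu" -> "boron".
 * Returns 0 on success, -1 on bad input or if the result would not fit. */
int krb4_instance_from_host(const char *canon_host, char *out, size_t outlen)
{
    size_t i;
    if (canon_host == NULL || outlen == 0) return -1;
    for (i = 0; canon_host[i] != '\0' && canon_host[i] != '.'; i++) {
        if (i + 1 >= outlen) return -1;       /* no room for the NUL */
        out[i] = (char)tolower((unsigned char)canon_host[i]);
    }
    if (i == 0) return -1;                    /* empty first label */
    out[i] = '\0';
    return 0;
}

/* Lookup that survives the state described in the post: if no connection
 * exists yet, do not touch ld_defconn; derive the instance from the
 * ldap_init() host instead (the poster's suggested, unconfirmed fallback). */
int ldap_krbinstance(const struct ldap_ctx *ld, char *out, size_t outlen)
{
    if (ld == NULL) return -1;
    if (ld->ld_defconn != NULL && ld->ld_defconn->lconn_krbinstance != NULL) {
        if (strlen(ld->ld_defconn->lconn_krbinstance) >= outlen) return -1;
        strcpy(out, ld->ld_defconn->lconn_krbinstance);
        return 0;
    }
    return krb4_instance_from_host(ld->ldo_defhost, out, outlen);
}
```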