
Re: OPENLDAP_REL_ENG_2 -> 2.0.8



We've got the Kerberos IV kbind support in OpenLDAP 2.0.6 working fine here.
At some point in the reasonably near future, we're hoping to move our
widely deployed OpenLDAP 1.2.11 over to 2.x.  This will be much more difficult
if kbind has been ripped out.  As such, we're willing to continue supporting
it.

:wes

--On Saturday, March 24, 2001 5:43 PM -0800 "Kurt D. Zeilenga" <Kurt@OpenLDAP.org> wrote:

As far as I'm concerned, OpenLDAP's direct support for
Kerberos IV (kbind and "{KERBEROS}") is "unsupported".
One of these days I might even rip it out completely...
as Cyrus SASL supports KERBEROS_IV and PAM, that day
might come soon.
         - Kurt

At 04:44 PM 3/24/01 -0800, Booker C. Bense wrote:
>On Fri, 23 Mar 2001, Michael Ströder wrote:
>
>> Another one (with Kerberos enabled):
>>
>> cc -I/usr/local/sasl/include -I/usr/local/krb5/include -O2 -g
>> -I../../include        -I../../include   -I/usr/local/sasl/include
>> -I/usr/local/krb5/include -O2 -g     -c -o auth.o auth.c
>> In file included from auth.c:37:
>> ud.h:269: conflicting types for `des_string_to_key'
>> /usr/local/krb5/include/kerberosIV/des.h:142: previous declaration
>> of `des_string_to_key'
>
>
>- For whatever reason, the k4 des emulation library in MIT's krb5
>code has the same function names, but different prototypes for
>some of the des library routines. I think this is a bug in the
>MIT code and will be submitting patches.
>
>- All I can suggest for now is to use KTH's krb4 libraries
>for the k4 stuff. Unless you are using the k4 SASL method,
>the kerberos 4 support in the original Umich code should
>be deprecated if at all possible. If you really want to try
>and accommodate this brokenness in the MIT libraries, I would
>suggest looking into the configure.in section and setting
>some ifdef such as
>
>#define BROKEN_MIT_DES
>
>- You can tell the MIT stuff since it is the only one that
>puts krb.h in include/kerberosIV.
>
>
>> auth.c: In function `krbgetpass':
>> auth.c:368: warning: passing arg 2 of `des_string_to_key' from
>> incompatible pointer type
>> make[2]: *** [auth.o] Error 1
>> make[2]: Leaving directory
>> `/home/michael/src/openldap2-dev/ldap/clients/ud'
>> make[1]: *** [all-common] Error 1
>> make[1]: Leaving directory
>> `/home/michael/src/openldap2-dev/ldap/clients'
>> make: *** [all-common] Error 1
>>
>
>- On a secondary note: It's less than ideal for ud to be asking for a
>password to get a kerberos tgt. While there is no technical reason not
>to, going from password to tgt is where K4 gets ugly. Better to
>confine that nastiness to the kinit program that comes with the
>kerberos code than to try and duplicate it in ud. This is standard
>practice with most of the various unix kerberos clients such as telnet
>and rlogin.
>
>- Booker C. Bense