[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: can I use a kerberos ticket with ldapsearch (and ldap libraries)

To: hyc@highlandsun.com
Subject: RE: can I use a kerberos ticket with ldapsearch (and ldap libraries)
From: Luke Howard <lukeh@PADL.COM>
Date: Mon, 22 Apr 2002 23:52:48 +1000
Cc: torriem@cs.byu.edu, openldap-software@OpenLDAP.org
Organization: PADL Software Pty Ltd
Versions: dmail (bsd44) 2.4/makemail 2.9b

>This is a limitation of the GSSAPI spec itself, the standard doesn't provide
>an API for setting this option. The Heimdal library provides a function
>"gsskrb5_register_acceptor_identity" for this purpose, but no one uses it
>since it is not part of the GSSAPI standard. The MIT library is hardcoded to
>use the system default keytab. Perhaps you should contact the authors of the
>GSSAPI standard and lobby them to revise the spec to allow setting of
>arbitrary mech-specific options to address this problem.

With MIT, you can declare krb5_overridekeyname and set it to some
arbitary string. Pretty ugly, yes.

-- Luke

--
Luke Howard | lukehoward.com
PADL Software | www.padl.com

Prev by Date: Antwort: Re: Restrict Access to Hosts
Next by Date: inetLocalMailRecipient problem
Index(es):
- Chronological
- Thread