
Re: custom LDAP client with kerberos



Thanks much for your reply, Kurt.

Here is the next set of questions.

Do both the client and the server have to support SASL with GSSAPI or is that only required for the client?

Does the user's password ever get sent to the server? My guess is that it should not since the kerberos libraries
should do the password authentication.

Does a kinit have to precede the authentication attempt by the client or does the ldap_sasl_bind_s take care of that?

And lastly, since my client has to be able to decide the bind type at run time, I am assuming that my code must take
that into consideration and decide which bind to use: ldap_bind_s or ldap_sasl_bind_s. Is my assumption correct?


Kurt D. Zeilenga said:
> At 08:11 AM 2/5/2003, Jeff Greer wrote:
>>Is it required to have SASL support compiled in to be able to use any of the kerberos bind types?
>
> No, but you need to realize that these bind mechanisms are for
> LDAPv2 (deprecated) and KerberosV4 (deprecated).   The standard
> way to do LDAPv3 KerberosV5 authentication is by using the
> SASL/GSSAPI mechanism.
>
> Kurt


--
Jeff Greer
Technical Support Consultant
Fretwell-Downing, Inc.
Phone: (913) 239-1214
