
RE: back-ldap & GSSAPI



> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of Quanah Gibson-Mount

> Hello,

> in reading the back-ldap man page, I don't see that it is possible to proxy
> via GSSAPI.  In the case I'm looking at, we'd have a machine running slapd,
> that would have its own authcId.  It would use that authcId when proxying
> requests to get the information it wants from our openldap servers.  Am I
> correct thinking this can't be done with back-ldap as it currently stands?

Not entirely sure of what you mean by proxying, since it has two different
meanings that may be relevant here. But I'm fairly sure the answer for 2.1 is
it can't be done.

back-ldap forwards requests using the same ID/credentials that it received.
This only works for simple binds. It could be made to work for other
mechanisms by way of the Proxy Authorization control. Perhaps this would be a
good feature to add in a future release. Certainly I would prefer to see it
behave this way; it would make connection management much much simpler.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
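
The Proxy Authorization control mentioned in the reply above, as an added example that is not part of the original message or of OpenLDAP's code: a proxy that has bound with its own identity attaches this control to name the client it is acting for. The layout follows RFC 4370, the later standardized form of the control; the function names and the sample identity are hypothetical.

```python
# Added illustration: BER encoding of the Proxied Authorization control (RFC 4370).
PROXY_AUTHZ_OID = "2.16.840.1.113730.3.4.18"

def tlv(tag: int, value: bytes) -> bytes:
    """Encode one BER element with a definite length, as LDAP requires."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + value

def read_tlv(buf: bytes, pos: int):
    """Decode one element at pos; return (tag, value, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        size, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        size = first
    if pos + size > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:pos + size], pos + size

def encode_proxy_authz(authzid: str) -> bytes:
    """Control the proxy attaches after binding with its own credentials."""
    if authzid and not authzid.startswith(("dn:", "u:")):
        raise ValueError("authzId must be empty, 'dn:<DN>' or 'u:<userid>'")
    return tlv(0x30, tlv(0x04, PROXY_AUTHZ_OID.encode())
               + tlv(0x01, b"\xff")              # criticality must be TRUE
               + tlv(0x04, authzid.encode("utf-8")))

def decode_proxy_authz(control: bytes) -> str:
    """Receiving-side check: right OID, marked critical, value present."""
    try:
        tag, seq, end = read_tlv(control, 0)
        t1, oid, p = read_tlv(seq, 0)
        t2, crit, p = read_tlv(seq, p)
        t3, val, p = read_tlv(seq, p)
    except IndexError:
        raise ValueError("malformed control") from None
    if tag != 0x30 or end != len(control) or (t1, t2, t3) != (4, 1, 4) or p != len(seq):
        raise ValueError("unexpected control layout")
    if oid != PROXY_AUTHZ_OID.encode() or len(crit) != 1 or crit == b"\x00":
        raise ValueError("not a critical Proxied Authorization control")
    return val.decode("utf-8")

if __name__ == "__main__":
    wire = encode_proxy_authz("u:jdoe")  # constructed sample identity
    print(wire.hex(), "->", decode_proxy_authz(wire))
```

The receiving server still decides whether the bound proxy identity is permitted to assume the requested authzId; the control only carries the request.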