[Date Prev][Date Next]
Kerberos V support in OpenLDAP
I notice that OpenLDAP 1.1 will include Kerberos V support.
FYI, I took the DCE GSS-API patches for UMich (from Chris Mason at RIT, if I
remember the name correctly) and got it to compile with the Kerberos V
GSS-API. I lost the patches, unfortunately, but they might be floating
The correct way (which might have to wait for OpenLDAP 2.0) will be to
implement the GSS-API SASL mechanism. We've done this for Netscape's
Directory Server, and it's fairly trivial (assuming you have a generalized
means of supporting additional SASL mechanisms).
The issues that needed clarification were the GSS-API service name for LDAP
(the consensus is apparently "ldap") and the means of mapping authentication
identities (ie. Kerberos principals) into directory entries (at the moment,
we're using the UMich kerberosSecurityObject auxiliary class).