Re: Kerberos 5 Support for OpenLDAP-release
On Wed, 22 Sep 1999, Kurt D. Zeilenga wrote:
> Booker Bense wrote:
> > On Wed, 22 Sep 1999, Kurt D. Zeilenga wrote:
> > > deprecate != purge necessarily...
> > > But considering that the krb4 code is broken and no one has stepped
> > > forward to fix it...
> > - How is it broken? We use the Umich K4 ldap auth method extensively
> > here at Stanford; I'd hate to see that disappear in the 2.0 release.
> > I can probably find enough tuits to fix any egregious bugs...
> ITS#109: Kerberos binds broke when clients moved to ldap_init()
- Well, here's what I've found so far. The kerberos code is attempting
to find the name of the host ( more or less ) at line 276 in kbind.c
krbinstance = ld->ld_defconn->lconn_krbinstance;
- Unfortunately, ld->ld_defconn is null at this point. What
krbinstance should be is the canonical hostname of the machine that
you want to connect to without the domain name. For example:
At Stanford, directory.stanford.edu expands to
boron.stanford.edu, which kerberos4 will truncate to boron.
(Kerberos 5 gets this right and doesn't require this kind
of truncation.)
- I don't know enough of the logic of how ldap_init works to know
what the right thing to do here is. I think I could cobble up a patch
using ldo_defhost, but I'm not sure that's the correct thing to do.
I looked at ITS 268, and the more that I think about it the more
I'm convinced that the ticket has to be constructed after the
connection is opened. Yick this is messy.
- Booker C. Bense
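An added illustration of the fallback Booker sketches above (this is example code, not from the thread or from OpenLDAP): derive the Kerberos 4 instance from the default connection when one is open, otherwise from ldo_defhost, instead of dereferencing a NULL ld_defconn. The struct definitions and the hostname canonicalization table are constructed stand-ins for the real LDAP structures and DNS.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical stand-ins for the LDAP structures named in the thread;
 * these are not the OpenLDAP definitions. */
typedef struct { const char *lconn_krbinstance; } lconn_t;
typedef struct { lconn_t *ld_defconn; const char *ldo_defhost; } ld_t;

/* Constructed canonicalization table standing in for a DNS lookup
 * (directory.stanford.edu -> boron.stanford.edu, as in the thread). */
static const char *canonical_host(const char *host) {
    static const char *alias[][2] = {
        { "directory.stanford.edu", "boron.stanford.edu" },
    };
    for (size_t i = 0; i < sizeof alias / sizeof alias[0]; i++)
        if (strcmp(host, alias[i][0]) == 0) return alias[i][1];
    return host;
}

/* Kerberos 4 instance: the canonical hostname truncated at the first dot.
 * Returns the number of characters written, or -1 if no host is known
 * or the buffer is too small. Truncation is idempotent, so it is safe on
 * both paths. */
int krb4_instance(const ld_t *ld, char *out, size_t outlen) {
    const char *host;
    if (ld->ld_defconn && ld->ld_defconn->lconn_krbinstance) {
        /* Connection already opened: the instance is recorded on it. */
        host = ld->ld_defconn->lconn_krbinstance;
    } else if (ld->ldo_defhost) {
        /* Before the connection exists: fall back to the default host. */
        host = canonical_host(ld->ldo_defhost);
    } else {
        return -1;   /* the code at kbind.c line 276 dereferenced NULL here */
    }
    size_t n = strcspn(host, ".");
    if (n >= outlen) return -1;
    memcpy(out, host, n);
    out[n] = '\0';
    return (int)n;
}
```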