
RE: can I use a kerberos ticket with ldapsearch (and ldap libraries)

> -----Original Message-----
> From: Michael Torrie [mailto:torriem@cs.byu.edu]

> Thanks.  So far so good.  SASL is now working correctly.  I did a chmod
> a+r /etc/krb5.keytab and it works.  However this is not a good
> solution.  I guess one solution is to make a special group that I can
> put ldap in to access that file.  It's odd that there's no option to
> specify the keytab file... ;)

This is a limitation of the GSSAPI spec itself: the standard doesn't provide
an API for setting this option. The Heimdal library provides a function
"gsskrb5_register_acceptor_identity" for this purpose, but no one uses it
since it is not part of the GSSAPI standard. The MIT library is hardcoded to
use the system default keytab. Perhaps you should contact the authors of the
GSSAPI standard and lobby them to revise the spec to allow setting of
arbitrary mech-specific options to address this problem.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
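The group-based alternative to `chmod a+r` that the quoted message suggests, worked through as an added example (this is not code from the thread, OpenLDAP, or Symas). It assumes slapd runs as user `ldap`, as in the quoted message; the group name `keytab` and the use of `groupadd`/`usermod` from Linux shadow-utils are assumptions, and the group-management steps need root. The mode check deliberately parses `ls -l` rather than `stat(1)`, whose flags differ between GNU and BSD.

```shell
#!/bin/sh
# Added example: let slapd read the system keytab via a dedicated group
# instead of making /etc/krb5.keytab world-readable.
# Assumptions: slapd runs as user "ldap"; group name "keytab" is our choice;
# groupadd/usermod are Linux shadow-utils commands and require root.

# Return 0 (true) if "other" has the read bit, i.e. the file is world-readable.
# Positions 8-10 of `ls -l` mode string are the "other" bits; position 8 is read.
keytab_world_readable() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ???????r??) return 0 ;;
        *)          return 1 ;;
    esac
}

# Create the group if missing (root only; no-op when it already exists).
ensure_group() {
    getent group "$1" >/dev/null 2>&1 || groupadd -r "$1"
}

# Hand the keytab to the group and drop the world bits: owner rw, group r, other none.
# Refuses to report success unless the result is actually no longer world-readable.
restrict_keytab() {
    keytab=$1
    group=$2
    chgrp "$group" "$keytab" || return 1
    chmod 0640 "$keytab" || return 1
    if keytab_world_readable "$keytab"; then
        echo "still world-readable: $keytab" >&2
        return 1
    fi
    ls -ld "$keytab"
}

# Put the service account in the group (root only). -a keeps existing
# supplementary groups. The running slapd does not pick this up: supplementary
# groups are fixed at process start, so restart slapd afterwards.
grant_user() {
    usermod -a -G "$2" "$1"
}

# Typical run as root:
#   ensure_group keytab
#   restrict_keytab /etc/krb5.keytab keytab
#   grant_user ldap keytab
#   (restart slapd, then confirm from the service account, e.g.
#    su -s /bin/sh ldap -c 'klist -k /etc/krb5.keytab')
```

The final `klist -k` check is worth doing from the `ldap` account rather than as root, since root reads the file regardless of mode and would hide a mistake.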