[Date Prev][Date Next]
RE: kerberos authentication disables normal operation?
Yes, I used to use this format ldap/host@REALM while passing it to gss_import_name() with the type GSS_C_NT_HOSTBASED_SERVICE in my Solaris 8 machine. However once I tried to integrate with MIT kerberos API to get TGT, I need to use MIT's GSSAPI as well to resolve some library conflict and MIT's GSSAPI doesn't have GSS_C_NT_HOSTBASED_SERVICE defined so that I use gss_nt_service_name instead. The consequence of this is that I need to use this format ldap@realm_name instead.
The odd thing is it all works fine during the authentication phase without any error returns, it just couldn't return entries while doing the search, however it still returns normally without any errors.
From: Dieter Kluenter [mailto:email@example.com]
Sent: Friday, June 20, 2003 12:28 AM
Subject: Re: kerberos authentication disables normal operation?
> I tried to use LDAP SDK to connect to AD, the odd thing is if
> I adopts simple authentication by using ldap_simple_bind_s() then I
> can search, compare, ..etc. However if I use kerberos authentication
> by using GSS-API and ldap_sasl_bind_s(), it would pass the
> authentication phase however while doing the search, no entry was
> returned even though the criteria are the same as simple
> authentication one. Here in Kerberos authentication I use
> "ldap@realm_name" as the service name.
You should create a 'service/host@REALM' principal. That is
Dieter Kluenter | Systemberatung
Tel:040.64861967 | Fax: 040.64891521