
RE: FW: programming using ldap api calls



I think you need to separate protocol design from implementation
specific issues.

In LDAPv3 (as specified today), Kerberos V authentication is
provided through SASL by the SASL "GSSAPI" mechanism
which is, as the name implies, a GSSAPI-based SASL mechanism.

The OpenLDAP LDAP library can be built with support for the
"GSSAPI" mechanism.  That support requires not only Cyrus SASL,
but Cyrus SASL built with its implementation of the SASL
"GSSAPI" mechanism, which in turn requires GSSAPI and Kerberos
libraries, such as those provided in Heimdal Kerberos.

The OpenLDAP LDAP library is designed such that the application can
itself provide the implementation of any SASL mechanism it
desires.  For instance, one can implement one's own "EXTERNAL"
mechanism instead of using the implementation provided by
the LDAP library through Cyrus SASL.  This is done through use
of ldap_sasl_bind(3) calls.  But whether it makes sense to
do so, especially for complex mechanisms such as "GSSAPI", is
another matter.

Kurt
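To make concrete what "providing the implementation of a SASL mechanism yourself" involves for "GSSAPI", here is an added example (not code from this thread, from OpenLDAP, or from Cyrus SASL) of the one piece of the mechanism that sits outside plain GSS-API: the security-layer negotiation that RFC 4752 places after gss_init_sec_context() has completed. An application driving ldap_sasl_bind(3) itself would unwrap the server's final token, run something like negotiate_layer() on its 4-byte payload, wrap the reply and send it as the last bind step. The function names, the constructed sample offer bytes and the authorization identity "u:alice" are this example's own assumptions; the gss_wrap()/gss_unwrap() calls and the LDAP round trips are assumed to happen around these helpers and are not shown.

```c
/*
 * Added example, not code from this thread or from OpenLDAP/Cyrus SASL:
 * the security-layer negotiation step of the SASL "GSSAPI" mechanism
 * (RFC 4752 section 3.1), performed after gss_init_sec_context() has
 * completed.  gss_wrap()/gss_unwrap() and the ldap_sasl_bind(3) round
 * trips are assumed to happen around these helpers; the functions below
 * only handle the 4-byte payload carried inside the wrapped tokens.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Security-layer bits defined by RFC 4752. */
#define LAYER_NONE      0x01  /* no security layer */
#define LAYER_INTEGRITY 0x02  /* integrity protection only */
#define LAYER_CONF      0x04  /* confidentiality (which includes integrity) */
#define LAYER_KNOWN     (LAYER_NONE | LAYER_INTEGRITY | LAYER_CONF)

/* Decode the server's 4-octet offer (after gss_unwrap): one octet of
 * layer bits, then the largest message size the server accepts as a
 * 24-bit big-endian number.  Returns 0 on success, -1 if unusable. */
int parse_server_offer(const uint8_t *buf, size_t len,
                       uint8_t *layers, uint32_t *max_buf)
{
    if (buf == NULL || len < 4)
        return -1;
    *layers  = buf[0] & LAYER_KNOWN;   /* bits we do not understand are ignored */
    *max_buf = ((uint32_t)buf[1] << 16) | ((uint32_t)buf[2] << 8) | buf[3];
    return *layers ? 0 : -1;           /* an offer with no known layer is unusable */
}

/* Client policy: take the strongest offered layer that is at least
 * `minimum` (the bit values are ordered NONE < INTEGRITY < CONF).
 * Returns 0 when the server cannot satisfy the policy; the bind must then
 * be abandoned rather than silently downgraded to a weaker layer. */
uint8_t choose_layer(uint8_t offered, uint8_t minimum)
{
    static const uint8_t preference[] = { LAYER_CONF, LAYER_INTEGRITY, LAYER_NONE };
    for (size_t i = 0; i < sizeof preference; i++)
        if ((offered & preference[i]) && preference[i] >= minimum)
            return preference[i];
    return 0;
}

/* Encode the client's reply (to be passed through gss_wrap before sending):
 * chosen layer bit, 24-bit maximum message size the client accepts
 * (RFC 4752 requires 0 when no security layer is used), then the optional
 * authorization identity.  Returns bytes written, or -1 on error. */
int build_client_reply(uint8_t layer, uint32_t max_buf, const char *authzid,
                       uint8_t *out, size_t outlen)
{
    size_t idlen = authzid ? strlen(authzid) : 0;
    if (layer == LAYER_NONE)
        max_buf = 0;
    if (max_buf > 0xFFFFFF || out == NULL || outlen < 4 + idlen)
        return -1;
    out[0] = layer;
    out[1] = (uint8_t)(max_buf >> 16);
    out[2] = (uint8_t)(max_buf >> 8);
    out[3] = (uint8_t)max_buf;
    if (idlen)
        memcpy(out + 4, authzid, idlen);
    return (int)(4 + idlen);
}

/* The whole client-side step: parse the offer, apply policy, build the reply.
 * Returns the reply length, or -1 if the offer is malformed or too weak. */
int negotiate_layer(const uint8_t *offer, size_t offer_len, uint8_t minimum,
                    uint32_t client_max_buf, const char *authzid,
                    uint8_t *out, size_t outlen)
{
    uint8_t layers, chosen;
    uint32_t server_max;
    if (parse_server_offer(offer, offer_len, &layers, &server_max) != 0)
        return -1;
    chosen = choose_layer(layers, minimum);
    if (chosen == 0)
        return -1;
    return build_client_reply(chosen, client_max_buf, authzid, out, outlen);
}

int main(void)
{
    /* Constructed sample offer: all three layers, server max buffer 65535. */
    const uint8_t offer[4] = { 0x07, 0x00, 0xFF, 0xFF };
    uint8_t reply[64];
    int n = negotiate_layer(offer, sizeof offer, LAYER_CONF, 0x10000,
                            "u:alice", reply, sizeof reply);
    if (n < 0) {
        puts("server offer does not meet policy; abandon the bind");
        return 1;
    }
    printf("client reply (%d bytes):", n);
    for (int i = 0; i < n; i++)
        printf(" %02x", reply[i]);
    putchar('\n');
    return 0;
}
```

The point of choose_layer() is the part people forget when they hand-roll a mechanism: a server that only offers "no security layer" must make the client abort rather than proceed with an unprotected LDAP session, which is the same policy the Cyrus-backed implementation applies through its security properties (the minssf setting of SASL_SECPROPS in ldap.conf(5)).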

At 07:12 AM 4/9/2004, Ang, Melissa wrote:
>I have a new idea! :D Is it possible, then, not to use GSSAPI and instead use Kerberos API calls with the LDAP API calls (without SASL)? No offense to SASL, of course. I just don't want to build any extra source if we can get away without it. Any samples on how to do Kerberos API and LDAP API calls are much appreciated.
>
>thanks all!
>
>-----Original Message-----
>From: owner-openldap-software@OpenLDAP.org
>[mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Ang, Melissa
>Sent: Friday, April 09, 2004 9:59 AM
>To: Kurt D. Zeilenga
>Cc: Openldap Ldap Server (E-mail)
>Subject: RE: FW: programming using ldap api calls
>
>
>Hello again folks!
>
>So there is no workaround to programming with OpenLDAP API calls without the SASL library? It is possible to do so by implementing the lower-level calls, right? Which lower-level API calls are these? Are these the GSS API calls, since SASL sits on top of this layer?
>
>Example:
>
>gss_init_sec_context(....)
>...
>..
>ldap_bind (.., cred,..)
>where cred is the credential created by GSS API calls?
>
>Is this feasible?
>
>Thanks again for the help. :)
>
>
>
>-----Original Message-----
>From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org]
>Sent: Thursday, April 08, 2004 4:33 PM
>To: Ang, Melissa
>Cc: Openldap Ldap Server (E-mail)
>Subject: RE: FW: programming using ldap api calls
>
>
>At 01:19 PM 4/8/2004, Ang, Melissa wrote:
>>LDAP can only talk to GSSAPI through SASL? Isn't GSSAPI a lower-level protocol? Is it possible to directly use GSSAPI without having to implement SASL?
>
>In the LDAP (and SASL) context, the term "GSSAPI" refers to a
>particular SASL mechanism, which is a Kerberos V GSSAPI mechanism,
>identified by the token "GSSAPI".  SASL supports a number of other
>GSSAPI mechanisms; they are identified by other tokens.
>
>It is certainly possible to design an LDAP bind method (or a SASL
>mechanism) which supports multiple GSSAPI mechanisms, but that
>just isn't how it's done today.
>
>Kurt