
Re: GSSAPI, multiple aliases



I note that in addition to the Kerberos details
being hidden by GSSAPI, the GSSAPI issues are
hidden by the SASL "GSSAPI" mechanism, and these
hidden by Cyrus SASL.  slapd(8) makes no Kerberos(*)
or GSSAPI library calls itself.

(Excepting old LDAPv2 kbind cruft, not used here.)

At 07:41 AM 9/23/2004, Luke Howard wrote:

>>OpenLDAP doesn't make any decision at all. By its nature, the internal 
>>workings of Kerberos are completely hidden behind the GSSAPI layer and 
>>OpenLDAP knows nothing about it. You should ask on a mailing list for 
>>your Kerberos implementation how a Kerberized server works; they all 
>>work the same (otherwise there would be no interoperability, would 
>>there...).
>
>IIRC the canonical hostname of the machine is used, at least with
>Heimdal (gethostbyname(gethostname())), for servers that don't acquire
>a specific credential before calling GSS_Accept_Sec_Context().
>
>-- Luke