Just a quick clarification question:
I'm using: (1) OpenLDAP, (2) Heimdal Kerberos, and (3) Cyrus SASL.
I exist in realm CHILD1.EXAMPLE.COM, and the ldap directory is in
CHILD2.EXAMPLE.COM, both of which trust PARENT.EXAMPLE.COM.
I first use Heimdal Kerberos to log into CHILD1.EXAMPLE.COM and save my
credentials.
Now, at this point, is it my responsibility to somehow traverse the realms
from CHILD1 -> PARENT, PARENT -> CHILD2 with Heimdal Kerberos, or can I just
call ldap_sasl_interactive_bind_s() at this point and expect it to traverse
the realms for me?
On 9/16/05, Kurt D. Zeilenga <Kurt@openldap.org> wrote:
> At 05:39 AM 9/16/2005, Jeremiah Martell wrote:
> >Thanks for the reply. However, my system is set up correctly for
> >authentication. I have another application that does it perfectly fine,
> >it's not how my system is set up.
> You should get Cyrus SASL test programs working, then get
> ldapwhoami(1) working with SASL, then worry about your own
> programs. Discussions of the Cyrus SASL test programs should
> be taken to the Cyrus SASL mailing list.
> >Anybody have any experience on how to correctly use
> Yes. See ldapwhoami code in clients/tools.
> >I know my "interact function" gets asked for
> >some values, and currently I return nothing. I've tried to return a valid
> >realm but it doesn't seem to get used (verified with ethereal). Any
> Because in Cyrus SASL the Kerberos realm in the Kerberos
> ticket is always used in the case of the GSSAPI mechanism.
> As Dieter hinted, getting cross-realm authentication to work
> is not really specific to OpenLDAP Software. If you get the
> Cyrus SASL test programs working, one should be able to
> get every program (such as those in OpenLDAP Software) using
> Cyrus SASL working without significant hassle.
> >- Jeremiah
> >On 9/16/05, Dieter Kluenter <firstname.lastname@example.org> wrote:
> >> Jeremiah Martell <email@example.com> writes:
> >> > Hello,
> >> >
> >> > Is there any documentation on this function? I'm able to get openldap
> >> > to successfully use this function to authenticate to a ldap directory
> >> > via SASL/GSSAPI when my kerberos credentials and the ldap directory are
> >> > in the same realm. But when my credentials and the ldap directory are
> >> > in different realms, it's failing. I'm not sure what to pass this
> >> > function to make multi-realm logins work. Any ideas?
> >> This is a Kerberos-related question. Set up your system for cross-realm
> >> authentication and a two-way trust relationship.
> >> -Dieter
> >> --
> >> Dieter Klünter | Systemberatung
> >> http://www.dkluenter.de
> >> GPG Key ID:8EF7B6C6
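One way to see whether the realm traversal asked about above actually happened, as an added example that is not from the thread or from OpenLDAP: the Kerberos library performs the CHILD1 -> PARENT -> CHILD2 hops itself when it fetches the ldap/ service ticket, and the intermediate krbtgt tickets stay in the credential cache, so after kinit and a GSSAPI bind (ldapwhoami -Y GSSAPI, per Kurt's advice, is the simplest client to try first) klist(1) should list the whole chain. The klist text, the host name ldap.child2.example.com and the function names below are constructed for this example.

```shell
#!/bin/sh
# Constructed sample approximating Heimdal klist(1) output after a successful
# GSSAPI bind from CHILD1.EXAMPLE.COM to an LDAP server in CHILD2.EXAMPLE.COM.
KLIST_OK='Credentials cache: FILE:/tmp/krb5cc_1000
        Principal: jeremiah@CHILD1.EXAMPLE.COM

  Issued                Expires               Principal
Sep 16 05:39:00 2005  Sep 16 15:39:00 2005  krbtgt/CHILD1.EXAMPLE.COM@CHILD1.EXAMPLE.COM
Sep 16 05:40:00 2005  Sep 16 15:39:00 2005  krbtgt/PARENT.EXAMPLE.COM@CHILD1.EXAMPLE.COM
Sep 16 05:40:00 2005  Sep 16 15:39:00 2005  krbtgt/CHILD2.EXAMPLE.COM@PARENT.EXAMPLE.COM
Sep 16 05:40:00 2005  Sep 16 15:39:00 2005  ldap/ldap.child2.example.com@CHILD2.EXAMPLE.COM'

# The same cache with the PARENT -> CHILD2 hop missing: the trust from PARENT
# to CHILD2 is not working, so the bind would fail before the service ticket.
KLIST_BROKEN=$(printf '%s\n' "$KLIST_OK" | grep -v 'krbtgt/CHILD2.EXAMPLE.COM@PARENT')

# has_ticket KLIST_TEXT PRINCIPAL: succeed if the cache lists that principal.
has_ticket() {
    printf '%s\n' "$1" | grep -F -q -- " $2"
}

# check_realm_path KLIST_TEXT CLIENT_REALM TARGET_REALM SERVICE_PRINC [HOP_REALM...]
# Walks CLIENT -> HOP... -> TARGET, requiring a krbtgt/NEXT@CURRENT ticket for
# each hop and finally the service ticket. Returns 0 when the chain is complete.
check_realm_path() {
    klist_text=$1 cur=$2 target=$3 svc=$4
    shift 4
    for next in "$@" "$target"; do
        if ! has_ticket "$klist_text" "krbtgt/$next@$cur"; then
            echo "missing cross-realm TGT krbtgt/$next@$cur" >&2
            return 1
        fi
        cur=$next
    done
    if ! has_ticket "$klist_text" "$svc"; then
        echo "missing service ticket $svc" >&2
        return 1
    fi
}

SVC=ldap/ldap.child2.example.com@CHILD2.EXAMPLE.COM
if check_realm_path "$KLIST_OK" CHILD1.EXAMPLE.COM CHILD2.EXAMPLE.COM "$SVC" PARENT.EXAMPLE.COM; then
    echo "good cache: CHILD1 -> PARENT -> CHILD2 chain and ldap/ ticket present"
fi
if ! check_realm_path "$KLIST_BROKEN" CHILD1.EXAMPLE.COM CHILD2.EXAMPLE.COM "$SVC" PARENT.EXAMPLE.COM; then
    echo "broken cache: traversal stopped at PARENT, fix the PARENT <-> CHILD2 trust"
fi
```

On a real client, replace the constructed text with `klist` output captured right after the bind; a chain that stops at krbtgt/PARENT.EXAMPLE.COM@CHILD1.EXAMPLE.COM points at the Kerberos trust between the realms, not at the ldap_sasl_interactive_bind_s() call.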