
Re: ldap_sasl_interactive_bind_s



Just a quick clarification question:

I'm using: (1) OpenLDAP, (2) Heimdal Kerberos, and (3) Cyrus SASL.

I exist in realm CHILD1.EXAMPLE.COM, and the ldap directory is in
CHILD2.EXAMPLE.COM, both of which trust PARENT.EXAMPLE.COM.

I first use Heimdal Kerberos to log into CHILD1.EXAMPLE.COM and save my
credentials.

Now, at this point, is it my responsibility to somehow traverse the realms
from CHILD1 -> PARENT, PARENT -> CHILD2 with Heimdal Kerberos, or can I just
call ldap_sasl_interactive_bind_s() at this point and expect it to traverse
the realms for me?

Thanks,

- Jeremiah
inlovewithGod@gmail.com

On 9/16/05, Kurt D. Zeilenga <Kurt@openldap.org> wrote:
> 
> At 05:39 AM 9/16/2005, Jeremiah Martell wrote:
> >Thanks for the reply. However, my system is set up correctly for
> >cross-realm authentication. I have another application that does it
> >perfectly fine, so it's not how my system is set up.
> 
> You should get Cyrus SASL test programs working, then get
> ldapwhoami(1) working with SASL, then worry about your own
> programs. Discussions of the Cyrus SASL test programs should
> be taken to the Cyrus SASL mailing list.
> 
> >Anybody have any experience on how to correctly use
> >ldap_sasl_interactive_bind_s?
> 
> Yes. See ldapwhoami code in clients/tools.
> 
> >I know my "interact function" gets asked for
> >some values, and currently I return nothing. I've tried to return a valid
> >realm but it doesn't seem to get used (verified with ethereal). Any
> >ideas?
> 
> Because in Cyrus SASL the Kerberos realm in the Kerberos
> ticket is always used in the case of the GSSAPI mechanism.
> 
> As Dieter hinted, getting cross-realm authentication to work
> is not really specific to OpenLDAP Software. If you get the
> Cyrus SASL test programs working, one should be able to
> get every program (such as those in OpenLDAP Software) using
> Cyrus SASL working without significant hassle.
> 
> Kurt
> 
> 
> 
> >Thanks,
> >
> >- Jeremiah
> >inlovewithGod@gmail.com
> >
> >On 9/16/05, Dieter Kluenter <dieter@dkluenter.de> wrote:
> >>
> >> Jeremiah Martell <inlovewithgod@gmail.com> writes:
> >>
> >> > Hello,
> >> >
> >> > Is there any documentation on this function? I'm able to get openldap
> >> > to successfully use this function to authenticate to an ldap directory
> >> > with SASL/GSSAPI when my kerberos credentials and the ldap directory
> >> > are in the same realm. But when my credentials and the ldap directory
> >> > are in different realms, it's failing. I'm not sure what to pass this
> >> > function to make multi-realm logins work. Any ideas?
> >>
> >> This is a kerberos related question. Set up your system for cross-realm
> >> authentication and a two-way trust relation.
> >>
> >> -Dieter
> >>
> >> --
> >> Dieter Klünter | Systemberatung
> >> http://www.dkluenter.de
> >> GPG Key ID:8EF7B6C6
> >>
> >>