Re: Question on bind using Kerberos Service Ticket.

["Austin Cherian" <austin.cherian@gmail.com>]

Thanks for the reply Howard, if i can further clarify what you mean is that given the ldap_sasl_bind fucntion prototype below : 

ldap_sasl_bind(
 LDAP   *ld,
 LDAP_CONST char *dn,
 LDAP_CONST char *mechanism,
 struct berval *cred,
 LDAPControl  **sctrls,
 LDAPControl  **cctrls,
 int    *msgidp )

 

 

i first call the Kerberos authentication functions to get the service ticket to the ldap server. Next i can simply use the above fuction specifying mechanism as "GSSAPI" and pointing cred to the Kerberos service ticket i just got ?

 

If this is right the ldap server will just verify the service ticket and send back the response for the fucntion to return success.

 

Is there anything else i need to take care of ?

 

 

 

 

 

On 11/26/07, Howard Chu <hyc@symas.com> wrote:

Austin Cherian wrote:
> Hi,
>    Im quite new to Openldap and am searching for answers to some
> questions on a particular case i have, i'd be glad if some one could
> help me out on this particular topic.
>
> I have a situation where i have to perform an LDAP bind to a given
> LDAP server with only being provided a service ticket to that
> particular LDAP server and nothing else, i have already explored the
> possibility of using SASL authentication method with GSSAPI as the
> mechanism, however i guess the GSSAPI mechanism takes user credentials
> as input and moves through the Kerberos protocol to finally provide
> the LDAP server with the service ticket.

Wrong. The GSSAPI mechanism does exactly what you're looking for.
--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP     http://www.openldap.org/project/