
Re: Question on bind using Kerberos Service Ticket.

Thanks for the reply Howard. If I can further clarify, what you mean is that given the ldap_sasl_bind function prototype below:

 int ldap_sasl_bind(
 LDAP   *ld,
 LDAP_CONST char *dn,
 LDAP_CONST char *mechanism,
 struct berval *cred,
 LDAPControl  **sctrls,
 LDAPControl  **cctrls,
 int    *msgidp )
I first call the Kerberos authentication functions to get the service ticket to the ldap server. Next I can simply use the above function, specifying mechanism as "GSSAPI" and pointing cred to the Kerberos service ticket I just got?
If this is right, the ldap server will just verify the service ticket and send back the response for the function to return success.
Is there anything else I need to take care of?

On 11/26/07, Howard Chu <hyc@symas.com> wrote:
Austin Cherian wrote:
> Hi,
>    I'm quite new to OpenLDAP and am searching for answers to some
> questions on a particular case I have. I'd be glad if someone could
> help me out on this particular topic.
> I have a situation where I have to perform an LDAP bind to a given
> LDAP server with only being provided a service ticket to that
> particular LDAP server and nothing else. I have already explored the
> possibility of using SASL authentication method with GSSAPI as the
> mechanism, however I guess the GSSAPI mechanism takes user credentials
> as input and moves through the Kerberos protocol to finally provide
> the LDAP server with the service ticket.

Wrong. The GSSAPI mechanism does exactly what you're looking for.
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP     http://www.openldap.org/project/