[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: LDAP_OPT_X_SASL_AUTHCID and LDAP_OPT_X_SASL_AUTHZID



Philip Guenther wrote:
> On Sat, 15 Aug 2009, Michael Ströder wrote:
> ...
>> I was hoping to find a SASL option to query the Kerberbos principal name 
>> actually used after a successful SASL/GSSAPI bind.
> 
> Are you trying to ask a purely local question or is the server's opinion 
> of what authorization ID you actually ended up with relevant?

Local.

> For the latter, try ldap_whoami() or ldap_whoami_s().

Yes, that's already used in web2ldap for servers which implement it.

But if that's not available (e.g. on MS AD W2K3 and it's almost useless in
W2K8) I'm conducting a reverse lookup with a search request. So if bound by
SASL/GSSAPI I'd search with a filter template like this:

(|(userPrincipalName=%s)(krb5PrincipalName=%s)(krbPrincipalName=%s))

For other SASL methods other filters are used.

> Does cyrus-sasl even provide a means to get the authentication ID used?

That's exactly the question...

Ciao, Michael.