RE: OpenLdap + Cyrus SASL + MIT Kerberos credentials cache
Is it possible to use an in-memory credentials cache to store the TGT, or does it have to be in a file?
From: Howard Chu [firstname.lastname@example.org]
Sent: Monday, January 25, 2016 3:37 PM
To: Petar Kovačević; email@example.com
Subject: Re: OpenLdap + Cyrus SASL + MIT Kerberos credentials cache
Petar Kovačević wrote:
> Hi All,
> I’m working on a Windows application that uses libldap built with Cyrus SASL and
> MIT Kerberos and I’m having issues with Kerberos authentication on AD.
> I have tested with various applications and Kerberos is working properly on
> In my app I’m using ldap_sasl_interactive_bind_s(mLdapObj, NULL, "GSSAPI",
> NULL, NULL, LDAP_SASL_INTERACTIVE, my_ldap_sasl_interact, defaults) in order
> to bind with server, but I get error -2 (Local error).
> I have debugged the app and I have found that there is an issue with the Kerberos
> Credentials Cache. Because I haven’t set a credentials cache location, Kerberos
> reads this location from KRB5CCNAME environment variable.
> So my first question is: Is there any API in libldap, so we can set our own
> contact cache location?
> But even when I set this variable, I get the same error when I try to bind. After
> some more debugging I found that Kerberos expects that I already have a
> credentials cache file created, and that there is a ticket in it (as if I have
> called kinit before bind).
> Is there an API in libldap, that will call Kerberos API for credentials cache
> and ticket obtaining operations, which we can call before bind, or we need to
> call Kerberos API directly ?
You are expected to have a TGT already.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
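
A preflight check for the failure discussed in this thread, added here as an example and not code from either poster or from OpenLDAP: before calling ldap_sasl_interactive_bind_s, it reports whether the cache named by KRB5CCNAME is a file that exists and starts with a ccache version header. The names cc_preflight, cc_file_path and enum cc_status are hypothetical, and treating a bare path as a FILE cache is an assumption about the library default.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical names; this is not a libldap or krb5 API. */
enum cc_status { CC_UNSET, CC_NOT_FILE, CC_MISSING, CC_BAD_HEADER, CC_FILE_OK };

/* Path of a FILE-type cache name, or NULL for any other cache type. */
static const char *cc_file_path(const char *name)
{
    const char *colon = strchr(name, ':');
    if (colon == NULL)
        return name;                      /* bare path: FILE type assumed here */
    if (colon - name == 1 && isalpha((unsigned char)name[0]))
        return name;                      /* "C:\..." is a drive letter, not a type */
    if (strncmp(name, "FILE:", 5) == 0)
        return name + 5;
    return NULL;                          /* MEMORY:, API:, ... not on disk */
}

/* Existence and header check only; it does not prove a valid, unexpired TGT. */
enum cc_status cc_preflight(const char *name)
{
    unsigned char hdr[2];
    const char *path;
    size_t n;
    FILE *f;
    if (name == NULL || *name == '\0')
        return CC_UNSET;
    if ((path = cc_file_path(name)) == NULL)
        return CC_NOT_FILE;
    if ((f = fopen(path, "rb")) == NULL)
        return CC_MISSING;
    n = fread(hdr, 1, sizeof hdr, f);
    fclose(f);
    /* MIT file caches start with a two-byte version, 0x0501 to 0x0504. */
    if (n != 2 || hdr[0] != 0x05 || hdr[1] < 1 || hdr[1] > 4)
        return CC_BAD_HEADER;
    return CC_FILE_OK;
}

int main(void)
{
    static const char *msg[] = { "KRB5CCNAME not set", "non-file cache type",
        "cache file missing: obtain a TGT first", "not a ccache file", "cache file present" };
    printf("%s\n", msg[cc_preflight(getenv("KRB5CCNAME"))]);
    return 0;
}
```

A CC_MISSING result corresponds to the situation described in the thread, where the bind fails because no ticket was obtained beforehand.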