
RE: OpenLdap + Cyrus SASL + MIT Kerberos credentials cache
Hi,

Is it possible to use an in-memory credentials cache to store the TGT, or does it have to be in a file?

Best Regards,
Petar Kovacevic
________________________________________
From: Howard Chu [hyc@symas.com]
Sent: Monday, January 25, 2016 3:37 PM
To: Petar Kovačević; openldap-technical@openldap.org
Subject: Re: OpenLdap + Cyrus SASL + MIT Kerberos credentials cache

Petar Kovačević wrote:
> Hi All,
>
> I’m working on a Windows application that uses libldap built with Cyrus SASL and
> MIT Kerberos, and I’m having issues with Kerberos authentication on AD.
>
> I have tested with various applications and Kerberos is working properly on
> server.
>
> In my app I’m using ldap_sasl_interactive_bind_s(mLdapObj, NULL, "GSSAPI",
> NULL, NULL, LDAP_SASL_INTERACTIVE, my_ldap_sasl_interact, defaults) in order
> to bind to the server, but I get error -2 (Local error).
>
> I have debugged the app and I have found that there is an issue with the Kerberos
> credentials cache. Because I haven’t set the credentials cache location, Kerberos
> reads this location from the KRB5CCNAME environment variable.
>
> So my first question is: is there any API in libldap so we can set our own
> contact cache location?

No.

> But even when I set this variable, I get the same error when I try to bind. After
> some more debugging I found that Kerberos expects that I already have a
> credentials cache file created, and that there is a ticket in it (as if I had
> called kinit before the bind).
>
> Is there an API in libldap that calls the Kerberos API for the credentials cache
> and ticket-obtaining operations, which we can call before the bind, or do we need to
> call the Kerberos API directly?

You are expected to have a TGT already.

--
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/