
RE: SASL/GSSAPI with multiple Kerberos realms?



> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of Allan Streib

> OK next suggestion from the Kerberos admin is to have an ldap service
> principal in both realms, and have both keys in the keytab
> file on the ldap server.

This is an absolute requirement. The server and client must both have
credentials in a common realm. If you can't use cross-realm authentication to
put them both in the same realm, then the server must exist in both realms.
>
> BUT I think that sasl-realm in slapd.conf allows only one value; is
> this the case?

Irrelevant. Kerberos does its own realm name management, sasl-realm only
affects DIGEST-MD5 and other mechs that don't support distributed
authentication.

> If I ran another slapd with a slapd.conf specifying the other realm,
> could it look at the same db (the access to the other realm does not
> need to allow updates) without getting confused?  This is openldap
> 2.0.27.

No.


  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
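As an added example, not code from this thread or from OpenLDAP, here is a small Python parser for the MIT keytab file format that checks whether the ldap service principal is keyed in every realm the server must serve; the hostname, realm names and key bytes in the sample keytab are constructed.

```python
import struct

def read_octets(buf, off):
    # Counted octet string: uint16 big-endian length followed by the bytes.
    (n,) = struct.unpack(">H", buf[off:off + 2])
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Parse an MIT keytab (format version 0x0502); key bytes are not kept."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is supported")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4]); pos += 4
        if size < 0:            # a negative size marks a deleted slot; skip it
            pos += -size
            continue
        e, off = data[pos:pos + size], 0
        (ncomp,) = struct.unpack(">H", e[off:off + 2]); off += 2
        realm, off = read_octets(e, off)
        comps = []
        for _ in range(ncomp):
            c, off = read_octets(e, off); comps.append(c.decode())
        vno8 = e[off + 8]; off += 9   # skip name_type (4) and timestamp (4), read 8-bit kvno
        enctype, keylen = struct.unpack(">HH", e[off:off + 4]); off += 4 + keylen
        kvno = vno8             # overridden by the optional 32-bit kvno when non-zero
        if off + 4 <= size:
            kvno = struct.unpack(">I", e[off:off + 4])[0] or vno8
        entries.append({"principal": "/".join(comps), "realm": realm.decode(), "kvno": kvno, "enctype": enctype})
        pos += size
    return entries

def missing_realms(entries, service_principal, realms):
    """Realms from `realms` in which `service_principal` has no key in the keytab."""
    present = {e["realm"] for e in entries if e["principal"] == service_principal}
    return [r for r in realms if r not in present]

def build_entry(principal, realm, kvno, enctype=18, key=b"\x00" * 32):
    # Build one 0x0502 entry from constructed sample data (dummy key bytes).
    comps = principal.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # name_type, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample keytab: the ldap service principal keyed in both realms.
SAMPLE_KEYTAB = b"\x05\x02" + build_entry("ldap/ldap.example.com", "REALM-A.EXAMPLE", 3) \
    + build_entry("ldap/ldap.example.com", "REALM-B.EXAMPLE", 1)
```

Running `missing_realms(parse_keytab(open("/etc/krb5.keytab", "rb").read()), "ldap/<fqdn>", [realm_a, realm_b])` against a real keytab lists any realm the server still lacks a key for.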