
Re: OpenLdap + Cyrus SASL + MIT Kerberos credentials cache



Petar Kovačević wrote:
> Hi All,
>
> I'm working on a Windows application that uses libldap built with Cyrus SASL and
> MIT Kerberos, and I'm having issues with Kerberos authentication on AD.
>
> I have tested with various applications and Kerberos is working properly on the
> server.
>
> In my app I'm using ldap_sasl_interactive_bind_s(mLdapObj, NULL, "GSSAPI",
> NULL, NULL, LDAP_SASL_INTERACTIVE, my_ldap_sasl_interact, defaults) in order
> to bind to the server, but I get error -2 (Local error).
>
> I have debugged the app and found that there is an issue with the Kerberos
> credentials cache. Because I haven't set a credentials cache location, Kerberos
> reads this location from the KRB5CCNAME environment variable.
>
> So my first question is: is there any API in libldap so we can set our own
> credentials cache location?

No.

> But even when I set this variable, I get the same error when I try to bind. After
> some more debugging I found that Kerberos expects that I already have a
> credentials cache file created, and that there is a ticket in it (as if I had
> called kinit before the bind).
>
> Is there an API in libldap that will call the Kerberos API for the credentials
> cache and ticket-obtaining operations, which we can call before the bind, or do
> we need to call the Kerberos API directly?

You are expected to have a TGT already.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/