client-side support for SASL/GSSAPI on windows?

denis.havlik@t-mobile.at denis.havlik at t-mobile.at
Tue Apr 13 07:40:31 EDT 2004


Hi, folks

I've tested the openLDAP+MIT kerberos+SASL/GSSAPI on Linux (and I'm quite 
happy with it), but I'll need the client-side support on the windows side 
as well. Does anyone know of some good online docs that explain what has to be 
done on the windows side?

For instance, there is apparently no stable SASL for windows 
(http://asg.web.cmu.edu/cyrus/download/sasl/windows.html), so what's used 
for SASL/GSSAPI? :-)

Closely related: I want to set up windows AD controller in such a way that 
the password for all users is checked against MIT kerberos KDC. 

Now, windows machines have a built-in support for kerberos, and that's all 
that's needed for login purpose. Do I still need to install 
MIT kerberos 4 Windows on all the windows client machines, or not? 

thx
        Denis
--
T-Mobile Austria GmbH,
Information Technologies / Services
Knowledge Management & Process Automation

Dr. Denis Havlik,                 eMail: denis.havlik at t-mobile.at
Rennweg 97-99, BT2E0304031        Phone: +43-1-79-585/6237
A-1030 Vienna                     Fax: +43-1-79-585/65844

From wyllys.ingersoll at sun.com Tue Apr 13 07:50:36 2004
Date: Tue, 13 Apr 2004 07:50:20 -0400
From: Wyllys Ingersoll <wyllys.ingersoll at sun.com>
To: melissa_benkyo <wyl_lyf at yahoo.com>
cc: kerberos at mit.edu
Subject: Re: kerberos programming and ldap


Melissa -
   With Solaris 8 and SEAM, you can use the SASL-GSSAPI mechanism. 
SEAM does not expose the core Kerberos API to users but does have a fully 
functional GSSAPI implementation that should work with Cyrus SASL. 

Also, SASL support will likely be supported and included in an upcoming
Solaris release as well.  You can download and preview the "Solaris Express"
releases to try it out if you like (follow links from www.sun.com).

-Wyllys

melissa_benkyo wrote:

>Hi brian,
>
>thanks for the info. I guess, I'm looking for a way not to use cyrus
>if possible cause I'm not sure how to use it with SEAM? :D I'm going
>to be using the native SEAM on solaris. Do I need to install it again
>if I were to enable it to use cyrus? There are actually more parts
>involved like SEAM, iplanet, and cyrus. I don't know how to make
>iplanet use cyrus and SEAM?
>
>any inputs are much appreciated. thanks for the help, guys.
>
>making my life complicated, 
>melissa :D
>
>
>
>bdavids1 at gmu.edu (Brian Davidson) wrote in message news:<82570D7F-8CA8-11D8-8346-000393CCB774 at gmu.edu>...
>  
>
>>On Apr 12, 2004, at 9:38 AM, melissa_benkyo wrote:
>>
>>    
>>
>>>hello!!! thanks for the response. I was hoping not to use SASL since
>>>this means that it is a third party software. I was planning on using
>>>the native protocols available to the OS such as the ldap and the
>>>kerberos. Do u know how to use the kerberos with ldap? so is it not
>>>possible now to use kerberos directly with ldap since this is a LDAP
>>>v3?
>>>
>>>thanks so much for the help. :)
>>>      
>>>
>>Melissa,
>>
>>For ease of deployment, and future-proofing what you are trying to do, 
>>I suspect you will find that SASL is actually a better route to go.  
>>Non-SASL kerberos authentication support in LDAP clients is rare -- I'm 
>>not aware of any clients that support it.  But, there are a lot of LDAP 
>>clients which do support kerberos authentication via SASL.
>>
>>You could modify OpenLDAP to directly support kerberos (instead of via 
>>SASL), but why re-invent the wheel?  A nice standards based way to do 
>>what you're trying to do already exists.  You could get cyrus-sasl, or 
>>something similar, up and running in less time than it would take you 
>>to develop a customized, non-standard ldap client, server and library.
>>
>>Brian Davidson
>>George Mason University
>>