client-side support for SASL/GSSAPI on windows?
denis.havlik@t-mobile.at
Tue Apr 13 07:40:31 EDT 2004
Hi, folks
I've tested OpenLDAP + MIT Kerberos + SASL/GSSAPI on Linux (and I'm quite
happy with it), but I'll need client-side support on the Windows side
as well. Does anyone know of some good online docs that explain what has to be
done on the Windows side?
For instance, there is apparently no stable SASL for windows
(http://asg.web.cmu.edu/cyrus/download/sasl/windows.html), so what's used
for SASL/GSSAPI? :-)
Closely related: I want to set up a Windows AD controller in such a way that
the password for all users is checked against the MIT Kerberos KDC.
Now, Windows machines have built-in support for Kerberos, and that's all
that's needed for login purposes. Do I still need to install
MIT kerberos 4 Windows on all the Windows client machines, or not?
thx
Denis
--
T-Mobile Austria GmbH,
Information Technologies / Services
Knowledge Management & Process Automation
Dr. Denis Havlik, eMail: denis.havlik at t-mobile.at
Rennweg 97-99, BT2E0304031 Phone: +43-1-79-585/6237
A-1030 Vienna Fax: +43-1-79-585/65844

From wyllys.ingersoll at sun.com Tue Apr 13 07:50:36 2004
Date: Tue, 13 Apr 2004 07:50:20 -0400
From: Wyllys Ingersoll <wyllys.ingersoll at sun.com>
To: melissa_benkyo <wyl_lyf at yahoo.com>
cc: kerberos at mit.edu
Subject: Re: kerberos programming and ldap
Melissa -
With Solaris 8 and SEAM, you can use the SASL-GSSAPI mechanism.
SEAM does not expose the core Kerberos API to users but does have a fully
functional GSSAPI implementation that should work with Cyrus SASL.
Also, SASL support will likely be supported and included in an upcoming
Solaris release as well. You can download and preview the "Solaris Express"
releases to try it out if you like (follow links from www.sun.com).
-Wyllys
melissa_benkyo wrote:
>Hi brian,
>
>thanks for the info. I guess, I'm looking for a way not to use cyrus
>if possible cause I'm not sure how to use it with SEAM? :D I'm going
>to be using the native SEAM on solaris. Do I need to install it again
>if I were to enable it to use cyrus? There are actually more parts
>involved like SEAM, iplanet, and cyrus. I don't know how to make
>iplanet use cyrus and SEAM?
>
>any inputs are much appreciated. thanks for the help, guys.
>
>making my life complicated,
>melissa :D
>
>
>
>bdavids1 at gmu.edu (Brian Davidson) wrote in message news:<82570D7F-8CA8-11D8-8346-000393CCB774 at gmu.edu>...
>
>
>>On Apr 12, 2004, at 9:38 AM, melissa_benkyo wrote:
>>
>>
>>
>>>hello!!! thanks for the response. I was hoping not to use SASL since
>>>this means that it is a third party software. I was planning on using
>>>the native protocols available to the OS such as the ldap and the
>>>kerberos. Do u know how to use the kerberos with ldap? so is it not
>>>possible now to use kerberos directly with ldap since this is a LDAP
>>>v3?
>>>
>>>thanks so much for the help. :)
>>>
>>>
>>Melissa,
>>
>>For ease of deployment, and future-proofing what you are trying to do,
>>I suspect you will find that SASL is actually a better route to go.
>>Non-SASL kerberos authentication support in LDAP clients is rare -- I'm
>>not aware of any clients that support it. But, there are a lot of LDAP
>>clients which do support kerberos authentication via SASL.
>>
>>You could modify OpenLDAP to directly support kerberos (instead of via
>>SASL), but why re-invent the wheel? A nice standards based way to do
>>what you're trying to do already exists. You could get cyrus-sasl, or
>>something similar, up and running in less time than it would take you
>>to develop a customized, non-standard ldap client, server and library.
>>
>>Brian Davidson
>>George Mason University
>>
>>________________________________________________
>>Kerberos mailing list Kerberos at mit.edu
>>https://mailman.mit.edu/mailman/listinfo/kerberos
>>