kerberos programming and ldap

Russ Allbery rra at stanford.edu
Wed Apr 14 15:35:27 EDT 2004


melissa benkyo <wyl_lyf at yahoo.com> writes:

> Hello!!! thanks for all the inputs. :) okay here's the thing.
> I have the following:
> iplanet C-sdk
> SEAM 
> solaris 8 machine
> active directory ldap server

> All of them are already built. How do I use the cyrus sasl in this
> case? Do I need to recompile anything from the above list or just
> compile sasl and feed it the SEAM Kerberos.

According to:

    <http://docs.sun.com/source/816-5578-10/security.htm>

the iPlanet directory server does not support GSSAPI authentication at
all.  This probably means that their client libraries don't support it
either.  You probably want better client libraries; the OpenLDAP client
libraries are excellent.  I could be wrong on this, though.

> why do we need sasl for ldap? Can't we use the gssapi calls then bind
> using the credentials obtained from gssapi? I'm still confused on the
> usage of the sasl. I can't seem to connect them.

What you seem to be missing is that SASL *is* how LDAP supports GSSAPI
authentication.  SASL is a network protocol for supporting authentication
mechanisms.  GSSAPI is one of the authentication mechanisms that it
supports.

What you're asking is, to me, sort of like asking why you have to use LDAP
at all and why you can't do GSSAPI authentication directly to the
directory database.  You use SASL to do authentication because SASL is how
LDAP v3 does authentication.  See RFC 2251:  LDAP only supports two types
of authentication, simple (which is just a password) and SASL.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
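The point Russ makes above, that LDAPv3's AuthenticationChoice has only two arms (simple and SASL) and that "GSSAPI" is just a mechanism name carried inside the SASL arm, is shown below as an added example that is not part of the original thread and is not code from iPlanet, SEAM, Cyrus SASL or OpenLDAP. It is a small encoder and decoder for the RFC 2251 BindRequest, plus a classifier a defender could run over captured LDAP PDUs to flag simple binds (password in the clear on the wire) versus SASL/GSSAPI binds. The DN, the password and the GSSAPI token bytes are constructed placeholders, not real credentials.

```python
"""
Added example (not from the mailing-list thread): encode and decode
LDAPv3 BindRequest PDUs per RFC 2251.

    BindRequest ::= [APPLICATION 0] SEQUENCE {
        version INTEGER, name LDAPDN, authentication AuthenticationChoice }
    AuthenticationChoice ::= CHOICE { simple [0] OCTET STRING,
                                      sasl   [3] SaslCredentials }
    SaslCredentials ::= SEQUENCE { mechanism LDAPString,
                                   credentials OCTET STRING OPTIONAL }
"""
from typing import Optional

def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(body)) + body

def ber_int(n: int) -> bytes:
    """Minimal two's-complement INTEGER (message IDs, protocol version)."""
    length = max(1, (n.bit_length() + 8) // 8)
    return tlv(0x02, n.to_bytes(length, "big", signed=True))

def bind_request_simple(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage carrying a BindRequest that uses the simple [0] choice."""
    auth = tlv(0x80, password.encode())                     # [0] primitive OCTET STRING
    bind = tlv(0x60, ber_int(3) + tlv(0x04, dn.encode()) + auth)  # [APPLICATION 0]
    return tlv(0x30, ber_int(msg_id) + bind)

def bind_request_sasl(msg_id: int, mechanism: str,
                      credentials: Optional[bytes] = None) -> bytes:
    """LDAPMessage carrying a BindRequest that uses the sasl [3] choice.
    The name is left empty, as SASL binds normally do; identity comes from
    the mechanism (for GSSAPI, from the Kerberos ticket in the token)."""
    sasl = tlv(0x04, mechanism.encode())
    if credentials is not None:
        sasl += tlv(0x04, credentials)
    auth = tlv(0xA3, sasl)                                  # [3] constructed SaslCredentials
    bind = tlv(0x60, ber_int(3) + tlv(0x04, b"") + auth)
    return tlv(0x30, ber_int(msg_id) + bind)

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        pos += 2 + n
    return tag, buf[pos:pos + length], pos + length

def classify_bind(pdu: bytes) -> dict:
    """Parse an LDAPMessage and report which AuthenticationChoice arm a
    BindRequest uses; a simple bind with a non-empty password means the
    password crossed the network in the clear unless TLS wrapped it."""
    tag, msg, _ = _read_tlv(pdu, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, pos = _read_tlv(msg, 0)
    msg_id = int.from_bytes(mid, "big", signed=True)
    tag, bind, _ = _read_tlv(msg, pos)
    if tag != 0x60:
        return {"message_id": msg_id, "op": "not-a-bind"}
    _, ver, pos = _read_tlv(bind, 0)
    _, name, pos = _read_tlv(bind, pos)
    tag, auth, _ = _read_tlv(bind, pos)
    result = {"message_id": msg_id, "op": "bind",
              "version": int.from_bytes(ver, "big"), "name": name.decode()}
    if tag == 0x80:
        result.update(auth="simple", cleartext_password=len(auth) > 0)
    elif tag == 0xA3:
        _, mech, mpos = _read_tlv(auth, 0)
        result.update(auth="sasl", mechanism=mech.decode(),
                      has_credentials=mpos < len(auth))
    else:
        result.update(auth="unknown")      # RFC 2251 defines only [0] and [3]
    return result

if __name__ == "__main__":
    # Constructed sample PDUs; the GSSAPI token is a placeholder, not a ticket.
    for pdu in (bind_request_simple(1, "cn=svc,dc=example,dc=com", "hunter2"),
                bind_request_sasl(2, "GSSAPI", b"\x60\x00")):
        print(pdu.hex(), classify_bind(pdu))
```

Running it prints the raw PDUs next to their classification; the SASL one shows the literal string "GSSAPI" inside the [3] arm, which is exactly what a packet capture of an OpenLDAP `ldapsearch -Y GSSAPI` bind shows, and the simple one shows why the thread's advice matters: without SASL, the only other option LDAP offers is a bind that carries the password itself.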

