unable to authenticate using active directory/mit kfw 2.5 and netscape sdk

Vikas Gandhi vgandhi at quark.co.in
Sat Mar 13 08:03:41 EST 2004


Hi All

FYI: Currently I am using the Netscape 3 C SDK and have compiled it on
Windows/Solaris.


First I give some very basic understanding of what I am trying to
achieve. It's an SSO (Single Sign On) project where our servers may be
running on Mac OS X, Sun, Windows, and the underlying DB for
users/ACL (access control list) storage shall be LDAP. The directory
server should be choosable between DS/OpenLDAP/AD/NDS.

Question 1: The first question is about choosing the way of
authentication. Almost all the authentication mechanisms are
independent of the DS unless you decide to store passwords in the DS itself.
The only exception is Microsoft's AD, which has blended the KDC with AD.
Now the choice drills down to choosing a mechanism. I have chosen
GSSAPI/Kerberos 5. Now I have to support all of them:
SEAM/MIT/Heimdal/AD KDCs for all the respective platforms.

After some study I found that SASL was the answer, as we have to
choose a pluggable module for authentication so that even if we have
to involve any third-party auth mechanism we should not face any
problems.

But the fundamental question arises. 


Approach: clientapp --> LDAP/SASL/GSSAPI --> KDC --> Tickets

I think through ldap_sasl_bind via SASL only. As I understand it, in this
approach we shall be involving an ldap_sasl_bind sort of thing through SASL
and shall pass the password along with the user DN and other details. I
think this should be the same as the ldapclient mechanism where I do kinit and
then do all the searches, i.e. the ticket is used for LDAP operations.
LDAP (DS) just becomes another service in the Kerberos domain, and once
authenticated one can do all the LDAP operations. Now for my application,
when a person logs on to the Windows/Mac client, he gets his TGT and
passes the same for authentication via SASL/LDAP using the Netscape C SDK
library.

Am I wrong in this thought or not ????


Question 2: The next part of the question is: if I want to use SASL/LDAP
with Directory Server, does it matter which SASL implementation you are
using?

Question 3: For the scenario described above I have chosen a SASL
implementation using the Netscape SDK. I have tried this on Solaris and
have succeeded. I tested with SEAM/Directory Server 5.2 and AD,
implemented using Luke Padl's sample implementations for
authentication, and found that it was successful (attached
libgssldap.c).

I then ported this to Windows using KfW 2.5 and failed to run the
samples.

Maybe (MS uses SSPI to fetch Microsoft credentials from the LSA
(the Windows version of the credentials cache) while KfW 2.5 uses
GSSAPI and has its own credential caches).

Question 4: I have attached both files, libgssldap.c and test.c,
which I tested on Solaris 9 and which were successful. Is this the way to use
GSSAPI/Kerberos 5 via LDAP? I am confused??????


Question 5: If feasible, can you guide what can be done in the case of
Windows???? Is the Netscape C SDK the right choice? I feel yes.


Question 6: I have been unable to find any samples using
GSSAPI/Kerberos with the C SDK except the Luke Padl examples,
which run only on UNIX-based systems. Where can I find one simple
sample using GSSAPI/Kerberos/SASL on Windows????

Regards

Vikas
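The exchange sketched in the post (clientapp --> LDAP/SASL/GSSAPI --> KDC --> tickets), as an added example that is not part of the original message and not code from the Netscape C SDK, libgssldap.c or the padl samples: a Python model of the RFC 4752 SASL/GSSAPI bind carried over RFC 4511 LDAP bind operations. What the client sends is not the TGT itself; the TGT is used to obtain a service ticket for the directory's ldap/<host> principal, the Kerberos AP-REQ built from that ticket travels as the first GSS-API token inside the bind request's SaslCredentials, the server answers AP-REP with resultCode saslBindInProgress (14), a second bind fetches the server's gss_wrap()ed security-layer offer, and a third bind carries the client's wrapped choice and completes with resultCode 0. The GSS-API initiator (gss_init_sec_context/gss_wrap/gss_unwrap, or SSPI on Windows) and the directory server are constructed stand-ins here (DemoGSS, DemoServer) whose token contents are labels, as are the host name and the 0xFFFFFF size limits; the BER framing of BindRequest/BindResponse is real. choose_security_layer refuses the "no security layer" option unless the caller opts in, so the bind fails closed instead of silently continuing in cleartext after authentication.

```python
# Added example, not from the original post, the Netscape C SDK or the padl samples: the
# RFC 4752 LDAP SASL/GSSAPI bind exchange over RFC 4511 BindRequest/BindResponse, with a
# hand-rolled BER codec. DemoGSS and DemoServer are constructed stand-ins (labels, not Kerberos).
SASL_BIND_IN_PROGRESS, SUCCESS = 14, 0                        # RFC 4511 resultCode values
LAYER_NONE, LAYER_INTEGRITY, LAYER_CONFIDENTIALITY = 1, 2, 4  # RFC 4752 security-layer bitmask

def ber(tag, payload):  # encode one TLV with a short- or long-form definite length
    n = len(payload)
    k = (n.bit_length() + 7) // 8
    length = bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + length + payload

def tlv(buf, pos=0):  # decode one TLV -> (tag, value, position after it)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long form: the low 7 bits count the length bytes that follow
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    return tag, buf[pos:pos + n], pos + n

def children(buf):  # decode every TLV inside a constructed value -> [(tag, value), ...]
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = tlv(buf, pos)
        out.append((tag, val))
    return out

def build_bind_request(msg_id, mechanism, token):  # messageID kept below 128 (one-byte INTEGER)
    sasl = ber(0xA3, ber(0x04, mechanism.encode()) + ber(0x04, token))  # [3] SaslCredentials
    bind = ber(0x60, ber(0x02, b"\x03") + ber(0x04, b"") + sasl)  # [APPLICATION 0]: version 3, empty name
    return ber(0x30, ber(0x02, bytes([msg_id])) + bind)

def parse_bind_request(msg):  # -> (messageID, mechanism, credentials)
    msg_id, bind = [v for _, v in children(tlv(msg)[1])]
    mech, cred = [v for _, v in children(children(bind)[2][1])]  # third field: SaslCredentials
    return int.from_bytes(msg_id, "big"), mech.decode(), cred

def build_bind_response(msg_id, code, server_creds=None):
    body = ber(0x0A, bytes([code])) + ber(0x04, b"") + ber(0x04, b"")  # resultCode, matchedDN, diagnosticMessage
    if server_creds is not None:
        body += ber(0x87, server_creds)  # [7] serverSaslCreds
    return ber(0x30, ber(0x02, bytes([msg_id])) + ber(0x61, body))  # [APPLICATION 1] BindResponse

def parse_bind_response(msg):  # -> (messageID, resultCode, serverSaslCreds or None)
    msg_id, resp = [v for _, v in children(tlv(msg)[1])]
    fields = children(resp)  # resultCode, matchedDN, diagnosticMessage, optional serverSaslCreds
    creds = fields[3][1] if len(fields) > 3 else None
    return int.from_bytes(msg_id, "big"), int.from_bytes(fields[0][1], "big"), creds

def choose_security_layer(offer, acceptable=LAYER_CONFIDENTIALITY | LAYER_INTEGRITY):
    """offer = unwrapped server token (layer bitmask, 3-byte max size); strongest acceptable wins."""
    for layer in (LAYER_CONFIDENTIALITY, LAYER_INTEGRITY, LAYER_NONE):
        if layer & offer[0] & acceptable:
            return layer, int.from_bytes(offer[1:4], "big")
    raise RuntimeError("no acceptable security layer offered (bitmask %#x)" % offer[0])

def sasl_gssapi_bind(gss, server, client_max=0xFFFFFF, authzid=b""):
    """Phase 1: GSS context tokens (AP-REQ/AP-REP) ride in bind operations; phase 2: security layer."""
    msg_id, server_token, done = 1, b"", False
    while not done:
        client_token, done = gss.step(server_token)
        rid, code, server_token = parse_bind_response(
            server.bind(build_bind_request(msg_id, "GSSAPI", client_token)))
        if rid != msg_id or code != SASL_BIND_IN_PROGRESS:
            raise RuntimeError("round %d failed: messageID %d, resultCode %d" % (msg_id, rid, code))
        msg_id += 1
    layer, server_max = choose_security_layer(gss.unwrap(server_token))  # last token is gss_wrap()ed
    reply = bytes([layer]) + client_max.to_bytes(3, "big") + authzid
    _, code, _ = parse_bind_response(
        server.bind(build_bind_request(msg_id, "GSSAPI", gss.wrap(reply))))
    if code != SUCCESS:
        raise RuntimeError("security layer negotiation rejected, resultCode %d" % code)
    return layer, server_max

class DemoGSS:  # constructed initiator; a real one builds the AP-REQ from the ldap/<host> service ticket
    def __init__(self, service=b"ldap/ds.example.test"):
        self.service = service
    def step(self, token_in):  # -> (output token, context complete?)
        if token_in == b"":
            return b"AP-REQ:" + self.service, False
        if token_in != b"AP-REP:" + self.service:
            raise RuntimeError("mutual authentication failed")
        return b"", True
    def wrap(self, data):
        return b"WRAP:" + data
    def unwrap(self, data):
        assert data.startswith(b"WRAP:"), "expected a wrapped token"
        return data[5:]

class DemoServer:  # constructed directory server side of the three bind round trips
    def __init__(self, offered=LAYER_CONFIDENTIALITY | LAYER_INTEGRITY | LAYER_NONE):
        self.offered, self.round, self.negotiated = offered, 0, None
    def bind(self, request):
        msg_id, mech, cred = parse_bind_request(request)
        self.round += 1
        if self.round == 1:  # AP-REQ in, AP-REP out
            return build_bind_response(msg_id, SASL_BIND_IN_PROGRESS, b"AP-REP:" + cred[7:])
        if self.round == 2:  # empty credentials in, wrapped security-layer offer out
            return build_bind_response(msg_id, SASL_BIND_IN_PROGRESS, b"WRAP:" + bytes([self.offered]) + b"\xff\xff\xff")
        self.negotiated = cred[5]  # first byte of the client's unwrapped reply
        return build_bind_response(msg_id, SUCCESS)
```

Each `server.bind()` call above corresponds to one ldap_sasl_bind_s() with mechanism "GSSAPI" in the C SDK, with serverSaslCreds coming back as the server credentials of the result; `sasl_gssapi_bind(DemoGSS(), DemoServer())` runs the three round trips and returns the negotiated layer and the server's size limit. The LDAP-side exchange is identical whichever GSS-API implementation produces the tokens, which is why a port only has to change where the context and the credentials cache come from, not the bind loop.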

