kerberos authentication doesn't work against windows 2003 AD...

brian.joh@comcast.net brian.joh at comcast.net
Tue Aug 30 11:23:23 EDT 2005


SASL and the GSS-API are not easy to use.  They seem
overly complicated to me, and the documentation is
confusing.  I could only get them working by looking
at sample code.  I first looked at some Samba code,
but decided not to go that route.  Openldap
distributes a sample LDAP program which demonstrates
SASL/GSSAPI using the ldap_sasl_interactive_bind_s()
call.  I based my code off of that, because it has the
added benefit of not requiring the user to know their
LDAP DN (pass the username as something like
"someone@SOMEWINDOWSDOMAIN.COM").

Also, after you have bound you will obviously
perform other LDAP requests such as searches.
Sometimes, AD refers (redirects) these requests to
other LDAP servers (or the same server with a
different principal name).  If this happens, you also
need to set a rebind procedure with
ldap_set_rebind_proc().  This rebind procedure is a
callback function you define to supposedly bind to
any "referred" servers.  However, while messing
around with it, I noticed if you make your
rebind_proc just return 1, it will use your initial
TGT to acquire the necessary tickets to perform the
bind (which it should have done in the first place).
Don't ask me why this works.  I just happened to try
it after many hours of frustration.
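As an added example (not code from this post, and not OpenLDAP's own sample program), here are the two calls the post relies on: ldap_sasl_interactive_bind_s() with the GSSAPI mechanism, and a rebind callback installed with ldap_set_rebind_proc(). Rather than returning 1 from the callback, this version does an explicit GSSAPI bind on the referred connection, which is the documented purpose of the callback, and first checks that the referral target is inside a trusted DNS suffix, since the rebind callback is the point where the client decides which server it will present Kerberos credentials to. The suffix ".example.com", the URI "ldap://dc1.example.com" and the names referral_is_trusted, ldap_url_host, ieq, no_interact and rebind_proc are placeholders chosen for this example; the LDAP portion is compiled only where ldap.h is installed and assumes a TGT is already in the credential cache (kinit).

```c
/* Added example, not from the original post. GSSAPI bind to AD with a rebind
 * callback for referrals. Placeholders: ".example.com" stands for the forest's
 * own DNS suffix, "ldap://dc1.example.com" for a domain controller. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Case-insensitive comparison of the first n bytes of a and b. */
static int ieq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Copy the host part of an ldap:// or ldaps:// URL into host (no scheme,
 * port or path). Returns 0 on success, -1 for other schemes or user@host. */
static int ldap_url_host(const char *url, char *host, size_t hostlen)
{
    const char *p;
    size_t n, h = 0;

    if (ieq(url, "ldaps://", 8))      p = url + 8;
    else if (ieq(url, "ldap://", 7))  p = url + 7;
    else                              return -1;

    n = strcspn(p, "/?");             /* authority ends at '/' or '?' */
    if (memchr(p, '@', n) != NULL)    /* reject userinfo in the authority */
        return -1;
    while (h < n && p[h] != ':') h++; /* strip :port */
    if (h == 0 || h >= hostlen)
        return -1;
    memcpy(host, p, h);
    host[h] = '\0';
    return 0;
}

/* Policy check: follow a referral only if its host is a subdomain of
 * trusted_suffix (label boundary enforced). Returns 1 if trusted, else 0. */
int referral_is_trusted(const char *url, const char *trusted_suffix)
{
    char host[256];
    size_t hl, sl;

    if (ldap_url_host(url, host, sizeof host) != 0)
        return 0;
    hl = strlen(host);
    sl = strlen(trusted_suffix);
    if (hl <= sl)                     /* need at least one label in front */
        return 0;
    if (!ieq(host + (hl - sl), trusted_suffix, sl))
        return 0;
    if (trusted_suffix[0] != '.' && host[hl - sl - 1] != '.')
        return 0;                     /* "badexample.com" must not match */
    return 1;
}

#if defined(__has_include)
#if __has_include(<ldap.h>)
#include <ldap.h>

#define TRUSTED_SUFFIX ".example.com"   /* placeholder forest DNS suffix */

/* GSSAPI needs no prompts when a TGT is cached; accept every interaction. */
static int no_interact(LDAP *ld, unsigned flags, void *defaults, void *in)
{
    (void)ld; (void)flags; (void)defaults; (void)in;
    return LDAP_SUCCESS;
}

/* libldap calls this on the NEW connection when it chases a referral. The
 * cached TGT yields a service ticket for the referred host, so we re-run the
 * GSSAPI bind there, but only after the target passes the policy check. */
static int rebind_proc(LDAP *ld, LDAP_CONST char *url, ber_tag_t request,
                       ber_int_t msgid, void *params)
{
    (void)request; (void)msgid; (void)params;
    if (!referral_is_trusted(url, TRUSTED_SUFFIX)) {
        fprintf(stderr, "refusing referral to %s\n", url);
        return LDAP_INAPPROPRIATE_AUTH;   /* non-zero: do not bind there */
    }
    return ldap_sasl_interactive_bind_s(ld, NULL, "GSSAPI", NULL, NULL,
                                        LDAP_SASL_QUIET, no_interact, NULL);
}

int main(int argc, char **argv)
{
    LDAP *ld;
    int rc, v3 = LDAP_VERSION3;
    const char *uri = argc > 1 ? argv[1] : "ldap://dc1.example.com";

    if (ldap_initialize(&ld, uri) != LDAP_SUCCESS)
        return 1;
    ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &v3);
    ldap_set_option(ld, LDAP_OPT_REFERRALS, LDAP_OPT_ON);
    ldap_set_rebind_proc(ld, rebind_proc, NULL);

    /* No DN needed: the Kerberos principal identifies the user. */
    rc = ldap_sasl_interactive_bind_s(ld, NULL, "GSSAPI", NULL, NULL,
                                      LDAP_SASL_QUIET, no_interact, NULL);
    printf("bind: %s\n", ldap_err2string(rc));
    ldap_unbind_ext_s(ld, NULL, NULL);
    return rc == LDAP_SUCCESS ? 0 : 1;
}
#endif
#endif
```

Build with `cc -o adbind adbind.c -lldap -llber` and run `./adbind ldap://dc1.example.com` after `kinit`. The referral check is deliberately strict: it accepts only ldap/ldaps URLs, rejects a user@host authority, and requires a real label boundary so that a host such as `badexample.com` does not match the suffix `.example.com`.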
