SASL GSSAPI "authorization identity" and padding

Michael B Allen mba2000 at
Tue Oct 17 20:52:05 EDT 2006


After the SASL "GSSAPI" method has authenticated, gss_wrap is called
with some data to be used with ldap_sasl_bind_s. This data is 1)
a confidentiality and integrity bitmask, 2) the maximum buffer size
accepted by the client, and 3) the "authorization identity".

What is the "authorization identity"? Is it a UPN or ...?

Also, RFC 2222 and others claim the data must be padded to a multiple of
8 but I don't see that padding using ldapsearch with cyrus-sasl. Is
there supposed to be padding or not?


Michael B Allen
PHP Active Directory SSO
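
The three fields listed in the message above, laid out as the plaintext buffer that is handed to gss_wrap. This is an added example, not part of the original post and not cyrus-sasl code. It assumes the RFC 2222 layout (one bitmask octet, three octets of maximum buffer size in network byte order, then the authorization identity); the names sasl_gss_neg, neg_build and neg_parse are hypothetical, and the example applies no padding of its own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Security-layer bits defined for the GSSAPI mechanism in RFC 2222. */
enum { LAYER_NONE = 1, LAYER_INTEGRITY = 2, LAYER_CONFIDENTIALITY = 4 };

/* Hypothetical struct for this example: the decoded negotiation fields. */
struct sasl_gss_neg {
    uint8_t layer;           /* the single security-layer bit selected */
    uint32_t max_buf;        /* 24-bit maximum buffer size */
    const uint8_t *authzid;  /* points into the input, not NUL-terminated */
    size_t authzid_len;      /* 0 means no authorization identity was sent */
};

/* Build the plaintext passed to gss_wrap. Returns bytes written, 0 on error. */
size_t neg_build(uint8_t *out, size_t cap, uint8_t layer, uint32_t max_buf,
                 const char *authzid)
{
    size_t n = authzid ? strlen(authzid) : 0;
    if (max_buf > 0xFFFFFF || cap < 4 || n > cap - 4)
        return 0;                      /* size needs 3 octets; no overflow */
    out[0] = layer;
    out[1] = (uint8_t)(max_buf >> 16); /* network byte order, high octet first */
    out[2] = (uint8_t)(max_buf >> 8);
    out[3] = (uint8_t)max_buf;
    if (n)
        memcpy(out + 4, authzid, n);
    return 4 + n;
}

/* Parse the plaintext returned by gss_unwrap. Returns 0, or -1 if malformed. */
int neg_parse(const uint8_t *in, size_t len, struct sasl_gss_neg *neg)
{
    if (len < 4)
        return -1;                     /* bitmask and size are mandatory */
    /* The client selects exactly one layer, so combined bits are rejected. */
    if (in[0] != LAYER_NONE && in[0] != LAYER_INTEGRITY &&
        in[0] != LAYER_CONFIDENTIALITY)
        return -1;
    neg->layer = in[0];
    neg->max_buf = ((uint32_t)in[1] << 16) | ((uint32_t)in[2] << 8) | in[3];
    neg->authzid = in + 4;
    neg->authzid_len = len - 4;
    /* This example's own hardening choice: refuse an embedded NUL. */
    return memchr(neg->authzid, 0, neg->authzid_len) ? -1 : 0;
}
```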
