Help with SASL/GSSAPI to remote Kerberos server
Jeffrey Altman
jaltman at secure-endpoints.com
Tue Feb 19 20:28:24 EST 2008
A KDC speaks neither GSSAPI nor SASL. A KDC issues tickets. You use
SASL-GSSAPI-KRB5 when you want to establish an authenticated connection
to an application service for which a service principal exists within
the KDC database. The KDC is not an application service.
Wes Modes wrote:
> That is very close, though I'll make one minor correction.
>
> From Samba to OpenLDAP via TLS uses smbldap-tools and doesn't need
> SASL. SASL with the GSSAPI mechanism will be what is used when the
> LDAP server asks the Kerberos KDC if the password is valid.
>
> Jeffrey Altman wrote:
>> Let me rephrase what you are attempting to do. You want to
>> authenticate the LDAP query from the Samba client to the OpenLDAP
>> server by sending a username and password from Samba to OpenLDAP over
>> a TLS protected connection using SASL.
>>
>> Instead of the LDAP server storing the password and using that for
>> authentication, you want to have the LDAP server ask the Kerberos KDC
>> if the password is valid.
>> Please confirm that this is your desire.
>>
>>
>
> --
>
> Wes Modes
> Server Administrator & Programmer Analyst
> McHenry Library
> Computing & Network Services
> Information and Technology Services
> 459-5208
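The distinction drawn above (a SASL/GSSAPI bind targets an application service principal such as ldap/host@REALM, never the KDC itself) as an added example, not code from this thread or from any of its authors; the realm EXAMPLE.COM and the host names are constructed:

```python
# Added example (not from the thread): derive the Kerberos service principal a
# SASL/GSSAPI client will ask the KDC a ticket for when binding to an LDAP URI,
# and check whether a given principal is a valid GSSAPI target at all.
from urllib.parse import urlsplit


def gssapi_target_for_ldap_uri(uri: str, realm: str) -> str:
    """Map an LDAP URI to the Kerberos principal the KDC database must hold
    for the SASL/GSSAPI bind to succeed (hostbased name ldap@host becomes
    ldap/host@REALM). Realm and host here are assumptions, not real data."""
    host = urlsplit(uri).hostname
    if not host:
        raise ValueError(f"no host component in {uri!r}")
    return f"ldap/{host.lower()}@{realm}"


def is_sasl_gssapi_target(principal: str) -> bool:
    """True for an application service principal (service/host@REALM).
    False for a user principal (no host component) and for krbtgt/REALM@REALM,
    which is the KDC's own ticket-granting principal: tickets are issued for
    it, but nothing speaks GSSAPI or SASL on its behalf."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not realm:
        return False
    components = name.split("/")
    if len(components) != 2:
        return False
    service, host = components
    if service == "krbtgt":
        return False
    return bool(service) and bool(host)


if __name__ == "__main__":
    target = gssapi_target_for_ldap_uri("ldaps://ldap.example.com:636/", "EXAMPLE.COM")
    for principal in (target, "krbtgt/EXAMPLE.COM@EXAMPLE.COM", "alice@EXAMPLE.COM"):
        verdict = "valid SASL/GSSAPI target" if is_sasl_gssapi_target(principal) else "not a GSSAPI target"
        print(f"{principal:40} {verdict}")
```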