Help with SASL/GSSAPI to remote Kerberos server

Jeffrey Altman jaltman at secure-endpoints.com
Tue Feb 19 20:28:24 EST 2008


A KDC does not speak GSSAPI nor SASL.  A KDC issues tickets.  You use 
SASL-GSSAPI-KRB5 when you want to establish an authenticated connection 
to an application service for which a service principal exists within 
the KDC database.  The KDC is not an application service.


Wes Modes wrote:
> That is very close, though I'll make one minor correction. 
>
> From Samba to OpenLDAP via TLS uses smbldap-tools and doesn't need 
> SASL.  SASL with the GSSAPI mechanism will be what is used when the 
> LDAP server asks the Kerberos KDC if the password is valid.
>
> Jeffrey Altman wrote:
>> Let me rephrase what you are attempting to do.  You want to 
>> authenticate the LDAP query from the Samba client to the OpenLDAP 
>> server by sending a username and password from Samba to OpenLDAP over 
>> a TLS protected connection using SASL.
>>
>> Instead of the LDAP server storing the password and using that for 
>> authentication, you want to have the LDAP server ask the Kerberos KDC 
>> if the password is valid.
>> Please confirm that this is your desire.
>>
>>
>
> -- 
>
> Wes Modes
> Server Administrator & Programmer Analyst
> McHenry Library
> Computing & Network Services
> Information and Technology Services
> 459-5208
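A worked illustration of Jeffrey's distinction, added here and not part of the thread: the KDC only issues tickets (`kinit` gets the TGT through the AS exchange; the first `ldapwhoami -Y GSSAPI -H ldap://HOST` gets `ldap/HOST@REALM` through the TGS exchange), and it is that service ticket which SASL/GSSAPI presents to slapd. The script parses the output of MIT `klist` and reports which of those two stages a credential cache has reached. The `klist` text, hostnames and realm below are constructed sample data, not anything from the original post.

```python
"""Inspect a Kerberos credential cache (as printed by MIT `klist`) for the
service ticket that SASL/GSSAPI hands to an LDAP server.

Added example, not code from the mailing-list thread.  Assumed names:
realm EXAMPLE.COM, LDAP host ldap.example.com, user alice.
"""
import re
from typing import Dict, List, NamedTuple


class Ticket(NamedTuple):
    valid_from: str
    expires: str
    service: str


# Constructed sample of `klist` output after `kinit alice` followed by one
# `ldapwhoami -Y GSSAPI -H ldap://ldap.example.com`.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
02/19/2008 20:00:00  02/20/2008 06:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
02/19/2008 20:01:12  02/20/2008 06:00:00  ldap/ldap.example.com@EXAMPLE.COM
"""

# One ticket line: two timestamps followed by the service principal.
_TICKET_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2})\s+"
    r"(\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2})\s+"
    r"(\S+@\S+)\s*$"
)


def parse_klist(text: str) -> Dict[str, object]:
    """Return {'principal': str, 'tickets': [Ticket, ...]} from klist text."""
    principal = None
    tickets: List[Ticket] = []
    for line in text.splitlines():
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
            continue
        m = _TICKET_RE.match(line)
        if m:
            tickets.append(Ticket(*m.groups()))
    if principal is None:
        raise ValueError("no 'Default principal:' line: not a klist dump")
    return {"principal": principal, "tickets": tickets}


def has_tgt(parsed: Dict[str, object], realm: str) -> bool:
    """True if the cache holds the ticket-granting ticket for `realm`
    (what the KDC's AS exchange, i.e. kinit, produces)."""
    want = f"krbtgt/{realm}@{realm}"
    return any(t.service == want for t in parsed["tickets"])


def has_service_ticket(parsed: Dict[str, object], service: str,
                       host: str, realm: str) -> bool:
    """True if the cache holds a ticket for service/host@realm, e.g.
    ldap/ldap.example.com@EXAMPLE.COM: the credential SASL/GSSAPI presents
    to the application server, not to the KDC."""
    want = f"{service}/{host}@{realm}"
    return any(t.service == want for t in parsed["tickets"])


def gssapi_ready(text: str, host: str, realm: str) -> str:
    """Classify a klist dump with respect to a GSSAPI bind to ldap://host."""
    parsed = parse_klist(text)
    if not has_tgt(parsed, realm):
        return "no TGT: run kinit first (AS exchange with the KDC)"
    if not has_service_ticket(parsed, "ldap", host, realm):
        return ("TGT only: the GSSAPI bind will first fetch ldap/%s@%s "
                "from the KDC (TGS exchange)" % (host, realm))
    return ("service ticket present: GSSAPI authenticates to slapd "
            "with the cached ticket, without contacting the KDC")


if __name__ == "__main__":
    print(gssapi_ready(SAMPLE_KLIST, "ldap.example.com", "EXAMPLE.COM"))
```

Running it against a real cache is `klist | python3 check.py` with `sys.stdin.read()` in place of `SAMPLE_KLIST`; in every outcome the only principal the KDC is asked about is a service principal from its own database, which is why a password check by the LDAP server itself is a different mechanism from a SASL/GSSAPI bind.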