Multiple principals in a single application

Nico Williams nico at
Wed May 8 07:47:34 EDT 2013

On Wed, May 8, 2013 at 2:05 AM, Bernardo Pastorelli <berpast at> wrote:
> My application uses openldap and GSSAPI to connect to a remote LDAP server. GSSAPI leverages kerberos as the transport mechanism.

a) It's one user at a time per-connection for LDAP.  You can't
multiplex multiple user's LDAP PDUs over a single connection.

b) First use gss_acquire_cred() with the given user's gss_name_t as
the desired name, then call ldap_int_sasl_set_option() with
LDAP_OPT_X_SASL_GSS_CREDS as the option and the gss_cred_id_t as the

c) Then call ldap_sasl_bind_s().

You need a version of OpenLDAP that has this option, and a version of
Cyrus SASL that has the SASL_GSS_CREDS options.  But IIRC they've had
these for several years now.


More information about the Kerberos mailing list