Multiple principals in a single application
nico at cryptonector.com
Wed May 8 07:47:34 EDT 2013
On Wed, May 8, 2013 at 2:05 AM, Bernardo Pastorelli <berpast at hotmail.com> wrote:
> My application uses openldap and GSSAPI to connect to a remote LDAP server. GSSAPI leverages kerberos as the transport mechanism.
a) It's one user at a time per-connection for LDAP. You can't
multiplex multiple user's LDAP PDUs over a single connection.
b) First use gss_acquire_cred() with the given user's gss_name_t as
the desired name, then call ldap_int_sasl_set_option() with
LDAP_OPT_X_SASL_GSS_CREDS as the option and the gss_cred_id_t as the
c) Then call ldap_sasl_bind_s().
You need a version of OpenLDAP that has this option, and a version of
Cyrus SASL that has the SASL_GSS_CREDS options. But IIRC they've had
these for several years now.
More information about the Kerberos