Multiple principals in a single application

Bernardo Pastorelli berpast at hotmail.com
Sun May 19 10:44:44 EDT 2013


Hi Nico,

I run on an OS where the available version of the cyrus-sasl library does not support SASL_GSS_CREDS.
So openldap has LDAP_OPT_X_SASL_GSS_CREDS, but then when calling cyrus-sasl, it fails because it is not able to handle SASL_GSS_CREDS.

This is the reason why my code is failing (I didn't properly check the return codes). Is there any alternative to setting this option?

Regards,
Bernardo

> Date: Wed, 8 May 2013 06:47:34 -0500
> Subject: Re: Multiple principals in a single application
> From: nico at cryptonector.com
> To: berpast at hotmail.com
> CC: kerberos at mit.edu
> 
> On Wed, May 8, 2013 at 2:05 AM, Bernardo Pastorelli <berpast at hotmail.com> wrote:
> > My application uses openldap and GSSAPI to connect to a remote LDAP server. GSSAPI leverages kerberos as the transport mechanism.
> 
> a) It's one user at a time per-connection for LDAP.  You can't
> multiplex multiple users' LDAP PDUs over a single connection.
> 
> b) First use gss_acquire_cred() with the given user's gss_name_t as
> the desired name, then call ldap_int_sasl_set_option() with
> LDAP_OPT_X_SASL_GSS_CREDS as the option and the gss_cred_id_t as the
> value.
> 
> c) Then call ldap_sasl_bind_s().
> 
> You need a version of OpenLDAP that has this option, and a version of
> Cyrus SASL that has the SASL_GSS_CREDS options.  But IIRC they've had
> these for several years now.
> 
> Nico
> --