Multiple principals in a single application

Bernardo Pastorelli berpast at
Sun May 19 10:44:44 EDT 2013

Hi Nico,

I run on an OS where the available version of the cyrus-sasl library does not support SASL_GSS_CREDS.
So openldap has LDAP_OPT_X_SASL_GSS_CREDS, but then when calling cyrus-sasl, it fails because it is not able to handle SASL_GSS_CREDS.

This is the reason why my code is failing (I didn't properly check the return codes). Is there any alternative to setting this option?


> Date: Wed, 8 May 2013 06:47:34 -0500
> Subject: Re: Multiple principals in a single application
> From: nico at
> To: berpast at
> CC: kerberos at
> On Wed, May 8, 2013 at 2:05 AM, Bernardo Pastorelli <berpast at> wrote:
> > My application uses openldap and GSSAPI to connect to a remote LDAP server. GSSAPI leverages kerberos as the transport mechanism.
> a) It's one user at a time per-connection for LDAP.  You can't
> multiplex multiple user's LDAP PDUs over a single connection.
> b) First use gss_acquire_cred() with the given user's gss_name_t as
> the desired name, then call ldap_int_sasl_set_option() with
> LDAP_OPT_X_SASL_GSS_CREDS as the option and the gss_cred_id_t as the
> value.
> c) Then call ldap_sasl_bind_s().
> You need a version of OpenLDAP that has this option, and a version of
> Cyrus SASL that has the SASL_GSS_CREDS options.  But IIRC they've had
> these for several years now.
> Nico
> --

More information about the Kerberos mailing list