Updates (multi-realm) to Leash32...
vorlon at netexpress.net
Fri Jan 10 16:57:00 EST 2003
On Fri, Jan 10, 2003 at 04:51:41PM -0500, Ken Hornstein wrote:
> >> In my years of using Kerberos 5, I've _never_ seen a Kerberized
> >> application that let you pick which principal you should be use to
> >> authenticate. I'm not counting the old Unix trick of setting the
> >> KRB5CCNAME environment variable.
> >I think the OpenLDAP tools, with SASL, let you do this sort of thing.
> I've written plenty of SASL applications (using Cyrus-SASL), and I can
> assure you I've never seen that capability within Cyrus-SASL ... and
> I am pretty sure that OpenLDAP uses Cyrus-SASL. And in fact .... I am
> not sure how you would do it within the context of GSSAPI (but it
> may be possible; I have never claimed to be a GSSAPI expert).
Well, ldapsearch includes the following options:
-U authcid SASL authentication identity
-X authzid SASL authorization identity ("dn:<dn>" or "u:<user>")
-Y mech SASL mechanism
The '-U' option maps directly to a Kerberos principal when using -Y gssapi,
and definitely provides the means for a user to request authentication
as a specific principal. You may well be correct that there's underlying
functionality missing at the level of the Kerberos APIs, however.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: not available
Url : http://mailman.mit.edu/pipermail/krbdev/attachments/20030110/523bbb14/attachment.bin
More information about the krbdev