Updates (multi-realm) to Leash32...

Steve Langasek vorlon at netexpress.net
Fri Jan 10 16:57:00 EST 2003


On Fri, Jan 10, 2003 at 04:51:41PM -0500, Ken Hornstein wrote:
> >> In my years of using Kerberos 5, I've _never_ seen a Kerberized
> >> application that let you pick which principal you should use to
> >> authenticate.  I'm not counting the old Unix trick of setting the
> >> KRB5CCNAME environment variable.

> >I think the OpenLDAP tools, with SASL, let you do this sort of thing.

> I've written plenty of SASL applications (using Cyrus-SASL), and I can
> assure you I've never seen that capability within Cyrus-SASL ... and
> I am pretty sure that OpenLDAP uses Cyrus-SASL.  And in fact .... I am
> not sure how you would do it within the context of GSSAPI (but it
> may be possible; I have never claimed to be a GSSAPI expert).

Well, ldapsearch includes the following options:

  -U authcid SASL authentication identity
  -X authzid SASL authorization identity ("dn:<dn>" or "u:<user>")
  -Y mech    SASL mechanism

The '-U' option maps directly to a Kerberos principal when using -Y gssapi,
and definitely provides the means for a user to request authentication
as a specific principal.  You may well be correct that there's underlying
functionality missing at the level of the Kerberos APIs, however.

-- 
Steve Langasek
postmodern programmer
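A small added example, not part of the original thread, to illustrate the relationship Steve and Ken are circling around: `-U authcid` names the principal, but the GSSAPI mechanism still has to find credentials for it somewhere. The script assumes the credentials come from the default cache that `KRB5CCNAME` points to, and that `klist` prints the standard `Default principal:` line; the `klist` text below is constructed, and the function only builds the `ldapsearch` command line rather than running it.

```shell
#!/bin/sh
# Added example: check which principal the default credential cache holds
# before handing that name to `ldapsearch -Y GSSAPI -U`.
# Assumption: the GSSAPI mechanism takes its credentials from the default
# cache (the one KRB5CCNAME selects), so -U can only name a principal the
# cache already contains.

# Constructed sample of `klist` output, standing in for a real cache.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
01/10/03 16:00:00    01/11/03 02:00:00    krbtgt/EXAMPLE.COM@EXAMPLE.COM'

# Print the "Default principal" from klist-style text read on stdin.
ccache_principal() {
    sed -n 's/^Default principal: *//p' | head -n 1
}

# Return 0 when the requested authcid equals the cache's principal, 1 otherwise.
# $1 = authcid, $2 = klist text
authcid_matches_ccache() {
    _want=$1
    _have=$(printf '%s\n' "$2" | ccache_principal)
    [ -n "$_have" ] && [ "$_want" = "$_have" ]
}

# Emit the ldapsearch argument list for a GSSAPI bind as $1, but only if the
# cache described by $2 actually holds credentials for that principal.
gssapi_search_cmd() {
    _authcid=$1
    _klist_text=$2
    if authcid_matches_ccache "$_authcid" "$_klist_text"; then
        printf 'ldapsearch -Y GSSAPI -U %s\n' "$_authcid"
    else
        printf 'no credentials for %s in default cache; run kinit or point KRB5CCNAME at another cache\n' \
            "$_authcid" >&2
        return 1
    fi
}

# Stand-alone usage: a real deployment would replace SAMPLE_KLIST with "$(klist)".
gssapi_search_cmd alice@EXAMPLE.COM "$SAMPLE_KLIST"
```

The point of the mismatch branch is the caveat Steve leaves open: `-U` expresses the user's choice of principal, but switching between realms or identities still means switching caches (`KRB5CCNAME`) or obtaining new credentials first.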