Updates (multi-realm) to Leash32...

Ken Hornstein kenh at cmf.nrl.navy.mil
Fri Jan 10 17:15:00 EST 2003

>Well, ldapsearch includes the following options:
>  -U authcid SASL authentication identity
>  -X authzid SASL authorization identity ("dn:<dn>" or "u:<user>")
>  -Y mech    SASL mechanism
>The '-U' option maps directly to a Kerberos principal when using -Y gssapi,
>and definitely provides the means for a user to request authentication

Hm, are you sure?  Because I'm looking at the SASL library source code,
and I don't see how -U (which I'm assuming is using the AUTHNAME
callback) actually passes anything into the GSSAPI SASL plugin
routines.  Yes, the authzid is used, but that's quite different from
selecting a client principal other than your primary.


More information about the krbdev mailing list