Updates (multi-realm) to Leash32...
Ken Hornstein
kenh at cmf.nrl.navy.mil
Fri Jan 10 17:15:00 EST 2003

>Well, ldapsearch includes the following options:
>
> -U authcid SASL authentication identity
> -X authzid SASL authorization identity ("dn:<dn>" or "u:<user>")
> -Y mech SASL mechanism
>
>The '-U' option maps directly to a Kerberos principal when using -Y gssapi,
>and definitely provides the means for a user to request authentication

Hm, are you sure? Because I'm looking at the SASL library source code,
and I don't see how -U (which I'm assuming is using the AUTHNAME
callback) actually passes anything into the GSSAPI SASL plugin
routines. Yes, the authzid is used, but that's quite different from
selecting a client principal other than your primary.
--Ken