Updates (multi-realm) to Leash32...

Steve Langasek vorlon at netexpress.net
Fri Jan 10 17:19:01 EST 2003

On Fri, Jan 10, 2003 at 05:14:32PM -0500, Ken Hornstein wrote:
> >Well, ldapsearch includes the following options:
> >
> >  -U authcid SASL authentication identity
> >  -X authzid SASL authorization identity ("dn:<dn>" or "u:<user>")
> >  -Y mech    SASL mechanism
> >
> >The '-U' option maps directly to a Kerberos principal when using -Y gssapi,
> >and definitely provides the means for a user to request authentication
>
> Hm, are you sure?  Because I'm looking at the SASL library source code,
> and I don't see how -U (which I'm assuming is using the AUTHNAME
> callback) actually passes anything into the GSSAPI SASL plugin
> routines.  Yes, the authzid is used, but that's quite different from
> selecting a client principal other than your primary.

Ah... perhaps you're right.  I may have been thinking of problems caused
by a mismatch between the requested authzid and the ccache.  At least, I
can't seem to make -U do anything useful.

Steve Langasek
postmodern programmer

More information about the krbdev mailing list