Updates (multi-realm) to Leash32...
vorlon at netexpress.net
Fri Jan 10 17:19:01 EST 2003

On Fri, Jan 10, 2003 at 05:14:32PM -0500, Ken Hornstein wrote:
> >Well, ldapsearch includes the following options:
> >
> >  -U authcid   SASL authentication identity
> >  -X authzid   SASL authorization identity ("dn:<dn>" or "u:<user>")
> >  -Y mech      SASL mechanism
> >
> >The '-U' option maps directly to a Kerberos principal when using -Y gssapi,
> >and definitely provides the means for a user to request authentication
>
> Hm, are you sure? Because I'm looking at the SASL library source code,
> and I don't see how -U (which I'm assuming is using the AUTHNAME
> callback) actually passes anything into the GSSAPI SASL plugin
> routines. Yes, the authzid is used, but that's quite different from
> selecting a client principal other than your primary.

Ah... perhaps you're right. I may have been thinking of problems caused
by a mismatch between the requested authzid and the ccache. At least, I
can't seem to make -U do anything useful.