SASL/GSSAPI bind in LDAP plugin?

Will Fiveash William.Fiveash at sun.com
Mon Feb 13 16:44:27 EST 2006


I was looking at the LDAP KDB plugin and was wondering if it was
possible to support a SASL/GSSAPI LDAP bind when the kdc or kadmind
needed to access the KDB via LDAP.  It appears to be a chicken and egg
issue since the KDC needs access to the LDAP/DS service princ. key which
it normally has via the KDB.  And given the LDAP plugin would be calling
libsasl/libgss/mech_krb5 as a client (running under the kdc process),
the code path would be generating a request to the kdc and blocking for
a reply from the kdc which wouldn't come unless the kdc was
multi-threaded.  Or is there another way?  It seems advantageous to
leverage the existing Kerberos infrastructure for this sort of
authenticated bind.

-- 
Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)



More information about the krbdev mailing list