SASL/GSSAPI bind in LDAP plugin?

Will Fiveash William.Fiveash at
Mon Feb 13 16:44:27 EST 2006

I was looking at the LDAP KDB plugin and was wondering if it was
possible to support a SASL/GSSAPI LDAP bind when the kdc or kadmind
needed access the KDB via LDAP.  It appears to be a chicken and egg
issue since the KDC needs access to the LDAP/DS service princ. key which
it normally has via the KDB.  And given the LDAP plugin would be calling
libsasl/libgss/mech_krb5 as a client (running under the kdc process),
the code path would be generating a request to the kdc and blocking for
a reply from the kdc which wouldn't come unless the kdc was
multi-threaded.  Or is there another way?  It seems advantageous to
leverage the existing Kerberos infrastructure for this sort of
authenticated bind.

Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)

More information about the krbdev mailing list