SASL/GSSAPI bind in LDAP plugin?

[Luke Howard]

>I was looking at the LDAP KDB plugin and was wondering if it was
>possible to support a SASL/GSSAPI LDAP bind when the kdc or kadmind
>needed access the KDB via LDAP.  It appears to be a chicken and egg
>issue since the KDC needs access to the LDAP/DS service princ. key which
>it normally has via the KDB.  And given the LDAP plugin would be calling
>libsasl/libgss/mech_krb5 as a client (running under the kdc process),

I think it's chicken-and-egg, unless you store the LDAP server key
separately and use it to fake a ticket.

>the code path would be generating a request to the kdc and blocking for
>a reply from the kdc which wouldn't come unless the kdc was
>multi-threaded.  Or is there another way?  It seems advantageous to

If you need to make a KDC request from within the same process as the
KDC you really need to do it in-line, otherwise what happens if the
last thread is making the request?

>leverage the existing Kerberos infrastructure for this sort of
>authenticated bind.

My preference is for the KDC to run on the same host as the LDAP server
and use ldapi:// (LDAP over IPC). This is the approach we used in XAD.

cheers,

-- Luke

--