SASL/GSSAPI bind in LDAP plugin?
lukeh at padl.com
Mon Feb 13 23:09:01 EST 2006
>I was looking at the LDAP KDB plugin and was wondering if it was
>possible to support a SASL/GSSAPI LDAP bind when the kdc or kadmind
>needed to access the KDB via LDAP. It appears to be a chicken and egg
>issue since the KDC needs access to the LDAP/DS service princ. key which
>it normally has via the KDB. And given the LDAP plugin would be calling
>libsasl/libgss/mech_krb5 as a client (running under the kdc process),
I think it's chicken-and-egg, unless you store the LDAP server key
separately and use it to fake a ticket.
>the code path would be generating a request to the kdc and blocking for
>a reply from the kdc which wouldn't come unless the kdc was
>multi-threaded. Or is there another way? It seems advantageous to
If you need to make a KDC request from within the same process as the
KDC, you really need to do it in-line; otherwise, what happens if the
last thread is making the request?
>leverage the existing Kerberos infrastructure for this sort of
My preference is for the KDC to run on the same host as the LDAP server
and use ldapi:// (LDAP over IPC). This is the approach we used in XAD.
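As an added illustration of the ldapi:// approach recommended above (not configuration from this thread, from XAD, or from the 2006 LDAP plugin), the following kdc.conf fragment is how the MIT krb5 LDAP backend can be pointed at a slapd on the same host over its Unix-domain socket and authenticated with SASL EXTERNAL (peer credentials), so that neither the KDC nor kadmind needs a stashed bind password or a Kerberos ticket to reach the KDB. The ldap_kdc_sasl_mech and ldap_kadmind_sasl_mech options were added in krb5 1.13 and did not exist when this message was written; the realm, suffix, DNs and file paths are placeholders.

```ini
; kdc.conf (assumed example): KDC and kadmind on the same host as slapd,
; reaching the KDB over the ldapi:// socket and authenticating with
; SASL EXTERNAL. No password is stored on disk for the bind, and no
; KDC request has to be made from inside the KDC process.
; Requires MIT krb5 1.13 or later for the ldap_*_sasl_mech options.
[realms]
    EXAMPLE.COM = {
        database_module = openldap_ldapconf
    }

[dbmodules]
    openldap_ldapconf = {
        db_library = kldap
        ; Unix-domain socket of the local slapd; no TLS needed on-host.
        ldap_servers = ldapi:///
        ldap_kerberos_container_dn = cn=krbContainer,dc=example,dc=com
        ; Peer-credential authentication for both daemons.
        ldap_kdc_sasl_mech = EXTERNAL
        ldap_kadmind_sasl_mech = EXTERNAL
        ; The simple-bind alternative this replaces: fixed DNs plus a
        ; stashed password file that must be protected on disk.
        ; ldap_kdc_dn = cn=kdc-service,dc=example,dc=com
        ; ldap_kadmind_dn = cn=adm-service,dc=example,dc=com
        ; ldap_service_password_file = /etc/krb5kdc/service.keyfile
    }
```

On the slapd side, SASL EXTERNAL over ldapi:// presents the connecting process as an identity of the form `gidNumber=<gid>+uidNumber=<uid>,cn=peercred,cn=external,cn=auth`, which an `authz-regexp` directive (e.g. mapping `gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth` to `cn=kdc-service,dc=example,dc=com`) maps to the entry that holds the KDC's access rights; the uid/gid values are whatever the KDC and kadmind actually run as. The check to make is that the mapped DN's ACLs grant read of the Kerberos container to the KDC identity and write only to the kadmind identity, since with peer credentials the distinction is made by the mapping, not by a password.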