SASL/GSSAPI bind in LDAP plugin?

Luke Howard lukeh at
Mon Feb 13 23:34:50 EST 2006

>Anyway, from what I know of the code path I think inline processing on
>the current MIT KDC may not be possible because the KDC calls the LDAP
>plugin which is calling libsasl/libgss/mech_krb5 as a client which would
>have the mech_krb5 code issuing an AS_REQ and so forth to acquire a LDAP
>service ticket.  All this is way below the KDC.

It's probably a lot of work, but you could certainly make the KDC into a
library called by libkrb5 when running inside the KDC.

I suspect this is what MS do inside LSASS in order to support outgoing
Kerberized LDAP and RPC connections with the local machine identity.

-- Luke
