SASL/GSSAPI bind in LDAP plugin?
lukeh at padl.com
Mon Feb 13 23:34:50 EST 2006
>Anyway, from what I know of the code path I think inline processing on
>the current MIT KDC may not be possible because the KDC calls the LDAP
>plugin which is calling libsasl/libgss/mech_krb5 as a client which would
>have the mech_krb5 code issuing an AS_REQ and so forth to acquire an LDAP
>service ticket. All this is way below the KDC.

It's probably a lot of work, but you could certainly make the KDC into a
library called by libkrb5 when running inside the KDC.
I suspect this is what MS do inside LSASS in order to support outgoing
Kerberized LDAP and RPC connections with the local machine identity.