SASL/GSSAPI bind in LDAP plugin?

Henry B. Hotz hotz at
Thu Feb 16 15:48:36 EST 2006

On Feb 16, 2006, at 9:02 AM, krbdev-request at wrote:

> Date: Wed, 15 Feb 2006 17:54:56 -0600
> From: Nicolas Williams <Nicolas.Williams at>
> Subject: Re: SASL/GSSAPI bind in LDAP plugin?
> To: Sam Hartman <hartmans at MIT.EDU>
> Cc: MIT Kerberos Dev List <krbdev at>
> Message-ID: <20060215235456.GK9977 at binky.Central.Sun.COM>
> Content-Type: text/plain; charset=utf-8
> On Wed, Feb 15, 2006 at 06:30:59PM -0500, Sam Hartman wrote:
>>>>>>> "Nicolas" == Nicolas Williams <Nicolas.Williams at> writes:
>>     Nicolas> On Wed, Feb 15, 2006 at 12:34:40PM -0500, Sam Hartman
>>     Nicolas> wrote:
>>>> I think that what you want to do is have at least one KDC on a
>>>> directory server and use SASL external with a unix domain
>>>> socket.
>>     Nicolas> Sigh.
>> what's wrong with my suggestion?
> KDCs relying on KDCs to bootstrap?

I don't think this answers the question.  If you're using Kerberized replication utilities then you need to configure slave machines to authenticate against an external kdc to bootstrap.  This has nothing to do with LDAP back-ends.

As for who's running who:  well if the data is all in LDAP, then I think that decision has already been made.  The kdc is just a specialized front-end for the directory.

In that architecture I would probably prefer to put the DS(s) and the KDC(s) on the same machine(s) precisely to simplify (and better secure) their interaction.

The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at, or hbhotz at
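For readers of this archive, here is what the arrangement discussed above (a KDC co-located with its directory server, talking to it over a Unix domain socket and binding with SASL EXTERNAL) looks like as a kdc.conf fragment. This is an added illustration, not configuration from anyone in the thread: it uses the `ldap_kdc_sasl_mech` and `ldap_kadmind_sasl_mech` directives of later MIT krb5 releases, which did not exist when this message was written, and the realm, container DN and socket path are placeholders.

```ini
# kdc.conf (added example; EXAMPLE.COM, the container DN and the socket are assumed)
[realms]
    EXAMPLE.COM = {
        database_module = ldap_local
    }

[dbmodules]
    ldap_local = {
        db_library = kldap
        # ldapi:/// is the local Unix domain socket: no network listener to
        # expose, no TLS to manage, and the peer is identified by its uid/gid
        ldap_servers = ldapi:///
        ldap_kerberos_container_dn = cn=krbContainer,dc=example,dc=com
        # SASL EXTERNAL over the socket: no ldap_kdc_dn / ldap_kadmind_dn and
        # no ldap_service_password_file holding a long-lived bind password
        ldap_kdc_sasl_mech = EXTERNAL
        ldap_kadmind_sasl_mech = EXTERNAL
    }
```

On the OpenLDAP side a peer binding with EXTERNAL over ldapi:// is seen as `gidNumber=<gid>+uidNumber=<uid>,cn=peercred,cn=external,cn=auth`, so slapd needs an `authz-regexp` mapping the KDC's uid/gid to a DN and an ACL granting that DN write access to the Kerberos container. The point for the bootstrap argument is that the trust is then machine-local: the directory authorises the KDC process by operating-system identity, so no Kerberos ticket, and therefore no other KDC, is needed before the KDC can read its database.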
