Disabling PA-REQ-ENC-PA-REP (149) preauth?

Aleksander Adamowski krb5 at olo.org.pl
Sat Jan 14 10:04:18 EST 2012


I'm working on a proof of concept integration of Kerberos and LDAP
protocols (namely, transporting Kerberos V5 messages using LDAPv3
extended operations - basically using LDAPv3 instead of plain TCP as
carrier protocol for Kerberos).
I've given the code name "KrbLDAP" to the integrated Kerberos+LDAP protocol.

I'm publishing my work on Github - my 3 repositories are located here:

These are Github forks of official MIT krb5, Fedora's pam_krb5 (which
in my experiment serves the role of a client used to launch the
integration test) and a new repo "apacheds-krbldap-test" that uses
Apache Directory Server's extensibility and support for both LDAP and
Kerberos to implement a proof of concept KrbLDAP server.

At this stage, I've managed to successfully encode a Kerberos AS-REQ
message inside an LDAPv3 extended request and send it to the server.
The server receives it, and after extracting the Kerberos message,
feeds it to its Kerberos protocol handler.

All is well, but the problem is that the latest trunk version of
libkrb5 seems to use an experimental PA-REQ-ENC-PA-REP (149)
pre-authentication (with an empty preauth value) that's currently part of
a draft specification for Kerberos Referrals.

Obviously, Apache DS's Kerberos protocol handler doesn't yet know
about such preauth and returns an error message.

Is there a way to disable this behaviour in libkrb5?

Best Regards,
  Aleksander Adamowski
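The wrapping described in the post above, as an added example that is not code from the post, from MIT krb5, pam_krb5 or the apacheds-krbldap-test repository: a minimal DER encoder/decoder that builds an AS-REQ carrying the empty PA-REQ-ENC-PA-REP (type 149) padata, wraps it in an LDAPv3 ExtendedRequest, and on the receiving side extracts the Kerberos message, lists the padata types it contains, and re-encodes the AS-REQ with that one type removed (one way a handler that does not know a padata type could proceed instead of returning an error). The extended-operation OID, the principal names and the realm are placeholders chosen for this example; the post gives none of them.

```python
"""Kerberos AS-REQ inside an LDAPv3 ExtendedRequest: build, unwrap, inspect padata.
Added example; the OID and names below are placeholders, not KrbLDAP's real values."""

PA_REQ_ENC_PA_REP = 149                     # padata type from the post, empty value
KRBLDAP_OID = "1.3.6.1.4.1.0.0.1"           # placeholder OID for the extended operation

# --- minimal DER helpers (only what the two messages need) -----------------
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_int(v):                             # shortest two's-complement INTEGER
    n = 1
    while not -(1 << (8 * n - 1)) <= v < (1 << (8 * n - 1)):
        n += 1
    return tlv(0x02, v.to_bytes(n, "big", signed=True))

def ctx(n, body):                           # explicit context tag [n], as Kerberos uses
    return tlv(0xA0 | n, body)

def seq(*parts):
    return tlv(0x30, b"".join(parts))

def read_tlv(buf, pos=0):
    tag, l, pos = buf[pos], buf[pos + 1], pos + 2
    if l & 0x80:                            # long-form length
        n = l & 0x7F
        l, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + l], pos + l

def read_children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

# --- Kerberos side (RFC 4120 AS-REQ, explicit tagging) ---------------------
def kerberos_string(s):                     # KerberosString ::= GeneralString
    return tlv(0x1B, s.encode())

def principal_name(name_type, *parts):
    return seq(ctx(0, der_int(name_type)),
               ctx(1, seq(*[kerberos_string(p) for p in parts])))

def pa_data(ptype, value):                  # PA-DATA { [1] type, [2] OCTET STRING }
    return seq(ctx(1, der_int(ptype)), ctx(2, tlv(0x04, value)))

def as_req(client, realm, padata):
    body = seq(
        ctx(0, tlv(0x03, b"\x00\x00\x00\x00\x00")),   # kdc-options: BIT STRING, no flags
        ctx(1, principal_name(1, client)),             # cname, NT-PRINCIPAL
        ctx(2, kerberos_string(realm)),                # realm
        ctx(3, principal_name(2, "krbtgt", realm)),    # sname, NT-SRV-INST
        ctx(5, tlv(0x18, b"20370913024805Z")),         # till, KerberosTime
        ctx(7, der_int(0x12345678)),                   # nonce
        ctx(8, seq(der_int(18), der_int(17))),         # etype: aes256-cts, aes128-cts
    )
    fields = ctx(1, der_int(5)) + ctx(2, der_int(10))  # pvno, msg-type AS-REQ
    if padata:                                         # padata [3] is OPTIONAL
        fields += ctx(3, seq(*[pa_data(t, v) for t, v in padata]))
    return tlv(0x6A, fields + ctx(4, body))            # [APPLICATION 10] AS-REQ

# --- LDAP side (RFC 4511 LDAPMessage / ExtendedRequest, implicit tagging) --
def ldap_extended_request(msg_id, oid, value):
    ext = tlv(0x77, tlv(0x80, oid.encode()) + tlv(0x81, value))  # [APPLICATION 23]
    return seq(der_int(msg_id), ext)                              # no controls

def unwrap_extended_request(ldap_msg):
    """Return (messageID, requestName, requestValue) from an LDAPMessage."""
    _, body, _ = read_tlv(ldap_msg)
    (_, mid), (op_tag, op) = read_children(body)[:2]
    if op_tag != 0x77:
        raise ValueError("not an ExtendedRequest")
    f = dict(read_children(op))
    return int.from_bytes(mid, "big", signed=True), f[0x80].decode(), f.get(0x81)

def padata_types(as_req_der):
    """List (padata-type, padata-value) pairs carried by an AS-REQ."""
    tag, kdc_req, _ = read_tlv(as_req_der)
    if tag != 0x6A:
        raise ValueError("not an AS-REQ")
    for ctag, cval in read_children(kdc_req):
        if ctag == 0xA3:
            _, padata_seq, _ = read_tlv(cval)
            result = []
            for _, pa in read_children(padata_seq):
                (_, t), (_, v) = read_children(pa)
                result.append((int.from_bytes(read_tlv(t)[1], "big", signed=True),
                               read_tlv(v)[1]))
            return result
    return []

def strip_padata(as_req_der, ptype):
    """Re-encode the AS-REQ without padata entries of type `ptype`; all other
    fields are copied byte-for-byte, so the rest of the request is unchanged."""
    _, kdc_req, _ = read_tlv(as_req_der)
    out = b""
    for ctag, cval in read_children(kdc_req):
        if ctag == 0xA3:
            keep = [pa_data(t, v) for t, v in padata_types(as_req_der) if t != ptype]
            out += ctx(3, seq(*keep)) if keep else b""
        else:
            out += tlv(ctag, cval)
    return tlv(0x6A, out)

def demo():
    req = as_req("alice", "EXAMPLE.COM", [(PA_REQ_ENC_PA_REP, b"")])  # constructed input
    wire = ldap_extended_request(1, KRBLDAP_OID, req)
    msg_id, oid, krb = unwrap_extended_request(wire)                 # server side
    return msg_id, oid, padata_types(krb), padata_types(strip_padata(krb, PA_REQ_ENC_PA_REP)), krb == req

if __name__ == "__main__":
    print(demo())
```

The receiving side only needs the outer LDAPMessage and the [APPLICATION 10] / [3] padata structure to see the type-149 entry; the rest of the KDC-REQ-BODY is copied verbatim by strip_padata, which keeps the example independent of which body fields the real client sends.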
