LDAP, MIT Kerberos and SPNEGO

Simo Sorce ssorce at redhat.com
Fri Oct 4 13:52:56 EDT 2013


----- Original Message -----
> Hi,
> 
> I have a Java LDAP client and my AD-based LDAP server supports GSS-SPNEGO
> mechanism for bind requests. I am trying to bind to LDAP server using
> SPNEGO, and using MIT Kerberos (I have built the 1.11.3 version) library
> for Kerberos GSS API implementation. However, I have the following queries:
> 
> 1. Does MIT Kerberos library support GSS-SPNEGO?
> (because I am getting a libc error from the Kerberos library if I set the oid for
> GSS-SPNEGO in the org.ietf.jgss createContext() method; however, if I set the
> same for Kerberos, it just works fine.)
> 
> 2. As in HTTP Negotiate authentication, we attach 'Negotiate AuthToken'
> in Authentication header in HTTP GET requests, what should be the
> procedure for LDAP bind requests for SPNEGO (which should resolve to
> Kerberos) which go as TCP packets ?

Arpit,
I am not sure about the Java client, but using OpenLDAP libraries linked
against cyrus-sasl all you need to do is to use GSS-SPNEGO as the SASL
method, and it works.

Simo.

-- 
Simo Sorce * Red Hat, Inc. * New York
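
Where the token travels in an LDAP bind, as an added example that is not part of the original thread: instead of an HTTP header, the SPNEGO token rides in the `credentials` field of an RFC 4511 SASL BindRequest whose mechanism is "GSS-SPNEGO", and the server's reply token comes back in `serverSaslCreds`. The helper names and the sample token are constructed for illustration; a real token would come from the GSS-API context (for example `initSecContext()` in org.ietf.jgss).

```python
# Added example, not from the thread; helper names are illustrative.
# Constructed placeholder: only the SPNEGO OID header (1.3.6.1.5.5.2), not a real token.
SAMPLE_TOKEN = bytes.fromhex("600806062b0601050502")

def ber_len(n):
    if n < 0x80:
        return bytes([n])  # short form
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body  # long form

def tlv(tag, value):
    return bytes([tag]) + ber_len(len(value)) + value

def ber_int(n):  # non-negative integers only; extra byte keeps the sign bit clear
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def sasl_bind_request(msg_id, mechanism, token):
    # BindRequest [APPLICATION 0] { version 3, empty name, sasl [3] { mechanism, credentials } }
    creds = tlv(0x04, mechanism.encode()) + tlv(0x04, token)
    bind = ber_int(3) + tlv(0x04, b"") + tlv(0xA3, creds)
    return tlv(0x30, ber_int(msg_id) + tlv(0x60, bind))  # LDAPMessage envelope

def read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def parse_bind_response(msg):
    """Return (messageID, resultCode, serverSaslCreds or None)."""
    tag, body, _ = read_tlv(msg)
    (_, mid), (op_tag, op) = children(body)[:2]
    if tag != 0x30 or op_tag != 0x61:  # 0x61 = BindResponse [APPLICATION 1]
        raise ValueError("not a BindResponse")
    fields = children(op)  # resultCode, matchedDN, diagnosticMessage, ...
    server_token = next((v for t, v in fields if t == 0x87), None)  # [7]
    return int.from_bytes(mid, "big"), int.from_bytes(fields[0][1], "big"), server_token

if __name__ == "__main__":
    print(sasl_bind_request(1, "GSS-SPNEGO", SAMPLE_TOKEN).hex())
```

A resultCode of 14 (saslBindInProgress) means the returned token is fed back into the GSS-API context and the next token is sent in another BindRequest; 0 (success) completes the bind.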


More information about the krbdev mailing list