This sounds redundant to me, given that OpenLDAP interfaces to GSS thru SASL.
If this code belongs anywhere at all, it's in the SASL library. As for the
mechanism itself - we've only recently excised all the other
non-standard/obsolete Bind mechanisms from our code base. If Microsoft wants
to publish some RFCs/specs for these other mechs, then maybe it'd be OK to
incorporate. But until then, to me it just feels like pollution.
Anyone else have comments?
-------- Original Message --------
Subject: Re: Likewise has added GSS-SPNEGO support to openldap libraries
Date: Sat, 26 Jan 2008 23:17:18 +1100
From: Luke Howard <lukeh(a)padl.com>
Organization: PADL Software Pty Ltd
To: Krishna Ganugapati <krishnag(a)likewisesoftware.com>
CC: Howard Chu <HYC(a)symas.com>
Sounds good! The standard procedure is to file an ITS at:
and then the OpenLDAP team will review it. I still might have commit
I think the OpenLDAP team would want to consider how adding
LDAP_AUTH_NEGOTIATE (which isn't a new authentication method at the
protocol layer) would interact with the existing implementation of
ldap_sasl_interactive_bind_s(). I personally have no problem with the
MSDN APIs but the team may prefer to keep the existing API usage.
Krishna Ganugapati wrote:
I wanted to let you know that we’ve added support for the
LDAP_AUTH_NEGOTIATE option to support GSS-SPNEGO in the open-ldap
libraries. I’d contracted with Sernet to do this work and the work was
done by Stefan Metzmacher of Sernet. We have this support in our own
tree right now and it is super cool.
See here for details
The advantage is that if you want to make authenticated requests to
Active Directory, it is a piece of cake as opposed to having to
negotiate gss contexts yourself. If you get a tgt from a AD domain
controller, you can seamlessly connect to AD directories.
I’d like to get this in to the open-ldap source base. I notice that
you (your company) partners with Symas and the open-ldap team. Could I
impose on you to make introductions? I think they will be more
inclined to accept the code when they realize that this work has been
done by Sernet (Volker Lendecke’s company) on contract to Likewise and
we at Likewise are delighted to push this upstream. I completely
understand if you would not be comfortable doing so.
By the way, our team has ported the dce-rpc libraries to just about
every platform possible and we plan to release it back to the
community very soon. We’re also going to release our libnetapi
libraries which provide a API level compatibility with most of the Net
Vice President, Engineering
*T* 425.378.7887 x241 *F* 425.484.6316 *M* 425.736.1076 *E*
15395 SE 30th Place, Suite 140
Bellevue, WA 98007
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/