Hi, I'm quite new to OpenLDAP and am searching for answers to some questions on a particular case I have; I'd be glad if someone could help me out on this particular topic.
I have a situation where I have to perform an LDAP bind to a given LDAP server while being provided only a service ticket to that particular LDAP server and nothing else. I have already explored the possibility of using the SASL authentication method with GSSAPI as the mechanism; however, I guess the GSSAPI mechanism takes user credentials as input and moves through the Kerberos protocol to finally provide the LDAP server with the service ticket.
I'm looking for a method where I can just provide the service ticket (which I acquired from another host, where the client entered the credentials and Kerberos returned a service ticket) to the LDAP server and hope to achieve the LDAP bind.
Is there any ldap_bind method that just takes the service ticket as input and allows a bind to take place, or is it possible to use a SASL mechanism to make this happen? Any suggestions will be appreciated at this time.
Regards,
Austin.
Austin Cherian wrote:
Hi, I'm quite new to OpenLDAP and am searching for answers to some questions on a particular case I have; I'd be glad if someone could help me out on this particular topic.
I have a situation where I have to perform an LDAP bind to a given LDAP server while being provided only a service ticket to that particular LDAP server and nothing else. I have already explored the possibility of using the SASL authentication method with GSSAPI as the mechanism; however, I guess the GSSAPI mechanism takes user credentials as input and moves through the Kerberos protocol to finally provide the LDAP server with the service ticket.
Wrong. The GSSAPI mechanism does exactly what you're looking for.
Thanks for the reply, Howard. If I can further clarify, what you mean is that, given the ldap_sasl_bind function prototype below:
ldap_sasl_bind( LDAP *ld, LDAP_CONST char *dn, LDAP_CONST char *mechanism, struct berval *cred, LDAPControl **sctrls, LDAPControl **cctrls, int *msgidp )
I first call the Kerberos authentication functions to get the service ticket to the LDAP server. Next I can simply use the above function, specifying mechanism as "GSSAPI" and pointing cred to the Kerberos service ticket I just got?
If this is right, the LDAP server will just verify the service ticket and send back the response for the function to return success.
Is there anything else I need to take care of?
On 11/26/07, Howard Chu hyc@symas.com wrote:
Austin Cherian wrote:
Hi, I'm quite new to OpenLDAP and am searching for answers to some questions on a particular case I have; I'd be glad if someone could help me out on this particular topic.
I have a situation where I have to perform an LDAP bind to a given LDAP server while being provided only a service ticket to that particular LDAP server and nothing else. I have already explored the possibility of using the SASL authentication method with GSSAPI as the mechanism; however, I guess the GSSAPI mechanism takes user credentials as input and moves through the Kerberos protocol to finally provide the LDAP server with the service ticket.
Wrong. The GSSAPI mechanism does exactly what you're looking for.
-- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/
Austin Cherian wrote:
Thanks for the reply, Howard. If I can further clarify, what you mean is that, given the ldap_sasl_bind function prototype below:
ldap_sasl_bind( LDAP *ld, LDAP_CONST char *dn, LDAP_CONST char *mechanism, struct berval *cred, LDAPControl **sctrls, LDAPControl **cctrls, int *msgidp )
I first call the Kerberos authentication functions to get the service ticket to the LDAP server. Next I can simply use the above function, specifying mechanism as "GSSAPI" and pointing cred to the Kerberos service ticket I just got?
Generally no. The SASL library may need to do other things with the session and credentials. You should use the ldap_sasl_interactive_bind_s() function instead.
If this is right, the LDAP server will just verify the service ticket and send back the response for the function to return success.
Basically, yes.
Is there anything else I need to take care of?
If you use the ldap_sasl_interactive_bind_s() function, there's nothing else to take care of.
openldap-software@openldap.org