On Thu, Dec 25, 2008 at 10:53:10PM +0530, Deepika Srivastava wrote:
> I have to authenticate a user to LDAP server using GSS-SPNEGO and Kerberos
> as base mechanism.
> I have successfully generated the TGT.
> Now I want to use ldap_sasl_bind_s() function with "GSS-SPNEGO" as mechanism.
> I am not sure of the parameters to pass.
> I read on
> http://publib.boulder.ibm.com/infocenter/iseries/v5r3/index.jsp?topic=/ap...
> in case of Kerberos, we can use the above mentioned ticket if we have
> the TGT. Just we need to pass 'cred' and 'dn' as NULL and the function will
> automatically take care of the rest of the mechanism under covers.
>
> ldap_sasl_bind_s (g_hLDAP,"", "GSS-SPNEGO" ,NULL,NULL,NULL, &servercredp )

That is too little information on your source code. It would be more useful to see
the entire sequence of calls you're doing to bind using GSSAPI.

> This is how I am calling the function but is throwing LDAP_PARAM_ERROR.
> I am not sure of the reason. Can anyone help me on the reason?
> Also I wanted to know that do we need to do any configurations at the LDAP
> server end to enable Kerberos authentication.

Yes, you do. Assuming you want to do SASL bind using Cyrus SASL you need to have
the necessary modules installed on your system.

> Also do I need to call krb5_mk_req() before calling ldap_sasl_bind_s() or
> can I directly call ldap_sasl_bind_s()?

No need to call Kerberos functions. GSSAPI layer is something that should protect
you from doing that.

> Can anyone help me on the flow of API for achieving complete authentication
> after achieving the Kerberos ticket.

I have very little experience with Cyrus SASL but if you want to be able to connect
to Active Directory server there's gssapi code (in HEAD only, at the moment) enabling
such functionality, which doesn't require configuration of external SASL modules.

cheers,
--
Rafal Szczesniak
Samba Team member
http://www.samba.org
Likewise Software
http://www.likewisesoftware.com