Hi
I have to authenticate a user to an LDAP server using GSS-SPNEGO with Kerberos as the base mechanism. I have successfully generated the TGT. Now I want to use the ldap_sasl_bind_s() function with "GSS-SPNEGO" as the mechanism. I am not sure of the parameters to pass. I read on http://publib.boulder.ibm.com/infocenter/iseries/v5r3/index.jsp?topic=/apis/... that in the case of Kerberos we can use the above-mentioned ticket if we have the TGT. We just need to pass 'cred' and 'dn' as NULL and the function will automatically take care of the rest of the mechanism under the covers.

ldap_sasl_bind_s(g_hLDAP, "", "GSS-SPNEGO", NULL, NULL, NULL, &servercredp)

This is how I am calling the function, but it is throwing LDAP_PARAM_ERROR. I am not sure of the reason. Can anyone help me with the reason? Also, I wanted to know whether we need to do any configuration at the LDAP server end to enable Kerberos authentication. Also, do I need to call krb5_mk_req() before calling ldap_sasl_bind_s(), or can I directly call ldap_sasl_bind_s()? Can anyone help me with the flow of API calls for achieving complete authentication after obtaining the Kerberos ticket? Any thoughts?
On Thu, Dec 25, 2008 at 10:53:10PM +0530, Deepika Srivastava wrote:
> I have to authenticate a user to an LDAP server using GSS-SPNEGO with Kerberos as the base mechanism. I have successfully generated the TGT. Now I want to use the ldap_sasl_bind_s() function with "GSS-SPNEGO" as the mechanism. I am not sure of the parameters to pass. I read on http://publib.boulder.ibm.com/infocenter/iseries/v5r3/index.jsp?topic=/apis/... that in the case of Kerberos we can use the above-mentioned ticket if we have the TGT. We just need to pass 'cred' and 'dn' as NULL and the function will automatically take care of the rest of the mechanism under the covers.
>
> ldap_sasl_bind_s(g_hLDAP, "", "GSS-SPNEGO", NULL, NULL, NULL, &servercredp)
That is too little information about your source code. It would be more useful to see the entire sequence of calls you're doing to bind using GSSAPI.
> This is how I am calling the function, but it is throwing LDAP_PARAM_ERROR. I am not sure of the reason. Can anyone help me with the reason? Also, I wanted to know whether we need to do any configuration at the LDAP server end to enable Kerberos authentication.
Yes, you do. Assuming you want to do a SASL bind using Cyrus SASL, you need to have the necessary modules installed on your system.
> Also, do I need to call krb5_mk_req() before calling ldap_sasl_bind_s(), or can I directly call ldap_sasl_bind_s()?
No need to call Kerberos functions. The GSSAPI layer is something that should protect you from doing that.
> Can anyone help me with the flow of API calls for achieving complete authentication after obtaining the Kerberos ticket?
I have very little experience with Cyrus SASL, but if you want to be able to connect to an Active Directory server there's gssapi code (in HEAD only, at the moment) enabling such functionality, which doesn't require configuration of external SASL modules.
cheers,
openldap-technical@openldap.org