Hi All,
I'm working on a Windows application that uses libldap built with Cyrus SASL and MIT Kerberos, and I'm having issues with Kerberos authentication against AD. I have tested with various applications and Kerberos is working properly on the server. In my app I'm using ldap_sasl_interactive_bind_s(mLdapObj, NULL, "GSSAPI", NULL, NULL, LDAP_SASL_INTERACTIVE, my_ldap_sasl_interact, defaults) in order to bind with the server, but I get error -2 (Local error). I have debugged the app and I have found that there is an issue with the Kerberos credentials cache. Because I haven't set a credentials cache location, Kerberos reads this location from the KRB5CCNAME environment variable.
So my first question is: is there any API in libldap, so we can set our own credentials cache location?
But even when I set this variable, I get the same error when I try to bind. After some more debugging I found that Kerberos expects that I already have a credentials cache file created, and that there is a ticket in it (as if I had called kinit before bind).
Is there an API in libldap that will call the Kerberos API for the credentials cache and ticket-obtaining operations, which we can call before bind, or do we need to call the Kerberos API directly?
Thank you for your help.
Best Regards, Petar Kovacevic
Petar Kovačević wrote:
Hi All,
I'm working on a Windows application that uses libldap built with Cyrus SASL and MIT Kerberos, and I'm having issues with Kerberos authentication against AD.
I have tested with various applications and Kerberos is working properly on the server.
In my app I'm using ldap_sasl_interactive_bind_s(mLdapObj, NULL, "GSSAPI", NULL, NULL, LDAP_SASL_INTERACTIVE, my_ldap_sasl_interact, defaults) in order to bind with the server, but I get error -2 (Local error).
I have debugged the app and I have found that there is an issue with the Kerberos credentials cache. Because I haven't set a credentials cache location, Kerberos reads this location from the KRB5CCNAME environment variable.
So my first question is: is there any API in libldap, so we can set our own credentials cache location?
No.
But even when I set this variable, I get the same error when I try to bind. After some more debugging I found that Kerberos expects that I already have a credentials cache file created, and that there is a ticket in it (as if I had called kinit before bind).
Is there an API in libldap that will call the Kerberos API for the credentials cache and ticket-obtaining operations, which we can call before bind, or do we need to call the Kerberos API directly?
You are expected to have a TGT already.
Hi,
Is it possible to use an in-memory credentials cache to store the TGT, or does it have to be in a file?
Best Regards, Petar Kovacevic
________________________________________
From: Howard Chu [hyc@symas.com]
Sent: Monday, January 25, 2016 3:37 PM
To: Petar Kovačević; openldap-technical@openldap.org
Subject: Re: OpenLdap + Cyrus SASL + MIT Kerberos credentials cache
--
Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
Petar Kovačević wrote:
Hi,
Is it possible to use an in-memory credentials cache to store the TGT, or does it have to be in a file?
That depends entirely on your Kerberos library, OpenLDAP has nothing to do with it. Read your Kerberos docs or ask on a Kerberos mailing list.