4:27 a.m.
Hi All,
I'm working on Windows application that uses libldap built with cyrus sasl and MIT
Kerberos and I'm having issues with Kerberos authentication on AD.
I have tested with various applications and Kerberos is working properly on server.
In my app I'm using ldap_sasl_interactive_bind_s(mLdapObj, NULL, "GSSAPI",
NULL, NULL, LDAP_SASL_INTERACTIVE, my_ldap_sasl_interact, defaults) in order to bind with
server, but I get error -2 (Local error).
I have debugged the app and I have found that there is an issue with Keberos Credentials
Cache. Because I haven't set credentials cache location, Kerberos reads this location
from KRB5CCNAME environment variable.
So my first question is : Is there any API in libldap, so we can set our own contact cache
location?
But even when I set this variable, I get same error when I try to bind. After some more
debugging I found that Kerberos expects that I already have credentials cache file
created, and that there is a ticket in it(as a I have called kinit before bind).
Is there an API in libldap, that will call Kerberos API for credentials cache and ticket
obtaining operations, which we can call before bind, or we need to call Kerberos API
directly ?
Thank you for your help.
Best Regards,
Petar Kovacevic
6:37 a.m.
Petar Kovačević wrote:
Hi All,
I’m working on Windows application that uses libldap built with cyrus sasl and
MIT Kerberos and I’m having issues with Kerberos authentication on AD.
I have tested with various applications and Kerberos is working properly on
server.
In my app I’m using ldap_sasl_interactive_bind_s(mLdapObj, NULL, "GSSAPI",
NULL, NULL, LDAP_SASL_INTERACTIVE, my_ldap_sasl_interact, defaults) in order
to bind with server, but I get error -2 (Local error).
I have debugged the app and I have found that there is an issue with Keberos
Credentials Cache. Because I haven’t set credentials cache location, Kerberos
reads this location from KRB5CCNAME environment variable.
So my first question is : Is there any API in libldap, so we can set our own
contact cache location?
No.
But even when I set this variable, I get same error when I try to
bind. After
some more debugging I found that Kerberos expects that I already have
credentials cache file created, and that there is a ticket in it(as a I have
called kinit before bind).
Is there an API in libldap, that will call Kerberos API for credentials cache
and ticket obtaining operations, which we can call before bind, or we need to
call Kerberos API directly ?
You are expected to have a TGT already.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
12:17 p.m.
Hi,
Is it possible to use in memory credentials cache to store TGT, or it has be in file?
Best Regards,
Petar Kovacevic
________________________________________
From: Howard Chu [hyc(a)symas.com]
Sent: Monday, January 25, 2016 3:37 PM
To: Petar Kovačević; openldap-technical(a)openldap.orgte
Subject: Re: OpenLdap + Cyrus SASL + MIT Kerberos credentials cache
Petar Kovačević wrote:
Hi All,
I’m working on Windows application that uses libldap built with cyrus sasl and
MIT Kerberos and I’m having issues with Kerberos authentication on AD.
I have tested with various applications and Kerberos is working properly on
server.
In my app I’m using ldap_sasl_interactive_bind_s(mLdapObj, NULL, "GSSAPI",
NULL, NULL, LDAP_SASL_INTERACTIVE, my_ldap_sasl_interact, defaults) in order
to bind with server, but I get error -2 (Local error).
I have debugged the app and I have found that there is an issue with Keberos
Credentials Cache. Because I haven’t set credentials cache location, Kerberos
reads this location from KRB5CCNAME environment variable.
So my first question is : Is there any API in libldap, so we can set our own
contact cache location?
No.
But even when I set this variable, I get same error when I try to
bind. After
some more debugging I found that Kerberos expects that I already have
credentials cache file created, and that there is a ticket in it(as a I have
called kinit before bind).
Is there an API in libldap, that will call Kerberos API for credentials cache
and ticket obtaining operations, which we can call before bind, or we need to
call Kerberos API directly ?
You are expected to have a TGT already.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
9:05 p.m.
Petar Kovačević wrote:
Hi,
Is it possible to use in memory credentials cache to store TGT, or it has be in file?
That depends entirely on your Kerberos library, OpenLDAP has nothing to do
with it. Read your kerberos docs or ask on a kerberos mailing list.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
2871
days inactive
2874
days old
openldap-technical@openldap.org
3 comments
2 participants
participants (2)
-
Howard Chu -
Petar Kovačević