> -----Original Message-----
> Michale wrote:
>
> First the client has to obtain a ticket granting ticket (TGT)
> from the Kerberos KDC (e.g. via GSSAPI).

Just want to know whether this process can be automatic for an LDAP client? Or do I need to manually write some routines to fetch this key for GSSAPI?

> This can get tricky since there is no standardized way how
> the LDAP server maps the SASL authc-ID to the authz-ID. And
> how to query the authz-ID is also not supported the same way
> on all LDAP servers. Which LDAP server do you plan to use?

I plan to test it against an ADS LDAP server that resides in a Windows 2003 OS first, because ADS also provides Kerberos authentication at the same time. It is bad news that different LDAP servers handle SASL differently.

By the way, what are authc-ID and authz-ID? What do they refer to? Would you please elaborate on these, Mike?

> I'd recommend to 1. play with the Kerberos utils on your
> platform (obtaining TGT with command-line tool kinit, then
> using command-line tool ldapsearch with SASL). Note that your
> DNS has to be set up correctly!

I have had the same thought as you these days. I want to have a Kerberos client that can work together with the ldapsearch command-line tool (which works great for simple binding and search). With these two at hand, I can use them to do testing first, and use the testing result as a benchmark to be used in my coding later.

But although I have the ldapsearch utility in our Linux environment, I can't find a working Kerberos utility that works for Linux, or is it my ignorance? If there is some Kerberos client that can be used in RedHat Linux, please refer me to the location.

By the way, do you have some LDAP traces with SASL binding in them? That would be helpful, too.

Thank you,
Xu Qiang

_______________________________________________
dev-tech-ldap mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-ldap
