Xu, Qiang (FXSGSC) wrote:
>> -----Original Message-----
>> Michael wrote:
>>
>> First the client has to obtain a ticket granting ticket (TGT)
>> from the Kerberos KDC (e.g. via GSSAPI).
>
> Just want to know whether this process can be automatic for an LDAP
> client? Or do I need to manually write some routines to fetch this key
> for GSSAPI?

Obtaining the TGT involves the client's shared secret (derived from the
password). So you mainly need a password at the client side. You should
make yourself a little bit comfortable with the Kerberos protocol.

>> This can get tricky since there is no standardized way in which
>> the LDAP server maps the SASL authc-ID to the authz-ID. And
>> how to query the authz-ID is also not supported the same way
>> on all LDAP servers. Which LDAP server do you plan to use?
>
> I plan to test it against an ADS LDAP server that resides in a Windows
> 2003 OS first, because ADS also provides Kerberos authentication at
> the same time. It is bad news that different LDAP servers handle SASL
> differently.

The LDAP servers do not handle the SASL bind differently. Server-side
identity mapping is handled differently.

> By the way, what are authc-ID and authz-ID? What do they
> refer to? Would you please elaborate on these, Mike?

The authc-ID is e.g. what the user types in as user name during
authentication. The authz-ID is what the server uses as ID for
authorization. There has to be a mapping there.

Since you want to query some user profile data you have to find out to
which LDAP entry the authc-ID is mapped. With Kerberos the authc-ID is
the user's Kerberos principal name.

With AD and SASL/Kerberos the mapping is simply the user's principal name
found in attribute 'userPrincipalName' in the user's entry. You can use
this for searching the user's entry.

Other servers implement extended operations/controls for finding out to
which authz-ID the LDAP server mapped the authc-ID.

http://tools.ietf.org/html/rfc4532
http://tools.ietf.org/html/rfc3829

>> I'd recommend to 1. play with the Kerberos utils on your
>> platform (obtaining TGT with command-line tool kinit, then
>> using command-line tool ldapsearch with SASL). Note that your
>> DNS has to be set up correctly!
>
> I have the same thought as you these days. I want to have a Kerberos
> client that can work together with the command-line tool
> ldapsearch (which works great for simple binding and search). With
> these two at hand, I can use them to do testing first, and use the
> testing result as a benchmark to be used in my coding later. But
> although I have the ldapsearch utility in our Linux environment, I can't
> find a working Kerberos utility that works for Linux, or is it my
> ignorance? If there is some Kerberos client that can be used in
> RedHat Linux, please refer me to the location.

You could use the MIT Kerberos and cyrus-sasl packages provided with your
Linux distribution.

Since you're asking here I guess you want to use the Mozilla LDAP C API.

> By the way, do you have some LDAP traces with SASL binding in it?
> That will be helpful, too.

I'm not sure this would help you. You should play with a test
configuration yourself.

Ciao, Michael.

_______________________________________________
dev-tech-ldap mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-ldap
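The client-side half of the authc-ID to authz-ID mapping discussed in the thread, as an added example that is not part of the thread and not Michael's or the Mozilla LDAP C API's code: it builds the escaped search filter for AD's 'userPrincipalName' and parses the authzId string that an RFC 4532 "Who am I?" operation returns. The '(objectClass=user)' term and the 'uid' attribute for the "u:" form are assumptions; the actual bind and search calls are left to whatever LDAP API is in use, so this runs offline.

```python
# Added example, not from the thread. Pure mapping logic, no network I/O.
# authzId syntax is from RFC 4513 section 5.2.1.8 (used by RFC 4532):
#   "dn:<distinguishedName>", "u:<userid>", or "" for anonymous.

# RFC 4515 escaping for values embedded in a search filter, so that a
# principal containing '*', '(', ')' or '\' cannot change the filter.
_FILTER_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}


def escape_filter_value(value: str) -> str:
    return ''.join(_FILTER_ESCAPES.get(c, c) for c in value)


def upn_search_filter(principal: str) -> str:
    """Filter that locates an AD user entry from the Kerberos principal
    (the SASL authc-ID), e.g. 'qxu@EXAMPLE.COM' (constructed value).
    The '(objectClass=user)' term is an assumption about the AD schema."""
    return '(&(objectClass=user)(userPrincipalName=%s))' % escape_filter_value(principal)


def parse_authzid(authzid: str) -> tuple:
    """Split a "Who am I?" result into (kind, value); kind is 'dn', 'u' or
    'anonymous'. Raises ValueError on a form the RFC does not define."""
    if authzid == '':
        return ('anonymous', '')
    if authzid.startswith('dn:'):
        return ('dn', authzid[3:])
    if authzid.startswith('u:'):
        return ('u', authzid[2:])
    raise ValueError('unrecognised authzId form: %r' % authzid)


def entry_lookup(authzid: str, uid_attr: str = 'uid') -> tuple:
    """Return (base, filter) describing how to read the mapped entry:
    a 'dn:' result is read directly (base-object search), a 'u:' result
    still needs a search on the server's user-id attribute (assumed to
    be 'uid' here), and an anonymous result maps to no entry at all."""
    kind, value = parse_authzid(authzid)
    if kind == 'dn':
        return (value, '(objectClass=*)')
    if kind == 'u':
        return (None, '(%s=%s)' % (uid_attr, escape_filter_value(value)))
    return (None, None)
```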
