Hi All,

FYI: Currently I am using the Netscape 3 C SDK and have compiled it on Windows/Solaris.

First I give some very basic understanding of what I am trying to achieve. It is an SSO (Single Sign-On) project where our servers may be running on Mac OS X, Sun, Windows, and the underlying DB for users/ACL (access control list) storage shall be LDAP. The directory server should be selectable between DS/OpenLDAP/AD/NDS.

Question 1: The first question that arises is about choosing the way of authentication. Almost all the authentication mechanisms are independent of the DS unless you decide to store passwords in the DS itself. The only exception is Microsoft's AD, which has blended the KDC with AD. Now the choice drills down to choosing a mechanism. I have chosen GSSAPI/Kerberos 5. Now I have to support all of them: SEAM/MIT/Heimdal/AD KDCs for all the respective platforms. After some study I found that SASL was the answer, as we have to choose a pluggable module for authentication so that even if we have to involve any third-party auth mechanism we should not face any problems. But the fundamental question arises.

Approach: clientapp --> LDAP/SASL/GSSAPI --> KDC --> Tickets

I think through ldap_sasl_bind via SASL only. As I understand it, in this approach we shall be involving an ldap_sasl_bind sort of thing through SASL and shall pass the password along with the user DN and other details. I think this should be the same as the ldapclient mechanism where I do kinit and then do all the searches, i.e. the ticket is used for LDAP operations. LDAP (DS) just becomes another service in the Kerberos domain, and once authenticated one can do all the LDAP operations. Now for my application, when a person logs on to the Windows/Mac client, he gets his TGT and passes the same for authentication via SASL/LDAP using the Netscape C SDK library. Am I wrong in this thought or not?

Question 2: The next part of the question is, if I want to use SASL/LDAP with Directory Server, does it matter which SASL implementation you are using?

Question 3: For the scenario described above I have chosen the SASL implementation using the Netscape SDK. I have tried this in Solaris and have succeeded. I tested with SEAM/Directory Server 5.2 and AD, implemented using the Luke Padl sample implementations for authentication, and found that it was successful (attached libgssldap.c). I then ported this to Windows using KfW 2.5 and failed to run the samples. Maybe (MS uses SSPI to fetch Microsoft credentials from the LSA (the Windows version of the credentials cache), while KfW 2.5 uses GSSAPI and has its own credential caches).

Question 4: I have attached both the files libgssldap.c and test.c, which I tested in Solaris 9 and was successful. Is this the way to use GSSAPI/Kerberos 5 via LDAP? I am confused.

Question 5: If feasible, can you guide what can be done in the case of Windows? Is the Netscape C SDK the right choice? I feel yes.

Question 6: I have been unable to find any samples using GSSAPI/Kerberos with the C SDK except the Luke Padl examples, which run only on UNIX-based systems. Where can I find one simple sample using GSSAPI/Kerberos/SASL in Windows?

Regards
Vikas

________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
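The post describes the flow clientapp --> LDAP/SASL/GSSAPI --> KDC --> Tickets and asks whether the TGT obtained at logon is what the ldap_sasl_bind step uses. What actually crosses the wire in that step is an LDAPv3 BindRequest whose AuthenticationChoice is sasl with mechanism "GSSAPI" and a GSS context token, answered by a BindResponse carrying saslBindInProgress (resultCode 14) and a serverSaslCreds token, repeated until the context is established. The block below is an added example written for this page; it is not the poster's libgssldap.c, not the attached test.c, and not Netscape C SDK code. It encodes that BindRequest and parses that BindResponse with a minimal BER writer/reader per RFC 4511, so a failing Windows run can be compared byte for byte against a working Solaris trace. Assumed and labelled as such in the code: an 8 KiB scratch buffer per message, messageIDs between 1 and 127, and constructed token bytes standing in for what gss_init_sec_context() returns.

```c
/* Added example (not the poster's libgssldap.c, not Netscape C SDK code): the LDAPv3 BER messages
 * (RFC 4511) that ldap_sasl_bind() exchanges for mechanism "GSSAPI". Token bytes are constructed
 * stand-ins for the context tokens gss_init_sec_context() / gss_accept_sec_context() return. */
#include <stdint.h>
#include <string.h>

#define SCRATCH 8192   /* assumption: one SASL round trip fits in 8 KiB */

/* Append tag + BER length (short form, or long form up to 65535) + value; 0 on success, -1 if it does not fit. */
static int ber_put(uint8_t *buf, size_t *used, size_t cap, uint8_t tag, const uint8_t *v, size_t vlen)
{
    uint8_t hdr[4];
    size_t h = 0;
    hdr[h++] = tag;
    if (vlen < 128) hdr[h++] = (uint8_t)vlen;                                                  /* short form */
    else if (vlen < 256) { hdr[h++] = 0x81; hdr[h++] = (uint8_t)vlen; }                        /* 0x80|1 + 1 byte */
    else if (vlen < 65536) { hdr[h++] = 0x82; hdr[h++] = (uint8_t)(vlen >> 8); hdr[h++] = (uint8_t)vlen; }
    else return -1;
    if (*used + h + vlen > cap) return -1;
    memcpy(buf + *used, hdr, h);
    memcpy(buf + *used + h, v, vlen);
    *used += h + vlen;
    return 0;
}

/* LDAPMessage { messageID, [APPLICATION 0] BindRequest { version 3, name, sasl [3] { "GSSAPI",
 * credentials OPTIONAL } } }; token == NULL omits credentials. Assumption: 1 <= messageID <= 127,
 * so it fits one INTEGER byte. Returns the encoded length, 0 on error. */
size_t ldap_gssapi_bind_request(uint8_t *out, size_t cap, unsigned msgid,
                                const char *bind_dn, const uint8_t *token, size_t toklen)
{
    uint8_t sasl[SCRATCH], bind[SCRATCH], msg[SCRATCH], ver = 3, id = (uint8_t)msgid;
    size_t sl = 0, bl = 0, ml = 0, ol = 0;
    if (msgid == 0 || msgid > 127) return 0;
    if (ber_put(sasl, &sl, SCRATCH, 0x04, (const uint8_t *)"GSSAPI", 6)) return 0;     /* mechanism */
    if (token && ber_put(sasl, &sl, SCRATCH, 0x04, token, toklen)) return 0;          /* credentials */
    if (ber_put(bind, &bl, SCRATCH, 0x02, &ver, 1)) return 0;                          /* version */
    if (ber_put(bind, &bl, SCRATCH, 0x04, (const uint8_t *)bind_dn, strlen(bind_dn))) return 0;
    if (ber_put(bind, &bl, SCRATCH, 0xA3, sasl, sl)) return 0;                         /* sasl [3] */
    if (ber_put(msg, &ml, SCRATCH, 0x02, &id, 1)) return 0;                            /* messageID */
    if (ber_put(msg, &ml, SCRATCH, 0x60, bind, bl)) return 0;                          /* BindRequest */
    return ber_put(out, &ol, cap, 0x30, msg, ml) ? 0 : ol;                             /* LDAPMessage */
}

typedef struct { const uint8_t *p; size_t n; } ber_in;

/* Read one TLV; a length that runs past the buffer (truncated packet) is rejected. */
static int ber_get(ber_in *in, uint8_t *tag, const uint8_t **v, size_t *vlen)
{
    size_t hdr = 2, len;
    if (in->n < 2) return -1;
    *tag = in->p[0]; len = in->p[1];
    if (len & 0x80) {
        size_t cnt = len & 0x7f;
        if (cnt == 0 || cnt > sizeof(size_t) || in->n < 2 + cnt) return -1;
        for (len = 0; hdr < 2 + cnt; hdr++) len = (len << 8) | in->p[hdr];
    }
    if (in->n - hdr < len) return -1;
    *v = in->p + hdr; *vlen = len;
    in->p += hdr + len; in->n -= hdr + len;
    return 0;
}

static int ber_small_uint(const uint8_t *v, size_t n)      /* -1 if empty or wider than int */
{
    unsigned r = 0;
    if (n == 0 || n > 4 || (n == 4 && (v[0] & 0x80))) return -1;
    for (size_t i = 0; i < n; i++) r = (r << 8) | v[i];
    return (int)r;
}

#define LDAP_SASL_BIND_IN_PROGRESS 14   /* resultCode: feed serverSaslCreds to GSS, then bind again */
typedef struct { int msgid, result_code; const uint8_t *server_creds; size_t server_creds_len; } bind_response;

/* LDAPMessage { messageID, [APPLICATION 1] BindResponse { resultCode, matchedDN, diagnosticMessage,
 * referral [3] OPTIONAL, serverSaslCreds [7] OPTIONAL } }; 0 on success, -1 if malformed. */
int ldap_parse_bind_response(const uint8_t *pkt, size_t n, bind_response *r)
{
    ber_in in = { pkt, n }, msg, op;
    uint8_t tag; const uint8_t *v; size_t vl;
    if (ber_get(&in, &tag, &v, &vl) || tag != 0x30) return -1;
    msg.p = v; msg.n = vl;
    if (ber_get(&msg, &tag, &v, &vl) || tag != 0x02) return -1;
    r->msgid = ber_small_uint(v, vl);
    if (ber_get(&msg, &tag, &v, &vl) || tag != 0x61) return -1;           /* not a BindResponse */
    op.p = v; op.n = vl;
    if (ber_get(&op, &tag, &v, &vl) || tag != 0x0A) return -1;            /* ENUMERATED resultCode */
    r->result_code = ber_small_uint(v, vl);
    if (ber_get(&op, &tag, &v, &vl) || tag != 0x04) return -1;            /* matchedDN */
    if (ber_get(&op, &tag, &v, &vl) || tag != 0x04) return -1;            /* diagnosticMessage */
    r->server_creds = NULL; r->server_creds_len = 0;
    while (op.n) {                                                         /* optional trailing fields */
        if (ber_get(&op, &tag, &v, &vl)) return -1;
        if (tag == 0x87) { r->server_creds = v; r->server_creds_len = vl; }   /* [7] serverSaslCreds */
    }
    return (r->msgid < 0 || r->result_code < 0) ? -1 : 0;
}

/* Constructed server reply to msgid 1: saslBindInProgress (14), serverSaslCreds "srv". */
const uint8_t SAMPLE_IN_PROGRESS[19] = { 0x30, 0x11, 0x02, 0x01, 0x01, 0x61, 0x0C, 0x0A, 0x01, 0x0E,
                                         0x04, 0x00, 0x04, 0x00, 0x87, 0x03, 's', 'r', 'v' };
```

Calling ldap_gssapi_bind_request(out, cap, 1, "", tok, toklen) yields 30 19 02 01 01 60 14 02 01 03 04 00 A3 0D 04 06 "GSSAPI" 04 03 tok for a 3-byte token; the bind DN is normally empty for SASL because the identity comes from the Kerberos principal, not from the name field. The SDK's ldap_sasl_bind_s() loop hides this exchange: it hands each serverSaslCreds back to gss_init_sec_context(), binds again while the result is 14, and, once the context is up, does one more round for the SASL GSSAPI security-layer negotiation (RFC 4752) before returning success. The tokens themselves are the part that differs between the platforms in the post: MIT, Heimdal and SEAM produce them from their own credential cache, whereas the Windows Kerberos SSP produces wire-compatible tokens from the LSA ticket cache through InitializeSecurityContext(), which is why a GSSAPI library that only knows its own cache may not see the logon TGT.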
