SASL and the GSS-API are not easy to use. They seem overly complicated to me, and the documentation is confusing. I could only get them working by looking at sample code. I first looked at some Samba code, but decided not to go that route. OpenLDAP distributes a sample LDAP program which demonstrates SASL/GSSAPI using the ldap_sasl_interactive_bind_s() call. I based my code on that, because it has the added benefit of not requiring the user to know their LDAP DN (pass the username as something like "[EMAIL PROTECTED]").
Also, after you have bound you will obviously perform other LDAP requests such as searches. Sometimes, AD refers (redirects) these requests to other LDAP servers (or the same server with a different principal name). If this happens, you also need to set a rebind procedure with ldap_set_rebind_proc(). This rebind procedure is a callback function you define to supposedly bind to any "referred" servers. However, while messing around with it, I noticed if you make your rebind_proc just return 1, it will use your initial TGT to acquire the necessary tickets to perform the bind (which it should have done in the first place). Don't ask me why this works. I just happened to try it after many hours of frustration.

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
