Ken wrote: > You've discovered an unfortunate truth - it's difficult to ship a > third-party application that links against Kerberos libraries and > expect it to be portable. And since the Heimdal and MIT Kerberos > libraries aren't API compatible, you either have to pick one or the > other, or port to both (in my experience, porting to both isn't hard, > it's just annoying).
It is also worth mentioning that GSS-API is closer to being portable than native Kerberos APIs, and you should use GSS as much as possible to avoid some interoperability issues. It also makes your coding a lot easier. > More and more operating systems are shipping with Kerberos libraries, but > they're not universal just yet. I can only offer suggestions based on what > I have seen other vendors do in your position: > 1) Dynamically load all Kerberos functions at runtime with dlopen() or > the equivalent. > 2) Encapsulate all of your Kerberos functionality into an open-source > module or program and have your customers compile that particular bit > themselves. > 3) Include with your product a complete copy of whatever Kerberos > implementation you prefer. 4) Since your company is developing and selling commercial products to customers and providing support service that the customer expects for such products, perhaps you could partner with a vendor who provides a cross platform Kerberos implementation, so you get a consistent and supported solution, for any operating system your product may run on. Also, your customers get a complete solution that is fully supported by yourself and the partner company. I represent one such company, namely "CyberSafe". > From the customer's perspective, 1) is easier. 2) is easier for you, > as it pushes some of the issues back onto the customer, but it might > present some interesting support challenges. I don't recommend 3); I'm > only including it for the sake of completeness. I don't recommend option 3 either, but there are companies that have chosen this path, e.g. Oracle. Instead, I recommend you look at option 4. Thanks, Tim ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
