Just a quick clarification question: I'm using (1) OpenLDAP, (2) Heimdal Kerberos, and (3) Cyrus SASL.

I exist in realm CHILD1.EXAMPLE.COM, and the ldap directory is in CHILD2.EXAMPLE.COM, both of which trust PARENT.EXAMPLE.COM. I first use Heimdal Kerberos to log into CHILD1.EXAMPLE.COM and save my credentials. Now, at this point, is it my responsibility to somehow traverse the realms from CHILD1 -> PARENT, PARENT -> CHILD2 with Heimdal Kerberos, or can I just call ldap_sasl_interactive_bind_s() at this point and expect it to traverse the realms for me?

Thanks,
- Jeremiah
[EMAIL PROTECTED]

On 9/16/05, Kurt D. Zeilenga <[EMAIL PROTECTED]> wrote:
>
> At 05:39 AM 9/16/2005, Jeremiah Martell wrote:
> >Thanks for the reply. However, my system is set up correctly for
> >cross-realm authentication. I have another application that does it
> >perfectly fine, so it's not how my system is set up.
>
> You should get Cyrus SASL test programs working, then get
> ldapwhoami(1) working with SASL, then worry about your own
> programs. Discussions of the Cyrus SASL test programs should
> be taken to the Cyrus SASL mailing list.
>
> >Anybody have any experience on how to correctly use
> >ldap_sasl_interactive_bind_s?
>
> Yes. See ldapwhoami code in clients/tools.
>
> >I know my "interact function" gets asked for some values, and
> >currently I return nothing. I've tried to return a valid realm but it
> >doesn't seem to get used (verified with ethereal). Any ideas?
>
> Because in Cyrus SASL the Kerberos realm in the Kerberos
> ticket is always used in the case of the GSSAPI mechanism.
>
> As Dieter hinted, getting cross-realm authentication to work
> is not really specific to OpenLDAP Software. If you get the
> Cyrus SASL test programs working, one should be able to
> get every program (such as those in OpenLDAP Software) using
> Cyrus SASL without significant hassle.
>
> Kurt
>
> >Thanks,
> >
> >- Jeremiah
> >[EMAIL PROTECTED]
> >
> >On 9/16/05, Dieter Kluenter <[EMAIL PROTECTED]> wrote:
> >>
> >> Jeremiah Martell <[EMAIL PROTECTED]> writes:
> >>
> >> > Hello,
> >> >
> >> > Is there any documentation on this function? I'm able to get openldap to
> >> > successfully use this function to authenticate to a ldap directory with
> >> > SASL/GSSAPI when my kerberos credentials and the ldap directory are in the
> >> > same realm. But when my credentials and the ldap directory are in different
> >> > realms, it's failing. I'm not sure what to pass this function to make
> >> > multi-realm logins work. Any ideas?
> >>
> >> This is a kerberos related question. Set up your system to cross realm
> >> authentication and two way trust relation.
> >>
> >> -Dieter
> >>
> >> --
> >> Dieter Klünter | Systemberatung
> >> http://www.dkluenter.de
> >> GPG Key ID:8EF7B6C6
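Kurt's checklist in the thread (stock tools first, your own ldap_sasl_interactive_bind_s() caller last) as an added shell script; this is not code from the thread or from OpenLDAP. It binds with ldapwhoami(1) over GSSAPI and then inspects the ticket cache for the cross-realm chain that a CHILD1 -> PARENT -> CHILD2 bind leaves behind. The server name ldap.child2.example.com, the $USER principal and the constructed klist text are assumptions.

```shell
# Added example, not code from the thread or from OpenLDAP: follow Kurt's
# order (get ldapwhoami(1) binding with GSSAPI first), then inspect what
# the Kerberos library put in the ticket cache. Names are assumptions.

# Ticket chain a CHILD1 client needs to reach LDAP in CHILD2 through the
# parent; libkrb5 fetches the two cross-realm TGTs itself when GSSAPI
# asks for the ldap/<host> service ticket.
expected_chain() {
    cat <<'EOF'
krbtgt/CHILD1.EXAMPLE.COM@CHILD1.EXAMPLE.COM
krbtgt/PARENT.EXAMPLE.COM@CHILD1.EXAMPLE.COM
krbtgt/CHILD2.EXAMPLE.COM@PARENT.EXAMPLE.COM
ldap/ldap.child2.example.com@CHILD2.EXAMPLE.COM
EOF
}
# missing_tickets KLIST_TEXT: print each chain principal absent from the
# klist output; return 0 only when the whole chain is present.
missing_tickets() {
    _rc=0; for _p in $(expected_chain); do
        case $1 in
            *"$_p"*) ;;
            *) echo "$_p"; _rc=1 ;;
        esac
    done
    return $_rc
}

# Constructed Heimdal-style klist output (assumption): the cache stopped
# at the parent realm, so the bind to CHILD2 never got its service ticket.
sample_klist() {
    cat <<'EOF'
        Principal: jeremiah@CHILD1.EXAMPLE.COM
Sep 16 09:00:00  Sep 16 19:00:00  krbtgt/CHILD1.EXAMPLE.COM@CHILD1.EXAMPLE.COM
Sep 16 09:01:00  Sep 16 19:00:00  krbtgt/PARENT.EXAMPLE.COM@CHILD1.EXAMPLE.COM
EOF
}
# live_check LDAP_HOST: kinit into CHILD1, bind with the stock tool, then
# verify the cache; a failure here is a Kerberos/SASL setup problem.
live_check() {
    kinit "$USER@CHILD1.EXAMPLE.COM" || return 1
    ldapwhoami -Y GSSAPI -H "ldap://$1" || return 1
    missing_tickets "$(klist)" && return 0
    echo "cross-realm chain incomplete: principals above are missing" >&2; return 1
}
case ${1-} in
    --live) live_check "${2:-ldap.child2.example.com}" ;;
    *)      missing_tickets "$(sample_klist)" || echo "(offline demo: chain incomplete)" ;;
esac
```

Run it with no arguments for the offline demonstration on the constructed cache, or with `--live [ldap-host]` on a client that already has Heimdal and the OpenLDAP tools configured.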
