Hi, I was pleased to see GSSAPI supported in Qpid Broker C++; I can think of several uses of messaging where Kerberos' single sign-on is a blessing.
But the naming of the tickets as "qpid/[email protected]" is not as I think it should be. Clients need to construct such names for their ticket requests:

- the "REALM.NAME" is the client's, or modified through KDC redirection [or perhaps using draft-vanrein-dnstxt-krb1]
- the "host.name" is derived from SRV records (it could be the domain or host)
- the service name, here "qpid", is commonly known to an implementation

The thing is that Qpid implementations may know what family they're from, but a client should not have to guess what implementation is running on a server it is trying to connect to. We have a standard protocol to escape from that :) and using "qpid/xxx" may work for Qpid clients, but others would be out of luck. This would not be the case with the normal pattern[0] that uses "amqp/[email protected]" instead.

[0] https://tools.ietf.org/html/rfc4120#section-6.2.1

As an example of this somewhat-vague text: we have "ldap/[email protected]" instead of "openldap/[email protected]" versus "389ds/[email protected]". So OpenLDAP clients can access a 389DS directory and vice versa. And nobody needs to try out many variations.

FWIW, servers can actually accept multiple names in their keytab, so backward compatibility is not an issue. I do believe, however, that the default name should be set to "amqp/[email protected]" for Qpid.

I hope this is helpful!

Rick van Rein
OpenFortress.nl / ARPA2.net / InternetWide.org
