
Re: SASL/GSSAPI with multiple Kerberos realms?



* Allan Streib (astreib@indiana.edu) wrote:
> I'm wondering if it is possible to get SASL/GSSAPI working with 
> multiple realms.  We have several Kerberos realms here and everything 
> is working fine within realm A but I have a client in realm B that 
> would like to access the LDAP server.  Any suggestions or pointers to 
> documentation?  Cross-realm trust is not an option.  Thanks!

If you can't do cross-realm trust then the person in realm B isn't going
to be able to get an ldap/<ldap server>@A ticket to talk to the ldap
server with...  If you do set up a cross-realm TGT so that the person in
realm B can get that ldap/<ldap server>@A ticket then, using OpenLDAP
2.1.12, they should show up in LDAP as:
dn:uid=person,cn=B,cn=gssapi,cn=auth

So you can give that person whatever rights in the ACL list you want...
Obviously you can also use sasl-regexp to change that into a dn in your
LDAP directory.

	Stephen
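Worked slapd.conf fragment for the setup Stephen describes, as an added example that is not part of the original message or of OpenLDAP's own documentation. It assumes OpenLDAP 2.1.x (where the directive is still spelled sasl-regexp), a directory under dc=example,dc=com, a server in realm A with realm B as the foreign realm, and that realm-B principals are recorded in a krbPrincipalName attribute; all of those names are assumptions for illustration.

```conf
# Added example, not from the original post.  Realm names, suffix and
# the krbPrincipalName attribute are assumed for illustration.

# Realm A is the server's own realm.  With sasl-realm set to A, a
# realm-A principal is normally presented without a realm component:
#     uid=person,cn=gssapi,cn=auth
# A principal from any other realm (here B) carries the realm:
#     uid=person,cn=B,cn=gssapi,cn=auth
sasl-realm      A
sasl-host       ldap.example.com

# Map realm-A users to their directory entries by uid.
sasl-regexp
    "uid=([^,]*),cn=gssapi,cn=auth"
    "ldap:///dc=example,dc=com??sub?(uid=$1)"

# Map realm-B users with a separate rule keyed on the full principal,
# so that "person" in realm B cannot land on realm A's "person" entry.
# Listing B explicitly, rather than matching cn=([^,]*), means a
# principal from any further realm maps to nothing and stays anonymous.
sasl-regexp
    "uid=([^,]*),cn=B,cn=gssapi,cn=auth"
    "ldap:///dc=example,dc=com??sub?(krbPrincipalName=$1@B)"

# The raw SASL DN can also be used directly in ACLs, as Stephen notes,
# whether or not a sasl-regexp rewrites it:
access to dn.subtree="ou=partners,dc=example,dc=com"
    by dn.regex="^uid=[^,]+,cn=B,cn=gssapi,cn=auth$" read
    by dn.exact="uid=person,cn=B,cn=gssapi,cn=auth" write
    by * none
```

The regexp part only matters once the Kerberos side works: "cross-realm TGT" here means a krbtgt/A@B principal with the same key in both KDCs, so that a realm-B client can obtain ldap/ldap.example.com@A. To check what slapd actually sees, run `kinit person@B` on the realm-B client and then `ldapwhoami -Y GSSAPI -H ldap://ldap.example.com`; it prints either the cn=auth form above or, once a sasl-regexp matches, the mapped directory DN. Matching a fixed realm rather than `cn=([^,]*)` is deliberate: a wildcard realm rule would let any realm the KDC ever trusts mint identities in your tree.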
