Re: SASL/GSSAPI with multiple Kerberos realms?




On Friday, February 21, 2003, at 12:15 PM, Stephen Frost wrote:

> If you can't do cross-realm trust then the person in realm B isn't going
> to be able to get an ldap/<ldap server>@A ticket to talk to the ldap
> server with... If you do set up a cross-realm TGT so that the person in
> realm B can get that ldap/<ldap server>@A ticket then, using OpenLDAP
> 2.1.12, they should show up in LDAP as:
> dn:uid=person,cn=B,cn=gssapi,cn=auth

Thanks. I forgot to mention that we're still on 2.0.27 but I assume that the dn will just be in that format then (e.g. uid=person+REALM=B). I will present this to our Kerberos admins and see what they say.


Allan