[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: openldap 2.4.6 and GSSAPI/kerberos

To: Howard Chu <hyc@symas.com>
Subject: Re: openldap 2.4.6 and GSSAPI/kerberos
From: "David E. Cross" <crossd@cs.rpi.edu>
Date: Mon, 19 Nov 2007 16:45:07 -0500 (EST)
Cc: openldap-software@openldap.org
In-reply-to: <4741FE11.2040008@symas.com>
References: <20071119152019.H94085@monica.cs.rpi.edu> <4741FE11.2040008@symas.com>

2:
Usually one would expect "3:" to come after "2:" ...

Heh, fair enough.

You haven't read the documentation. Section 13.2.4: Note also that the realm part will be omitted if the default realm was used in the authentication.

The SASL library always omits the realm if it matches the default realm. This is also documented in the FAQ and the Cyrus SASL docs.

Ok, fair enough and its what I was intuitively guessing, I just wanted to make sure that I wasn't opening myself up in the advent that I enabled cross-realm keys and the realm was ignored. This is amazingly unclear in section 13.2.1 where its discussed "your realm" 'EXAMPLE.COM' and setting the cn to be that explicitly. Especially given that the mapping section is referenced with the note that you don't have to do this.

I'll write a request off to the documentation people to fix these, or to at least make it more obvious.

--
David E. Cross

References:
- openldap 2.4.6 and GSSAPI/kerberos
  - From: "David E. Cross" <crossd@cs.rpi.edu>
- Re: openldap 2.4.6 and GSSAPI/kerberos
  - From: Howard Chu <hyc@symas.com>

Prev by Date: Re: openldap 2.4.6 and GSSAPI/kerberos
Next by Date: RE: Enabling TLS problem on openldap2-2.3.39
Index(es):
- Chronological
- Thread