
Re: Cross Realm HELP



> I can also use OpenLDAP and SASL (GSSAPI (Kerberos)) to connect to an LDAP
> directory. I first do the above to authenticate myself with Kerberos, store
> the credentials, and connect to the LDAP directory
> (ldap_sasl_interactive_bind_s()). However, this only works when the user and
> the LDAP directory are in the same realm.
> 
> I'm wondering if I'm supposed to first authenticate to the realm where the
> ldap server is before using ldap_sasl_interactive_bind_s()? Do I need to
> pass something in the krb5_get_init_creds_password() to authenticate to
> another realm? Am I missing something else entirely? Any help would be
> greatly appreciated!

you have two options

1. authenticate as a user in the realm of the LDAP server, as
   you suggest. then the KDC for the LDAP server realm will be able
   to handle everything

2. set up a cross-realm key between the realm you want to get initial
   credentials in and the realm of the LDAP server. see
   http://www.pdc.kth.se/heimdal/heimdal.html#Cross-realm

both of these require that you either have a [realms] krb5.conf entry
for the realm of the ldap server (and any required [domain_realm]
configuration) or that the realm and its KDCs are discernible by DNS
lookup (and you have dns_lookup_kdc = true in [libdefaults], if your
heimdal installation is older). see
http://www.pdc.kth.se/heimdal/heimdal.html#Configuration-file and/or
http://www.pdc.kth.se/heimdal/heimdal.html#Setting-up-DNS if any
of this is news to you
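A client-side krb5.conf sketch for option 2, added here as an illustration and not taken from the message above or from the Heimdal documentation; the realm names USERS.EXAMPLE.COM and LDAP.EXAMPLE.COM and all host names are placeholders:

```ini
# Constructed example krb5.conf for the client that calls
# krb5_get_init_creds_password() and then ldap_sasl_interactive_bind_s().
# The user obtains initial credentials in USERS.EXAMPLE.COM; the LDAP
# server lives in LDAP.EXAMPLE.COM. Realm and host names are placeholders.

[libdefaults]
    default_realm = USERS.EXAMPLE.COM
    # Only needed on older Heimdal if the LDAP realm and its KDC are to
    # be found via DNS SRV records instead of the [realms] section below.
    dns_lookup_kdc = true

[realms]
    USERS.EXAMPLE.COM = {
        kdc = kdc.users.example.com
    }
    # The client must be able to reach the KDC of the LDAP server's realm:
    # it presents the cross-realm TGT there to get the ldap/ service ticket.
    LDAP.EXAMPLE.COM = {
        kdc = kdc.ldap.example.com
    }

[domain_realm]
    # Maps the LDAP server's host name to its realm so the library knows
    # that ldap/ldap1.ldap.example.com belongs to LDAP.EXAMPLE.COM and
    # asks for a cross-realm ticket instead of a local one.
    .ldap.example.com = LDAP.EXAMPLE.COM
    ldap1.ldap.example.com = LDAP.EXAMPLE.COM
```

The cross-realm key itself is configured on the KDCs, not here: both KDC databases need the principal krbtgt/LDAP.EXAMPLE.COM@USERS.EXAMPLE.COM with the same key. A quick check that the setup works is to run klist after the bind: the credential cache should then hold krbtgt/LDAP.EXAMPLE.COM@USERS.EXAMPLE.COM next to the ldap/ service ticket.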