[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Cross Realm HELP
Thanks for your reply.
In my particular configuration, there is a realm called
"PARENT.EXAMPLE.COM", and two children realms called
"CHILD1.EXAMPLE.COM", and "CHILD2.EXAMPLE.COM". Cross realm trusts
exist so that if I authenticate into CHILD1, I can traverse to PARENT,
and then to CHILD2, where the LDAP directory resides.
My krb5.conf file is setup correctly because another
application can successfully accomplish what I'm after. It logs into
CHILD1, traverses realms until it gets to CHILD2, and binds to the LDAP
Directory. So from this I'm assuming the krb5.conf and the necessary
trusts are setup properly.
After we know our environment is in working order, what's
the code look like? Is there something I pass to my heimdal calls that
tell it to authenticate to one realm, but then traverse realms until
you get to another realm where the ldap directory is? Or should the
OpenLDAP take care of this for me in ldap_sasl_interactive_bind_s()?
I'm a little confused as to who's responsibility it is to
traverse the realms. Do I need to put it in the code myself? Can
Heimdal magically take care of this for me? Does the OpenLDAP or Cyrus
SASL libraries take care of this for me? Again, any help is greatly
On 9/20/05, Buck Huppmann <firstname.lastname@example.org
> I can also use OpenLDAP and SASL (GSSAPI (Kerberos)) to connect to an LDAP
> directory. I first do the above to authenticate myself with Kerberos, store
> the credentials, and connect to the LDAP directory
> (ldap_sasl_interactive_bind_s()). However, this only works when the user and
> the LDAP directory are in the same realm.
> I'm wondering if I'm supposed to first authenticate to the realm where the
> ldap server is before using ldap_sasl_interactive_bind_s()? Do I need to
> pass something in the krb5_get_init_creds_password() to authenticate to
> another realm? Am I missing something else entirely? Any help would be
> greatly appreciated!
you have two options
1. authenticate as a a user in the realm of the LDAP server, as
you suggest. then the KDC for the LDAP server realm will be able
to handle everything
2. set up a cross-realm key between the realm you want to get initial
credentials in and the realm of the LDAP server. see
both of these require that you either have a [realms]
for the realm of the ldap server (and any required [domain_realm] con-
figuration) or that the realm and its KDCs are discernible by DNS look-
up (and you have dns_lookup_kdc = true in [libdefaults], if your heim-
dal installation is older). see
http://www.pdc.kth.se/heimdal/heimdal.html#Setting-up-DNS if any
of this is news to you