
Re: Cross Realm HELP



Buck,

   Thanks for your reply.

   In my particular configuration, there is a realm called "PARENT.EXAMPLE.COM", and two children realms called "CHILD1.EXAMPLE.COM", and "CHILD2.EXAMPLE.COM". Cross realm trusts exist so that if I authenticate into CHILD1, I can traverse to PARENT, and then to CHILD2, where the LDAP directory resides.

   My krb5.conf file is set up correctly because another application can successfully accomplish what I'm after. It logs into CHILD1, traverses realms until it gets to CHILD2, and binds to the LDAP Directory. So from this I'm assuming the krb5.conf and the necessary trusts are set up properly.

   After we know our environment is in working order, what does the code look like? Is there something I pass to my heimdal calls that tells it to authenticate to one realm, but then traverse realms until you get to another realm where the ldap directory is? Or should OpenLDAP take care of this for me in ldap_sasl_interactive_bind_s()?
   I'm a little confused as to whose responsibility it is to traverse the realms. Do I need to put it in the code myself? Can Heimdal magically take care of this for me? Do the OpenLDAP or Cyrus SASL libraries take care of this for me? Again, any help is greatly appreciated!

   Thanks,

 - Jeremiah
 inlovewithGod@gmail.com

On 9/20/05, Buck Huppmann <buckh@pobox.com> wrote:
> I can also use OpenLDAP and SASL (GSSAPI (Kerberos)) to connect to an LDAP
> directory. I first do the above to authenticate myself with Kerberos, store
> the credentials, and connect to the LDAP directory
> (ldap_sasl_interactive_bind_s()). However, this only works when the user and
> the LDAP directory are in the same realm.
>
> I'm wondering if I'm supposed to first authenticate to the realm where the
> ldap server is before using ldap_sasl_interactive_bind_s()? Do I need to
> pass something in the krb5_get_init_creds_password() to authenticate to
> another realm? Am I missing something else entirely? Any help would be
> greatly appreciated!

you have two options

1. authenticate as a user in the realm of the LDAP server, as
   you suggest. then the KDC for the LDAP server realm will be able
   to handle everything

2. set up a cross-realm key between the realm you want to get initial
   credentials in and the realm of the LDAP server. see
   http://www.pdc.kth.se/heimdal/heimdal.html#Cross-realm

both of these require that you either have a [realms] krb5.conf entry
for the realm of the ldap server (and any required [domain_realm]
configuration) or that the realm and its KDCs are discernible by DNS
lookup (and you have dns_lookup_kdc = true in [libdefaults], if your
heimdal installation is older). see
http://www.pdc.kth.se/heimdal/heimdal.html#Configuration-file and/or
http://www.pdc.kth.se/heimdal/heimdal.html#Setting-up-DNS if any
of this is news to you
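
As an added illustration (not part of the original thread), here is a krb5.conf fragment for the three realms described above. The KDC hostnames are made up, and the [capaths] section is included on the assumption that the transit path CHILD1 -> PARENT -> CHILD2 has to be spelled out, since it is not the hierarchical default the library would derive from the realm names.

```ini
# Added example; hostnames are constructed, not from the original thread.
[libdefaults]
    default_realm = CHILD1.EXAMPLE.COM
    # lets the library find KDCs via DNS SRV records for realms
    # that have no explicit [realms] entry below
    dns_lookup_kdc = true

[realms]
    # explicit KDC entries for every realm on the trust path
    PARENT.EXAMPLE.COM = {
        kdc = kdc.parent.example.com
    }
    CHILD1.EXAMPLE.COM = {
        kdc = kdc.child1.example.com
    }
    CHILD2.EXAMPLE.COM = {
        kdc = kdc.child2.example.com
    }

[domain_realm]
    # maps the LDAP server's hostname to its realm so the client asks
    # for ldap/ldap.child2.example.com@CHILD2.EXAMPLE.COM
    .child2.example.com = CHILD2.EXAMPLE.COM
    .child1.example.com = CHILD1.EXAMPLE.COM
    .parent.example.com = PARENT.EXAMPLE.COM

[capaths]
    # assumption: client realm = { server realm = intermediate realm }
    # tells the client to obtain the cross-realm TGT via PARENT
    # instead of guessing a path from the realm names
    CHILD1.EXAMPLE.COM = {
        CHILD2.EXAMPLE.COM = PARENT.EXAMPLE.COM
    }
```

With this in place the application code stays as it is: krb5_get_init_creds_password() obtains credentials in CHILD1, and the GSSAPI mechanism underneath ldap_sasl_interactive_bind_s() walks the cross-realm path on its own when it requests the service ticket.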