LDAP, MIT Kerberos and SPNEGO


LDAP, MIT Kerberos and SPNEGO

Arpit Srivastava
Hi,

I have a Java LDAP client and my AD-based LDAP server supports the GSS-SPNEGO
mechanism for bind requests. I am trying to bind to the LDAP server using
SPNEGO, and using the MIT Kerberos (I have built the 1.11.3 version) library
for the Kerberos GSS API implementation. However, I have the following queries:

1. Does the MIT Kerberos library support GSS-SPNEGO?
(because I am getting a libc error from the Kerberos library if I set the oid for
GSS-SPNEGO in the org.ietf.jgss createContext() method; however, if I set the
same for Kerberos, it just works fine.)

2. As in HTTP Negotiate authentication, we attach 'Negotiate AuthToken'
in the Authentication header in HTTP GET requests, what should be the
procedure for LDAP bind requests for SPNEGO (which should resolve to
Kerberos) which go as TCP packets?

Regards,
Arpit
_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev

Re: LDAP, MIT Kerberos and SPNEGO

Simo Sorce
----- Original Message -----

> Hi,
>
> I have a Java LDAP client and my AD-based LDAP server supports the GSS-SPNEGO
> mechanism for bind requests. I am trying to bind to the LDAP server using
> SPNEGO, and using the MIT Kerberos (I have built the 1.11.3 version) library
> for the Kerberos GSS API implementation. However, I have the following queries:
>
> 1. Does the MIT Kerberos library support GSS-SPNEGO?
> (because I am getting a libc error from the Kerberos library if I set the oid for
> GSS-SPNEGO in the org.ietf.jgss createContext() method; however, if I set the
> same for Kerberos, it just works fine.)
>
> 2. As in HTTP Negotiate authentication, we attach 'Negotiate AuthToken'
> in the Authentication header in HTTP GET requests, what should be the
> procedure for LDAP bind requests for SPNEGO (which should resolve to
> Kerberos) which go as TCP packets?

Arpit,
I am not sure about the Java client, but using OpenLDAP libraries linked
against cyrus-sasl all you need to do is to use GSS-SPNEGO as the SASL
method, and it works.

Simo.

--
Simo Sorce * Red Hat, Inc. * New York
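The second question in the thread (how the SPNEGO token travels in an LDAP bind, as opposed to an HTTP Negotiate header) is answered by the LDAPv3 wire format in RFC 4511: the client sends a BindRequest whose AuthenticationChoice is `sasl [3]` with mechanism `GSS-SPNEGO` and the GSS output token as the credentials octet string; the server answers with a BindResponse carrying `serverSaslCreds [7]` and result code `saslBindInProgress` (14) until the final round returns `success` (0). The following is an added example, not code from the krbdev thread, written in Python rather than Java because it is the BER framing, not a particular client library, that is being shown. The GSS tokens, the `fake_init_sec_context` stand-in for JGSS/MIT `initSecContext`, and the `make_fake_server` stand-in for the AD side are all constructed placeholders.

```python
"""Encode an LDAP SASL BindRequest for GSS-SPNEGO and drive a multi-round bind
(RFC 4511 framing). Added example; tokens and both endpoints are constructed."""

SASL_BIND_IN_PROGRESS = 14   # RFC 4511 resultCode: more SASL rounds needed
SUCCESS = 0
AUTH_METHOD_NOT_SUPPORTED = 7


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(n: int) -> bytes:
    # Minimal two's-complement encoding, as BER INTEGER requires.
    return tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True))


def bind_request(msg_id: int, token: bytes, mechanism: bytes = b"GSS-SPNEGO") -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name "", sasl [3] {mechanism, credentials} } }."""
    sasl = tlv(0xA3, tlv(0x04, mechanism) + tlv(0x04, token))   # [3] SaslCredentials, constructed
    bind = tlv(0x60, ber_int(3) + tlv(0x04, b"") + sasl)          # [APPLICATION 0] BindRequest
    return tlv(0x30, ber_int(msg_id) + bind)


def parse_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def bind_response(msg_id: int, result_code: int, server_creds: bytes = None) -> bytes:
    """LDAPMessage { messageID, BindResponse { resultCode, matchedDN, diagnosticMessage, serverSaslCreds [7] } }."""
    body = tlv(0x0A, bytes([result_code])) + tlv(0x04, b"") + tlv(0x04, b"")
    if server_creds is not None:
        body += tlv(0x87, server_creds)                            # [7] serverSaslCreds, primitive
    return tlv(0x30, ber_int(msg_id) + tlv(0x61, body))          # [APPLICATION 1] BindResponse


def parse_bind_response(msg: bytes):
    """Return (message_id, result_code, server_sasl_creds or None)."""
    tag, body, _ = parse_tlv(msg)
    assert tag == 0x30, "not an LDAPMessage"
    _, mid, p = parse_tlv(body)
    tag, resp, _ = parse_tlv(body, p)
    assert tag == 0x61, "not a BindResponse"
    _, code, p = parse_tlv(resp)           # resultCode ENUMERATED
    _, _, p = parse_tlv(resp, p)           # matchedDN
    _, _, p = parse_tlv(resp, p)           # diagnosticMessage
    creds = None
    while p < len(resp):                   # optional referral [3] / serverSaslCreds [7]
        tag, val, p = parse_tlv(resp, p)
        if tag == 0x87:
            creds = val
    return int.from_bytes(mid, "big", signed=True), int.from_bytes(code, "big", signed=True), creds


def sasl_bind(send, init_sec_context, mechanism: bytes = b"GSS-SPNEGO") -> int:
    """Drive the SASL bind: each round sends the mechanism's output token and feeds
    serverSaslCreds back in, until the server stops answering saslBindInProgress.
    send(bytes) -> bytes stands in for one TCP round trip (BER lengths delimit messages)."""
    msg_id, in_token = 1, None
    while True:
        out_token = init_sec_context(in_token)
        mid, code, in_token = parse_bind_response(send(bind_request(msg_id, out_token, mechanism)))
        assert mid == msg_id, "response does not match our request"
        if code != SASL_BIND_IN_PROGRESS:
            return code
        msg_id += 1


def fake_init_sec_context(in_token):
    """Constructed stand-in for GSSContext.initSecContext(): next client token."""
    return b"client-token-0" if in_token is None else b"client-reply-to:" + in_token


def make_fake_server(rounds: int = 2):
    """Constructed stand-in for the AD side: rejects any mechanism other than
    GSS-SPNEGO, answers saslBindInProgress with a server token for the first
    rounds, then success with a final token. Returns (send, tokens_seen)."""
    seen = []

    def send(req: bytes) -> bytes:
        _, body, _ = parse_tlv(req)
        _, mid, p = parse_tlv(body)
        _, bind, _ = parse_tlv(body, p)
        _, _, p = parse_tlv(bind)          # version
        _, _, p = parse_tlv(bind, p)       # name
        _, sasl, _ = parse_tlv(bind, p)    # [3] SaslCredentials
        _, mech, p = parse_tlv(sasl)
        _, cred, _ = parse_tlv(sasl, p)
        msg_id = int.from_bytes(mid, "big", signed=True)
        if mech != b"GSS-SPNEGO":
            return bind_response(msg_id, AUTH_METHOD_NOT_SUPPORTED)
        seen.append(cred)
        if len(seen) < rounds:
            return bind_response(msg_id, SASL_BIND_IN_PROGRESS, b"server-token-%d" % len(seen))
        return bind_response(msg_id, SUCCESS, b"server-token-final")

    return send, seen


if __name__ == "__main__":
    send, seen = make_fake_server()
    print("bind result:", sasl_bind(send, fake_init_sec_context), "tokens sent:", seen)
```

In a real client the only pieces that change are `send` (the LDAP socket) and `init_sec_context` (JGSS `GSSContext.initSecContext` or `gss_init_sec_context` with the SPNEGO OID); there is no header to build, the token is just the `credentials` octet string. Note that `sasl_bind` above returns as soon as it sees `success`, whereas a production client must still hand that final `serverSaslCreds` to the GSS layer so the mechanism can verify the server's last token; skipping that step silently drops mutual authentication.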