Authenticate to LDAP with GSSAPI

William william at firstyear.id.au
Sun Jun 14 04:48:46 CEST 2015


> > > > I vote for this functionality, too.
> > > 
> > > You're free to write a patch and submit it.
> > 
> > It's already supported. I just backported it from v3.1.x as SASL 
> > non-interactive bind didn't seem to work for EXTERNAL binds (which 
> > was the main reason I added SASL bind support).
> > 
> > Regarding setting the keytab... no idea. How do you do it for 
> > ldapsearch?
> 
> Hmm, this explains the limitation:
> 
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=412017
> 
> Apparently it's KRB5_KTNAME, there are probably other environmental 
> variables to set other things...
> 

You can specify it with KRB5_KTNAME if you want the LDAP library to
actually do the ktinit and manage the ccache itself. Alternatively, you
can do the ktinit from your own application (i.e. radiusd) and then
because the ccache is already created at that point, you can then pass
that to the ldap search routines and it will utilise the credentials.
bind-dyndb-ldap has a good simple example of this.

So anyway, what I'm gathering from this response is:

* It's not currently supported
* It would be nice to have

Thanks all for the fast response,

Sincerely,

William
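
The second approach in the message above (get the ticket yourself, then hand the finished ccache to the LDAP client), as an added example that is not part of the original post or of FreeRADIUS. It assumes the MIT Kerberos `kinit`/`kdestroy` and OpenLDAP `ldapsearch` command-line tools; the keytab permission check, the `DRY_RUN` switch and all names in the usage comment are constructed for illustration.

```shell
#!/bin/sh
# Constructed values (assumptions, not from the post): the keytab path,
# principal, URI and base DN shown in the usage comment at the bottom.

# A keytab holds long-term keys: accept it only if group/other have no access.
keytab_is_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Run a command, or only print it when DRY_RUN=1 (no KDC needed to read the flow).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# gssapi_search KEYTAB PRINCIPAL URI BASE
# The caller obtains the ticket itself, into a ccache only it can read,
# then points the LDAP client at that ccache through KRB5CCNAME.
gssapi_search() (
    keytab=$1 principal=$2 uri=$3 base=$4
    keytab_is_private "$keytab" || {
        echo "refusing keytab readable by group/other: $keytab" >&2
        exit 2
    }
    dir=$(mktemp -d) || exit 1        # mktemp -d creates the directory mode 0700
    trap 'rm -rf "$dir"' EXIT
    KRB5CCNAME="FILE:$dir/krb5cc"
    export KRB5CCNAME
    # -k: use a keytab, -t: which keytab, -c: which ccache to write
    run kinit -k -t "$keytab" -c "$KRB5CCNAME" "$principal" || exit 3
    # -Y GSSAPI: SASL/GSSAPI bind using the ticket in $KRB5CCNAME
    run ldapsearch -Q -Y GSSAPI -H "$uri" -b "$base" -s base
    rc=$?
    run kdestroy -c "$KRB5CCNAME"     # wipe the ticket before the directory goes
    exit "$rc"
)

# Usage (constructed values):
#   gssapi_search /etc/raddb/radiusd.keytab radiusd/radius.example.test@EXAMPLE.TEST \
#       ldap://ldap.example.test dc=example,dc=test
```

Setting `DRY_RUN=1` prints the three commands instead of running them, which is enough to see that the ccache is private to this one invocation and never the user's default one.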