smbd in master and kerberos SASL auth for passdb modules

Jeremy Allison jra at samba.org
Mon Mar 19 15:02:24 MDT 2012


On Mon, Mar 19, 2012 at 10:36:06PM +0200, Alexander Bokovoy wrote:
> >
> > Can you be precise about the code changes you need please ?
> I need to authenticate LDAP connection with a mechanism other than
> simple bind. This could be solved generally by allowing to use a
> different bind method in smbldap_connect_system() in
> source3/lib/smbldap.c, like in the patch I made:
> http://abbra.fedorapeople.org/.paste/0001-Add-ability-to-use-external-callback-to-perform-LDAP.patch
> 
> Adding bind callback support to smbldap would solve a problem of
> making own authenticator but it will not make SASL GSSAPI-based one
> working without ensuring smbd is built with a single Kerberos library.
> 
> The rest can be done by an smbldap's user code and as
> http://abbra.fedorapeople.org/.paste/krb5_bind_test.c shows, the
> actual code is rather small (it would be a bit different in Heimdal
> variant but still small).

That doesn't seem too controversial to me. Just get someone
who works on the LDAP code to review (vl?) and just push it.

> Guenther is looking into it, he might have already got some progress.
> 
> I experimented with enabling MIT krb5 build in waf myself and one
> issue is that we currently have global set of defines across both
> source3 and source4 that affect both parts. We need to be able to
> switch certain groups of defines per subsystem in order to enable
> finer selection like triggering libkrb5 selection at least on
> source3/source4 level. When I enable global MIT krb5 build, I'm
> getting hit by heimdal not compilable because wrong include paths are
> used as parts of system wide Kerberos step over.

Hmmm. Waf stuff, not my area of expertise I'm afraid :-).

