Kerberization of mail client

Xu, Qiang (FXSGSC) Qiang.Xu at fujixerox.com
Tue Apr 20 21:38:09 EDT 2010


> -----Original Message-----
> From: Henry B. Hotz [mailto:hotz at jpl.nasa.gov] 
> Sent: Wednesday, April 21, 2010 1:15 AM
> To: Xu, Qiang (FXSGSC)
> Cc: cyrus-sasl at lists.andrew.cmu.edu
> Subject: Re: Kerberization of mail client
> 
> No.
> 
> This should all happen automatically, and be done by the 
> kerberos libraries.

In LDAP Kerberization, I must provide an interface function and some SASL callbacks, like the following: 
=========================================================
#include <string.h>
#include <ldap.h>         /* Mozilla/Netscape LDAP C SDK: ldap_sasl_interactive_bind_ext_s() */
#include <ldappr.h>       /* prldap_init() */
#include <sasl/sasl.h>    /* SASL_CB_* prompt ids, sasl_interact_t */

static char *sasl_mech = "GSSAPI";
static int sasl_flags = LDAP_SASL_QUIET;
...
/* warning! - the following requires intimate knowledge of sasl.h */
/* Every prompt is answered with an empty string: for GSSAPI the identity
 * comes from the Kerberos credential cache, so nothing needs to be typed. */
static char *default_values[] = {
    "", /* SASL_CB_USER         0x4001 */
    "", /* SASL_CB_AUTHNAME     0x4002 */
    "", /* SASL_CB_LANGUAGE     0x4003 */ /* not used */
    "", /* SASL_CB_PASS         0x4004 */
    "", /* SASL_CB_ECHOPROMPT   0x4005 */
    "", /* SASL_CB_NOECHOPROMPT 0x4006 */
    "", /* SASL_CB_CNONCE       0x4007 */
    ""  /* SASL_CB_GETREALM     0x4008 */
};

/* this is so we can use SASL_CB_USER etc. to index into default_values
 * (macro arguments parenthesised so compound expressions index correctly) */
#define VALIDVAL(n) (((n) >= SASL_CB_USER) && ((n) <= SASL_CB_GETREALM))
#define VAL(n) default_values[(n) - SASL_CB_USER]
...
/* Interaction callback: the SASL library hands us a list of prompts it
 * could not answer itself; we fill each one from default_values. */
static int example_sasl_interact(LDAP *ld, unsigned flags, void *defaults, void *prompts)
{
    sasl_interact_t *interact = NULL;

    if (prompts == NULL)
    {
        return (LDAP_PARAM_ERROR);
    }

    for (interact = prompts; interact->id != SASL_CB_LIST_END; interact++)
    {
        if (VALIDVAL(interact->id))
        {
            interact->result = VAL(interact->id);
            interact->len = strlen((char *)interact->result);
        }
    }
    return (LDAP_SUCCESS);
}
...
  /* Empty bind DN and no request controls: the GSSAPI mechanism supplies
   * the identity from the Kerberos TGT via the callback above. */
  ldapHandle = prldap_init(primaryIP, primaryServerPort, 0);
  ldapStatus = ldap_sasl_interactive_bind_ext_s(ldapHandle, "", sasl_mech,
                                                NULL, NULL, sasl_flags,
                                                example_sasl_interact, NULL, &responseControls);
=========================================================
So I guess some similar routines must be provided for the authentication of the mail client against the mail server, using the Kerberos TGT. You mean I don't need to provide such interfaces? Then, when the server requires authentication from the client, what should I do to log into the mail server?

Thanks,
Xu Qiang
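For the mail-client side of this question, the following is an added example (not code from this thread, from Fuji Xerox, or from Cyrus SASL) of what a client actually puts on the wire during IMAP AUTHENTICATE GSSAPI (RFC 3501 section 6.2.2 and RFC 4752), and what the final token of the exchange means. The GSSAPI tokens themselves are opaque and come from the Kerberos/GSSAPI library; in a Cyrus SASL client they are returned by sasl_client_start() and sasl_client_step(), which also parse the security-layer token internally, so this block makes that step visible rather than adding a callback of the kind shown for LDAP. The server continuation line, the 4096-byte server limit, the 65536-byte client limit and the empty authorization identity are constructed sample values.

```c
/* Client-side framing for IMAP "AUTHENTICATE GSSAPI" (RFC 3501, RFC 4752).
 * Added example, not code from the mailing-list post or from Cyrus SASL.
 * The opaque GSSAPI tokens come from the Kerberos/GSSAPI library
 * (sasl_client_start()/sasl_client_step() in a Cyrus SASL client). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Base64-encode len bytes; returns a malloc'd NUL-terminated string. */
char *b64_encode(const unsigned char *in, size_t len)
{
    char *out = malloc(((len + 2) / 3) * 4 + 1);
    size_t i, o = 0;
    if (!out) return NULL;
    for (i = 0; i < len; i += 3) {
        uint32_t v = (uint32_t)in[i] << 16;
        if (i + 1 < len) v |= (uint32_t)in[i + 1] << 8;
        if (i + 2 < len) v |= in[i + 2];
        out[o++] = B64[(v >> 18) & 63];
        out[o++] = B64[(v >> 12) & 63];
        out[o++] = (i + 1 < len) ? B64[(v >> 6) & 63] : '=';
        out[o++] = (i + 2 < len) ? B64[v & 63] : '=';
    }
    out[o] = '\0';
    return out;
}

/* Base64-decode into out (sized >= strlen(in)*3/4); returns the byte
 * count, or -1 on a character outside the alphabet. */
int b64_decode(const char *in, unsigned char *out)
{
    uint32_t v = 0;
    int bits = 0, n = 0;
    for (; *in && *in != '='; in++) {
        const char *p = strchr(B64, *in);
        if (!p) return -1;
        v = (v << 6) | (uint32_t)(p - B64);
        bits += 6;
        if (bits >= 8) { bits -= 8; out[n++] = (v >> bits) & 0xff; }
    }
    return n;
}

/* Server continuation line "+ <base64>\r\n" -> token bytes; -1 if the
 * line is not a continuation (e.g. a tagged NO/BAD) or does not fit. */
int parse_continuation(const char *line, unsigned char *tok, size_t cap)
{
    char buf[1024];
    size_t n;
    if (line[0] != '+') return -1;
    line++;
    if (*line == ' ') line++;
    n = strcspn(line, "\r\n");
    if (n >= sizeof buf || (n / 4) * 3 > cap) return -1;
    memcpy(buf, line, n);
    buf[n] = '\0';
    return b64_decode(buf, tok);
}

/* The client's next line: base64(token) followed by CRLF (malloc'd). */
char *client_line(const unsigned char *tok, size_t len)
{
    char *b64 = b64_encode(tok, len), *line;
    size_t n;
    if (!b64) return NULL;
    n = strlen(b64);
    line = malloc(n + 3);
    if (line) { memcpy(line, b64, n); memcpy(line + n, "\r\n", 3); }
    free(b64);
    return line;
}

/* RFC 4752 layer negotiation: the server's last token, after gss_unwrap(),
 * is 4 octets: a bitmask of offered layers and a 24-bit max message size.
 * The client replies (before gss_wrap()) with its chosen layer, its own
 * max size, and the authorization identity. */
#define GSS_LAYER_NONE      1
#define GSS_LAYER_INTEGRITY 2
#define GSS_LAYER_CONF      4

struct layer_offer { unsigned mask; uint32_t max_size; };

int parse_layer_offer(const unsigned char *tok, size_t len, struct layer_offer *o)
{
    if (len != 4) return -1;
    o->mask = tok[0] & 7;
    o->max_size = ((uint32_t)tok[1] << 16) | ((uint32_t)tok[2] << 8) | tok[3];
    return o->mask ? 0 : -1;
}

/* Strongest layer both sides accept, or 0 when there is no common choice. */
unsigned choose_layer(unsigned offered, unsigned acceptable)
{
    unsigned both = offered & acceptable;
    if (both & GSS_LAYER_CONF) return GSS_LAYER_CONF;
    if (both & GSS_LAYER_INTEGRITY) return GSS_LAYER_INTEGRITY;
    if (both & GSS_LAYER_NONE) return GSS_LAYER_NONE;
    return 0;
}

size_t build_layer_reply(unsigned layer, uint32_t max_size, const char *authzid,
                         unsigned char *out, size_t cap)
{
    size_t alen = authzid ? strlen(authzid) : 0;
    if (cap < 4 + alen || max_size > 0xffffff) return 0;
    out[0] = (unsigned char)layer;
    out[1] = (unsigned char)(max_size >> 16);
    out[2] = (unsigned char)(max_size >> 8);
    out[3] = (unsigned char)max_size;
    if (alen) memcpy(out + 4, authzid, alen);
    return 4 + alen;
}

int main(void)
{
    /* Constructed sample: server offers all three layers, max 4096 bytes. */
    unsigned char tok[64], reply[64];
    struct layer_offer offer;
    unsigned layer;
    char *line;
    int n = parse_continuation("+ BwAQAA==\r\n", tok, sizeof tok);
    if (n < 0 || parse_layer_offer(tok, (size_t)n, &offer) < 0) return 1;
    layer = choose_layer(offer.mask, GSS_LAYER_CONF | GSS_LAYER_INTEGRITY);
    if (!layer) return 1;   /* refuse rather than silently fall back to no layer */
    n = (int)build_layer_reply(layer, 65536, "", reply, sizeof reply);
    line = client_line(reply, (size_t)n);
    printf("offered mask %u, max %u; client picks %u\nC: %s", offer.mask, offer.max_size, layer, line);
    free(line);
    return 0;
}
```

The design choice worth noting is in choose_layer(): the client lists only integrity and confidentiality as acceptable, so a server that offers nothing but "no security layer" is refused instead of being accepted with the session left in cleartext after authentication.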

