[17460] in Kerberos_V5_Development
Disabling PA-REQ-ENC-PA-REP (149) preauth?
daemon@ATHENA.MIT.EDU (Aleksander Adamowski)
Sat Jan 14 10:04:48 2012
From: Aleksander Adamowski <krb5@olo.org.pl>
Date: Sat, 14 Jan 2012 16:04:18 +0100
Message-ID: <CADTpmS5X_aAzitGZwr6oe5SDqh_5iocDKYa7=pzMZgGw5qcXvA@mail.gmail.com>
To: krbdev@mit.edu
Hi!
I'm working on a proof of concept integration of Kerberos and LDAP
protocols (namely, transporting Kerberos V5 messages using LDAPv3
extended operations - basically using LDAPv3 instead of plain TCP as
carrier protocol for Kerberos).
I've given the code name "KrbLDAP" to the integrated Kerberos+LDAP protocol.
I'm publishing my work on GitHub - my 3 repositories are located here:
https://github.com/aadamowski
These are GitHub forks of official MIT krb5, Fedora's pam_krb5 (which
in my experiment serves the role of a client used to launch the
integration test) and a new repo "apacheds-krbldap-test" that uses
Apache Directory Server's extensibility and support for both LDAP and
Kerberos to implement a proof of concept KrbLDAP server.
At this stage, I've managed to successfully encode a Kerberos AS-REQ
message inside an LDAPv3 extended request and send it to the server.
The server receives it, and after extracting the Kerberos message,
feeds it to its Kerberos protocol handler.
All is well, but the problem is that the latest trunk version of
libkrb5 seems to use an experimental PA-REQ-ENC-PA-REP (149)
pre-authentication (with an empty preauth value) that's currently part of
a draft specification for Kerberos Referrals
(http://tools.ietf.org/html/draft-ietf-krb-wg-kerberos-referrals-13).
Obviously, Apache DS's Kerberos protocol handler doesn't yet know
about such preauth and returns an error message.
Is there a way to disable this behaviour in libkrb5?
--
Best Regards,
Aleksander Adamowski
http://olo.org.pl
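
The transport described in the message above (a Kerberos message carried as the value of an LDAPv3 extended request), as an added example that is not part of the original post or of the KrbLDAP repositories: it frames opaque bytes as an RFC 4511 ExtendedRequest and unwraps them with length checks on the receiving side. The OID `2.999.1` (example arc) and the sample bytes are placeholders; the post does not state which OID or value layout KrbLDAP uses.

```python
# Added illustration: RFC 4511 ExtendedRequest framing around an opaque Kerberos message.
KRBLDAP_OID = b"2.999.1"             # placeholder OID (example arc), not taken from the post
SAMPLE_KRB = b"\x6a\x02\x30\x00"     # constructed stand-in ([APPLICATION 10]), not a real AS-REQ

def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, value):
    return bytes([tag]) + der_len(len(value)) + value

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos); reject truncated or indefinite lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length >= 0x80:
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("value overruns buffer")
    return tag, buf[pos:pos + length], pos + length

def wrap(message_id, krb_msg):
    """LDAPMessage { messageID, [APPLICATION 23] { [0] requestName, [1] requestValue } }"""
    op = tlv(0x77, tlv(0x80, KRBLDAP_OID) + tlv(0x81, krb_msg))
    mid = message_id.to_bytes(message_id.bit_length() // 8 + 1, "big")
    return tlv(0x30, tlv(0x02, mid) + op)

def unwrap(pdu):
    """Server side: validate the framing, then return the carried Kerberos bytes."""
    tag, body, end = read_tlv(pdu)
    if tag != 0x30 or end != len(pdu):
        raise ValueError("not a single LDAPMessage")
    _, _, pos = read_tlv(body)                  # messageID
    tag, op, _ = read_tlv(body, pos)
    if tag != 0x77:
        raise ValueError("not an ExtendedRequest")
    tag, oid, pos = read_tlv(op)
    if tag != 0x80 or oid != KRBLDAP_OID:
        raise ValueError("unexpected requestName")
    tag, value, _ = read_tlv(op, pos)
    if tag != 0x81:
        raise ValueError("missing requestValue")
    return value
```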