On 6/15/08, kul gupta wrote:
> I am very new to Kerberos and GSSAPI.
> I would highly appreciate guidance on the issues below.
> I am a bit confused about Cyrus SASL and GSSAPI.
> I have an authentication server (AS) which is Kerberized.
> The client gets the TGT using kinit.
> Now I need to use GSSAPI for authentication using GSSAPI.
> 1) Do I need to have Cyrus SASL also, or will Kerberos alone do?

Hi Ruchita,

SASL and GSSAPI are two of several abstraction layers that are used to
authenticate peers in different networking protocols. For example, an
LDAP bind can use SASL which in turn can use GSSAPI whereas some HTTP
clients can use GSSAPI directly. Why we need all of these layers I do
not know, but if you are using a protocol that uses SASL, then yes, you
need SASL. If you are adding Kerberos authentication to your own
networking protocol, then you do not need SASL and should probably
just use GSSAPI directly. You could also skip the GSSAPI layer and use
the Kerberos API directly but in practice there are a number of
advantages to using GSSAPI.

> 2) When I tried to run the example provided by Sun, I got the following
> errors:
> gssapi_ext.h- No such file directory
> gssapi-misc.h-No such file directory
> I also tried to search for these files on my system (Red Hat Enterprise
> Linux 5.0), but these files are not present.

Red Hat ships with the MIT distribution of Kerberos. Install the
kerberos-devel package and adjust the source code of your examples to
use those header files. Or download the MIT source package and try the
examples shipped with it with your RH-provided system libraries. The
latter would probably be easier since those examples are designed to
build with the MIT libraries shipped with RH.


Michael B Allen
PHP Active Directory SPNEGO SSO