> -----Original Message-----
> From: Henry B. Hotz [mailto:hotz@xxxxxxxxxxxx]
> Sent: Wednesday, April 21, 2010 1:15 AM
> To: Xu, Qiang (FXSGSC)
> Cc: cyrus-sasl@xxxxxxxxxxxxxxxxxxxx
> Subject: Re: kerbetization of mail client
>
> No.
>
> This should all happen automatically, and be done by the
> kerberos libraries.

In LDAP Kerberization, I must provide an interface function and some SASL callback, like the following:

=========================================================
#include <string.h>     /* strlen */
#include <sasl/sasl.h>  /* sasl_interact_t, SASL_CB_* */
#include <ldap.h>
#include <ldappr.h>     /* prldap_init */

static char *sasl_mech = "GSSAPI";
static int sasl_flags = LDAP_SASL_QUIET;
...
/* warning! - the following requires intimate knowledge of sasl.h */
static char *default_values[] = {
    "", /* SASL_CB_USER         0x4001 */
    "", /* SASL_CB_AUTHNAME     0x4002 */
    "", /* SASL_CB_LANGUAGE     0x4003 */ /* not used */
    "", /* SASL_CB_PASS         0x4004 */
    "", /* SASL_CB_ECHOPROMPT   0x4005 */
    "", /* SASL_CB_NOECHOPROMPT 0x4006 */
    "", /* SASL_CB_CNONCE       0x4007 */
    ""  /* SASL_CB_GETREALM     0x4008 */
};

/* this is so we can use SASL_CB_USER etc. to index into default_values */
#define VALIDVAL(n) (((n) >= SASL_CB_USER) && ((n) <= SASL_CB_GETREALM))
#define VAL(n) default_values[(n) - 0x4001]
...
static int
example_sasl_interact(LDAP *ld, unsigned flags, void *defaults, void *prompts)
{
    sasl_interact_t *interact = NULL;

    if (prompts == NULL) {
        return (LDAP_PARAM_ERROR);
    }

    /* answer every recognised prompt with its (empty) default value */
    for (interact = prompts; interact->id != SASL_CB_LIST_END; interact++) {
        if (VALIDVAL(interact->id)) {
            interact->result = VAL(interact->id);
            interact->len = strlen((char *)interact->result);
        }
    }
    return (LDAP_SUCCESS);
}
...
ldapHandle = prldap_init(primaryIP, primaryServerPort, 0);
ldapStatus = ldap_sasl_interactive_bind_ext_s(ldapHandle, "", sasl_mech,
                                              NULL, NULL, sasl_flags,
                                              example_sasl_interact, NULL,
                                              &responseControls);
=========================================================

So I guess some similar routines must be provided for the authentication of the mail client against the mail server, using the Kerberos TGT. You mean I don't need to provide such interfaces? Then, when the server requires authentication from the client, what should I do to log into the mail server?

Thanks,
Xu Qiang