Open 389-ds-bot opened 4 years ago
Comment from tbordaz (@tbordaz) at 2018-11-08 12:32:43
Cleanup will impact ldaputil.c (but likely others). More specifically, all the code in set_krb5_cred should be changed to gssapi calls (like gss_acquire_cred_from, ...).
Comment from tbordaz (@tbordaz) at 2018-11-08 12:32:46
Metadata Update from @tbordaz:
Comment from mreynolds (@mreynolds389) at 2018-11-15 17:58:57
Metadata Update from @mreynolds389:
Comment from mreynolds (@mreynolds389) at 2020-02-26 16:59:28
Metadata Update from @mreynolds389:
Cloned from Pagure issue: https://pagure.io/389-ds-base/issue/50017
Issue Description
When DS started supporting client-side krb5 authentication for outgoing connections, it used direct krb5 calls. These calls should be deprecated and the gssapi API used instead.
The current code is working but is fragile and difficult to support. The move to gssapi should also improve performance, for example by allowing parallel auth (see bz 1633089).
Package Version and Platform
Since 1.2, all platforms
Steps to reproduce
There is no bug. The easiest way to reproduce the environment is to install freeipa master/replica. The RA will use gssapi authentication between the replicas.
Actual results
NA
Expected results
NA