Open emersion opened 5 years ago
If you ever want to implement this I suggest you do it via bindings to libgssapi.so (dynamically load if present, if not present your user is definitely not using kerberos on their machine anyway).
I'd rather not. I'd prefer to just provide the wire marshalling, define an interface, and let users implement it with whatever Kerberos lib they want.
Well, on the wire there isn't much going on; the meat of the SASL/GSSAPI mechanism is in calling gss_init_sec_context() repeatedly and shuffling along the binary blobs you get back. But as long as there is no intention of implementing Kerberos or GSSAPI here, all is good :-)
Just note that there are basically three "gssapi" SASL protocols that are used: GSSAPI (traditionally on Unix-like systems), GSS-SPNEGO (very similar to GSSAPI but used for compatibility with Microsoft systems) and the new GS2 mechanism that doesn't have wide usage as far as I know.
GSSAPI and GSS-SPNEGO are very close and can share most of the machinery, they are implemented in the same plugin in cyrus-sasl for example.
HTH.
See https://tools.ietf.org/html/rfc4752
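The split discussed in this thread (wire handling plus an interface, with the Kerberos work left to whatever library the user plugs in) can be sketched as below. This is an added example, not code from this project: `SecContext`, `Client` and `fakeCtx` are hypothetical names, the fake context does no cryptography, and the client always selects "no security layer" in the RFC 4752 negotiation.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// SecContext is a hypothetical interface that a GSS-API binding would satisfy.
type SecContext interface {
	Init(in []byte) (out []byte, done bool, err error) // gss_init_sec_context
	Wrap(msg []byte) ([]byte, error)                   // gss_wrap, conf_flag false
	Unwrap(tok []byte) ([]byte, error)                 // gss_unwrap
}

type Client struct {
	Ctx         SecContext
	Authzid     string
	established bool
}

// Next takes one server challenge (empty on the first call) and returns the response.
func (c *Client) Next(challenge []byte) ([]byte, error) {
	if !c.established { // context phase: shuttle opaque tokens until complete
		out, done, err := c.Ctx.Init(challenge)
		c.established = done && err == nil
		return out, err
	}
	msg, err := c.Ctx.Unwrap(challenge) // RFC 4752 security-layer negotiation
	if err != nil {
		return nil, err
	}
	if len(msg) != 4 || msg[0]&0x01 == 0 {
		return nil, errors.New("gssapi: bad layer token or 'no layer' not offered")
	}
	return c.Ctx.Wrap(append([]byte{0x01, 0, 0, 0}, c.Authzid...)) // layer 0x01, max size 0, authzid
}

type fakeCtx struct{} // constructed stand-in, no cryptography; "W:" marks wrapped data
func (fakeCtx) Init(in []byte) ([]byte, bool, error) { return []byte("tok"), len(in) > 0, nil }
func (fakeCtx) Wrap(m []byte) ([]byte, error)        { return append([]byte("W:"), m...), nil }
func (fakeCtx) Unwrap(t []byte) ([]byte, error)      { return bytes.TrimPrefix(t, []byte("W:")), nil }

func main() {
	c := &Client{Ctx: fakeCtx{}, Authzid: "alice"}
	for _, ch := range []string{"", "srv-token", "W:\x01\x00\x00\x00"} {
		resp, err := c.Next([]byte(ch))
		fmt.Printf("%q %v\n", resp, err)
	}
}
```

A production client would also check the context's negotiated services and enforce RFC 4752's rule that the server's maximum buffer size is zero when it offers no security layer.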