#50017 Outgoing connections using sasl gssapi auth mechanism should use gssapi API rather than direct krb5 calls
Closed: wontfix 3 years ago by spichugi. Opened 5 years ago by tbordaz.

Issue Description

When DS started supporting client-side krb5 authentication for outgoing connections, it used direct krb5 calls. These calls should be deprecated in favor of the gssapi API.

The current code is working but is fragile and difficult to support. The move to gssapi should also improve performance, for example by allowing parallel auth (see bz 1633089).

Package Version and Platform

Since 1.2, all platforms

Steps to reproduce

There is no bug. The easiest way to reproduce the environment is to install freeipa master/replica. The RA will use gssapi authentication between the replicas.

Actual results

NA

Expected results

NA


Cleanup will impact ldaputil.c (but likely others). More specifically, all the code in set_krb5_cred should be replaced with gssapi calls (like gss_acquire_cred_from, ...).

Metadata Update from @tbordaz:
- Custom field component adjusted to None
- Custom field origin adjusted to None
- Custom field reviewstatus adjusted to None
- Custom field type adjusted to None
- Custom field version adjusted to None

5 years ago

Metadata Update from @mreynolds:
- Issue set to the milestone: 1.4.1

5 years ago

Metadata Update from @mreynolds:
- Issue set to the milestone: 1.4.4 (was: 1.4.1)
- Issue tagged with: RFE

4 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/3076

If you want to receive further updates on the issue, please navigate to the github issue
and click on the subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)

3 years ago
