Re: Kerberos authentication with dsDoDirNodeAuth ?
I don't think it is possible to use your TGT to do a dsDoDirNodeAuth with the LDAP plug-in. It sounds like you would need to do this to make it work seamlessly. You might look at the LDAP plug-in source code though to make sure there isn't some special way that it handles dsDoDirNodeAuth.
From: Nigel Kersten <nigel@cofa.unsw.edu.au>
Date: Wed, 1 Mar 2006 05:23:43 +1100
To: Paul Nelson <nelson@thursby.com>
Cc: <darwin-dev@lists.apple.com>
Subject: Re: Kerberos authentication with dsDoDirNodeAuth ?
On 01/03/2006, at 1:19 AM, Paul Nelson wrote:
It would help if you can tell us why you are doing the dsDoDirNodeAuth.
Because I want to authenticate to the node? :)
I'm using in-directory ACLs to allow network account users to edit their own Contact info, and would like to take advantage of the fact that all my users have Kerberos identities.
What directory service node are you trying to authenticate with?
A vanilla Open Directory Master LDAP node.
Does the user already have a Kerberos ticket granting ticket in their cache? You can check for the TGT using 'klist'.
Yes, I know. Irrespective of whether the user currently has a TGT or not, I can't work out how to do this, or whether it's even possible in the DirectoryService API.
Thanks,
Nigel
-- Nigel Kersten [Senior Technical Officer] College of Fine Arts, University of NSW, Australia. CRICOS Provider Code: 00098G
participants (1): Paul Nelson