From: Ken Hornstein (kenh at cmf dot nrl dot navy dot mil)
Date: Tue Jun 29 2004 - 10:46:51 EDT
>On Tue, Jun 29, 2004 at 12:29:58PM +0200, Jukka Salmi wrote:
>> According to the SASL documentation[1] (see below "Plugins (SASL Mechanisms)")
>> you're (almost) right.
>>
>> [1] http://asg.web.cmu.edu/cyrus/download/sasl/components.html
>
>That helps, thanks. It's a difficult enough topic to try to explain to the
>non-initiated, though. I'm still trying to come up with a simple drawing.

The problem with talking about this topic is that there are a number of
layers you need to have a reasonable understanding of before you can
make sense of the whole mess:

- Kerberos, and how it performs authentication
- GSSAPI, and how it relates to Kerberos
- SASL mechanisms (of which GSSAPI is only one).

I use a GSSAPI SASL mechanism every day in production, but there are so
many layers involved I'm sometimes surprised that it works at all :-)

Just as a side note: it's not really talked about in the SASL documentation
that much, but for a valid Kerberos infrastructure you need a secret stored
on the server that is shared with the KDC (this is put into place by the
Kerberos administrator, generally). This might help you to fill in the
blanks a bit.

--Ken