[Pdns-dev] Patch to add GSSAPI authentication to the LDAP backend

bert hubert bert.hubert at netherlabs.nl
Mon Jul 25 17:03:20 CEST 2011

Hi Gregory! Many thanks for this!

Nick, as you "own" the LDAP backend now, could you let me know your thoughts?
You can get the patches from the pdns-dev archive which can be found from


On Mon, Jul 18, 2011 at 09:51:35PM +0200, Grégory Oestreicher wrote:
> Hi All,
> I've added for my needs GSSAPI authentication to the LDAP backend and thought 
> it may be nice to share. I've developed using Heimdal Kerberos, and MIT 
> Kerberos may not work out of the box.
> The original patchset was developed against PowerDNS 2.9.22 (the 2.9.22-0* 
> files) and is the most tested. I've ported it to trunk (the trunk-0* files). The 
> only test was "does it compile (y/n)". It does, and as the code is the same it 
> should work fine too.
> GSSAPI is controlled by the following configuration directives:
> - ldap-bindmethod: 'simple' or 'gssapi', defaulting to 'simple'. The method to 
> use to bind to the LDAP server. 'simple' keeps the original behavior.
> - ldap-krb5-keytab: no default. The path to the file holding the keytab to use 
> to get a TGT. This file must only be readable by the PowerDNS account.
> - ldap-krb5-ccache: no default, using the Kerberos implementation values. The 
> path to the credentials cache file. If using the default value then credentials 
> will be stored in /tmp/krb5cc_<uid>, which may not be the expected behavior.
> Cheers,
> Grégory

> _______________________________________________
> Pdns-dev mailing list
> Pdns-dev at mailman.powerdns.com
> http://mailman.powerdns.com/mailman/listinfo/pdns-dev

More information about the Pdns-dev mailing list