E.2 How Does GSSAPI Work with eDirectory?

The following diagram illustrates how GSSAPI works with an LDAP server.

Figure E-1 How GSSAPI Works

In the above figure, the numbers denote the following:

  1. An eDirectory user sends a request through an LDAP client to the Kerberos KDC (Key Distribution Center) server for an initial ticket known as a ticket granting ticket (TGT).

    The Kerberos KDC can be an MIT KDC or a Microsoft KDC.

  2. The KDC responds to the LDAP client with a TGT.

  3. The LDAP client presents the TGT to the KDC and requests a service ticket for the LDAP server.

  4. The KDC responds to the LDAP client with the LDAP service ticket.

  5. The LDAP client performs an ldap_sasl_bind against the LDAP server, sending the LDAP service ticket.

  6. The LDAP server validates the LDAP service ticket through the GSSAPI mechanism and, based on the result, returns an ldap_sasl_bind success or failure to the LDAP client.
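The six steps above as a stand-alone model, added here as an illustration and not part of the eDirectory documentation: the KDC and the LDAP server are plain Python classes, tickets are HMAC-sealed claim sets standing in for Kerberos encryption (no session keys or authenticators), and the principal names and key material are constructed. It shows why step 6 needs no call back to the KDC: the LDAP server validates the service ticket with nothing but its own service key, and rejects tickets that are tampered with, sealed under another key (such as a raw TGT), issued for another service, or expired.

```python
import hmac, hashlib, json, os, time

def seal(key, claims):
    # Stand-in for Kerberos encryption: the HMAC stops anyone without `key`
    # from forging or altering the claims (confidentiality is out of scope here).
    body = json.dumps(claims, sort_keys=True).encode()
    return body + b"." + hmac.new(key, body, hashlib.sha256).hexdigest().encode()

def unseal(key, ticket):
    body, _, tag = ticket.rpartition(b".")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ticket was not issued under this key")
    return json.loads(body)

class KDC:
    """Holds every principal's long-term key, so it can issue both ticket types."""
    def __init__(self, service_keys, lifetime=8 * 3600):
        self.keys, self.tgs_key, self.lifetime = service_keys, os.urandom(32), lifetime
    def as_exchange(self, user):                                   # steps 1-2
        return seal(self.tgs_key, {"cname": user, "exp": time.time() + self.lifetime})
    def tgs_exchange(self, tgt, service):                          # steps 3-4
        claims = unseal(self.tgs_key, tgt)      # only the KDC can open a TGT
        if time.time() > claims["exp"]:
            raise ValueError("TGT expired")
        return seal(self.keys[service],
                    {"cname": claims["cname"], "sname": service, "exp": claims["exp"]})

class LDAPServer:
    """Knows only its own key; validates the service ticket locally (step 6)."""
    def __init__(self, service, key, clock=time.time):
        self.service, self.key, self.clock = service, key, clock
    def sasl_bind(self, ticket):                                   # steps 5-6
        try:
            claims = unseal(self.key, ticket)
        except ValueError:
            return "failed", None
        if claims["sname"] != self.service or self.clock() > claims["exp"]:
            return "failed", None
        return "success", claims["cname"]      # authenticated principal

def demo():
    ldap_key = os.urandom(32)                  # shared with the KDC out of band (keytab)
    kdc = KDC({"ldap/dir.example.com": ldap_key})          # constructed names
    server = LDAPServer("ldap/dir.example.com", ldap_key)
    tgt = kdc.as_exchange("alice@EXAMPLE.COM")
    ticket = kdc.tgs_exchange(tgt, "ldap/dir.example.com")
    tampered = ticket.replace(b"alice", b"admin")          # altered claims
    return server.sasl_bind(ticket), server.sasl_bind(tampered), server.sasl_bind(tgt)
```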