[CDRIVER-792] Investigate replacing cyrus-sasl with libkrb5/heimdal for GSSAPI Created: 10/Aug/15  Updated: 11/Dec/18  Resolved: 25/May/17

Status: Closed
Project: C Driver
Component/s: None
Affects Version/s: None
Fix Version/s: 1.7.0

Type: Task Priority: Major - P3
Reporter: Bernie Hackett Assignee: Hannes Magnusson
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
is related to CDRIVER-2170 Add support for RFC 2744 GSS-API Closed
Epic Link: Native SASL

 Description   

This could simplify builds on OSX and other platforms (at the very least removing a build dep on OSX). Note that OSX Lion replaced MIT Kerberos with Heimdal, which is API compatible.

https://wiki.ncsa.illinois.edu/display/ITS/Kerberos+on+Mac+OS+X+10.7+and+later



 Comments   
Comment by Hannes Magnusson [ 25/May/17 ]

The task as described is concluded.

It was a mistake to actually use cyrus-sasl for anything at all and we should have gone with an RFC compliant implementation from the get-go.

This will give us support for macOS native GSS framework, and we could technically completely remove cyrus-sasl as afaict all platforms support one or another RFC compliant library... Although I am not suggesting we do so in the near term.

To that end, see CDRIVER-2170

Comment by Hannes Magnusson [ 20/Apr/17 ]

plumbs: https://github.com/bjori/mongo-c-driver/commit/6c6eee4c8ff78e79829721a2164dc346973233aa

Comment by Hannes Magnusson [ 28/Mar/17 ]

The "GSS Framework" seems to be API compatible with the legacy "gssapi"/heimdal libraries.
The difference is how you link in the libraries. The GSS Framework is supported by macOS 10.7+ & iPhone 5.0

Comment by Bernie Hackett [ 28/Mar/17 ]

That's the high level GSSAPI API from https://tools.ietf.org/html/rfc2743, which both MIT krb5 and heimdal (including Apple's version of heimdal) implement. Also, pykerberos is an Apple library (note the github project).

Comment by Hannes Magnusson [ 28/Mar/17 ]

Apple has deprecated all implementations except for the one they provide as part of their "Frameworks", GSS.

https://developer.apple.com/reference/gss/gss_functions?language=objc

Comment by Bernie Hackett [ 28/Mar/17 ]

bjori, this could be handled in the same manner as SSPI support, just using pykerberos as a reference instead of winkerberos:

https://github.com/apple/ccs-pykerberos/blob/master/src/kerberosgss.c

That project works with both libkrb5 and heimdal.

Comment by A. Jesse Jiryu Davis [ 27/Mar/17 ]

Good point.

Comment by Bernie Hackett [ 27/Mar/17 ]

Native auth on OSX? The native GSSAPI library on OSX is heimdal. We still require cyrus-sasl for OSX AFAIK.

Comment by A. Jesse Jiryu Davis [ 27/Mar/17 ]

Superseded by native auth on OSX and Windows.
