[CDRIVER-792] Investigate replacing cyrus-sasl with libkrb5/heimdal for GSSAPI Created: 10/Aug/15 Updated: 11/Dec/18 Resolved: 25/May/17 |
|
| Status: | Closed |
| Project: | C Driver |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | 1.7.0 |
| Type: | Task | Priority: | Major - P3 |
| Reporter: | Bernie Hackett | Assignee: | Hannes Magnusson |
| Resolution: | Done | Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: |
| Epic Link: | Native SASL |
| Description |
|
This could simplify builds on OSX and other platforms (at the very least removing a build dep on OSX). Note that OSX Lion replaced MIT Kerberos with Heimdal, which is API compatible. https://wiki.ncsa.illinois.edu/display/ITS/Kerberos+on+Mac+OS+X+10.7+and+later |
| Comments |
| Comment by Hannes Magnusson [ 25/May/17 ] |
|
The task as described is concluded. It was a mistake to actually use cyrus-sasl for anything at all and we should have gone with an RFC compliant implementation from the get-go. This will give us support for the macOS native GSS framework, and we could technically completely remove cyrus-sasl as afaict all platforms support one or another RFC compliant library... Although I am not suggesting we do so in the near term. To that end, see |
| Comment by Hannes Magnusson [ 20/Apr/17 ] |
|
plumbs: https://github.com/bjori/mongo-c-driver/commit/6c6eee4c8ff78e79829721a2164dc346973233aa |
| Comment by Hannes Magnusson [ 28/Mar/17 ] |
|
The "GSS Framework" seems to be API compatible with the legacy "gssapi"/heimdal libraries. |
| Comment by Bernie Hackett [ 28/Mar/17 ] |
|
That's the high level GSSAPI API from https://tools.ietf.org/html/rfc2743, which both MIT krb5 and heimdal (including Apple's version of heimdal) implement. Also, pykerberos is an Apple library (note the github project). |
| Comment by Hannes Magnusson [ 28/Mar/17 ] |
|
Apple has deprecated all implementations except for the one they provide as part of their "Frameworks", GSS. https://developer.apple.com/reference/gss/gss_functions?language=objc |
| Comment by Bernie Hackett [ 28/Mar/17 ] |
|
bjori, this could be handled in the same manner as SSPI support, just using pykerberos as a reference instead of winkerberos: https://github.com/apple/ccs-pykerberos/blob/master/src/kerberosgss.c That project works with both libkrb5 and heimdal. |
| Comment by A. Jesse Jiryu Davis [ 27/Mar/17 ] |
|
Good point. |
| Comment by Bernie Hackett [ 27/Mar/17 ] |
|
Native auth on OSX? The native GSSAPI library on OSX is heimdal. We still require cyrus-sasl for OSX AFAIK. |
| Comment by A. Jesse Jiryu Davis [ 27/Mar/17 ] |
|
Superseded by native auth on OSX and Windows. |