c133.org/blog
Mon, 09 Feb 2004
.: oh how I hate gssapi ::

so now that I have a local Kerberos server, and it hands out tickets like a champ, and life is good, the next (logical) step is to want to have single-sign-on for things like (say) my email.

KDE has a custom ground-up SASL implementation that supports LOGIN, PLAIN, CRAM-MD5 and DIGEST-MD5, but not GSSAPI (which is a layer on top of Kerberos). I took a look at it and decided that I could implement a GSSAPI function for the KDE SASL implementation. I had no idea that it'd be so damned frustrating. why is GSSAPI so complicated, and poorly-designed to boot?

if you think I'm joking, or complaining about nothing - the main function, gss_init_sec_context, takes THIRTEEN parameters. that's a lot of margin-for-error. one would think they might use custom data structures, ones more complicated than the standard struct with a void pointer and an int to indicate the length of the data, but no. of course not.
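For contrast, the step of the SASL GSSAPI mechanism that comes right after the gss_init_sec_context loop is small enough to show whole. Once the security context is established, the server sends one more wrapped token: one octet of offered security-layer bits (1 = none, 2 = integrity, 4 = confidentiality) and a 3-octet maximum message size; the client answers with the same layout naming its choice (with a max size of 0 if it picks no layer), optionally followed by an authorization identity. That format is from RFC 2222's GSSAPI mechanism, later restated in RFC 4752. The C below is an added example, not code from this post or from KDE: it parses the server's offer, picks the strongest layer offered (refusing the "no layer" option when the caller requires protection, so a server or an on-path party cannot talk the client down to cleartext), and builds the client reply. The sasl_gss_* names and the sample token are constructed for this example; in a real client the bytes would pass through gss_unwrap and gss_wrap as gss_buffer_desc values, which are not called here.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Security-layer bits of the SASL GSSAPI mechanism (RFC 2222 / RFC 4752). */
#define SASL_GSS_LAYER_NONE       0x01
#define SASL_GSS_LAYER_INTEGRITY  0x02
#define SASL_GSS_LAYER_CONF       0x04
#define SASL_GSS_LAYER_MASK       (SASL_GSS_LAYER_NONE | SASL_GSS_LAYER_INTEGRITY | SASL_GSS_LAYER_CONF)

/* Parsed form of the server's 4-octet token (the plaintext after gss_unwrap). */
struct sasl_gss_layer_offer {
    uint8_t  layers;    /* bitmask of layers the server supports */
    uint32_t max_size;  /* largest message the server accepts, 24-bit big-endian */
};

/* Parse the server's offer. Returns 0 on success, -1 if the token is malformed
 * (wrong length, or no layer bit the client knows about). */
int sasl_gss_parse_offer(const uint8_t *tok, size_t len, struct sasl_gss_layer_offer *out)
{
    if (len != 4) return -1;
    uint8_t layers = tok[0] & SASL_GSS_LAYER_MASK;
    if (layers == 0) return -1;
    out->layers   = layers;
    out->max_size = ((uint32_t)tok[1] << 16) | ((uint32_t)tok[2] << 8) | (uint32_t)tok[3];
    return 0;
}

/* Choose the strongest layer the server offered: confidentiality, then integrity,
 * then none. When require_protection is nonzero, "none" is refused and 0 is
 * returned, so the client fails closed instead of accepting an unprotected session. */
uint8_t sasl_gss_choose_layer(uint8_t offered, int require_protection)
{
    if (offered & SASL_GSS_LAYER_CONF)      return SASL_GSS_LAYER_CONF;
    if (offered & SASL_GSS_LAYER_INTEGRITY) return SASL_GSS_LAYER_INTEGRITY;
    if ((offered & SASL_GSS_LAYER_NONE) && !require_protection) return SASL_GSS_LAYER_NONE;
    return 0;
}

/* Build the plaintext of the client's reply (what would then go into gss_wrap):
 * 1 octet chosen layer, 3 octets max size the client accepts, then the optional
 * authzid. If no layer is chosen the max size must be 0, per the RFC.
 * Returns the number of bytes written, or -1 on a bad layer, oversized max, or
 * a buffer that is too small. */
int sasl_gss_build_reply(uint8_t layer, uint32_t max_size, const char *authzid,
                         uint8_t *buf, size_t buflen)
{
    size_t alen = authzid ? strlen(authzid) : 0;
    if (layer != SASL_GSS_LAYER_NONE && layer != SASL_GSS_LAYER_INTEGRITY &&
        layer != SASL_GSS_LAYER_CONF) return -1;
    if (layer == SASL_GSS_LAYER_NONE) max_size = 0;
    if (max_size > 0xFFFFFFu) return -1;
    if (buflen < 4 + alen) return -1;
    buf[0] = layer;
    buf[1] = (uint8_t)(max_size >> 16);
    buf[2] = (uint8_t)(max_size >> 8);
    buf[3] = (uint8_t)(max_size);
    if (alen) memcpy(buf + 4, authzid, alen);
    return (int)(4 + alen);
}

int main(void)
{
    /* Constructed sample: server offers all three layers and a 65535-byte max. */
    const uint8_t server_tok[4] = {0x07, 0x00, 0xFF, 0xFF};
    struct sasl_gss_layer_offer offer;
    uint8_t reply[64];

    if (sasl_gss_parse_offer(server_tok, sizeof server_tok, &offer) != 0) return 1;
    uint8_t layer = sasl_gss_choose_layer(offer.layers, 1);
    int n = sasl_gss_build_reply(layer, 65535, "alice", reply, sizeof reply);
    printf("offered=0x%02x max=%u chose=0x%02x reply_len=%d\n",
           offer.layers, offer.max_size, layer, n);
    return n < 0;
}
```

A client that only ever wants authentication (no wrapping of the IMAP stream) can pass require_protection = 0, but then it should also check that the server's offer actually included the "none" bit rather than silently taking whatever came back.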

oh well. when I'm done, KDE will have a GSSAPI implementation, meaning that it should Just Work (TM) with any Kerberized service that uses SASL. Namely, this means IMAP servers and probably a few SMTP servers - having single-sign-on for these services will be great.

[15:47] | [tech/KDE]
.: mmm. kerberos. ::

so I finished setting up a working LDAP server here at home. with Kerberos, for that single-sign-on goodness. I can see why people dig this. I can also see why people fucking hate it. awesome features, complete and total pain in the ass to set up. honestly, I think I probably would rather have installed OpenBSD, and that's saying a lot.

but now that it's working, and I have it set up, I am a golden god.

[09:03] | [tech]