[Fedora-directory-devel] Please review: Bug 469261 - Support server-to-server SASL - kerberos improvements

https://bugzilla.redhat.com/show_bug.cgi?id=469261
Resolves: bug 469261
Bug Description: Support server-to-server SASL - kerberos improvements
Reviewed by: ???
Files: see diff
Branch: HEAD
Fix Description: I made several improvements to the kerberos code at Simo's suggestion. First look for the principal in the ccache. If not found, use the username if it does not look like a DN. If still not found, construct a principal using the krb5_sname_to_principal() function to construct "ldap/fqdn@REALM". Next, see if the credentials for this principal are still valid. In order to grab the credentials from the ccache, I needed to construct the server principal, which in this case is the TGS service principal (e.g. krbtgt/REALM@REALM). If the credentials are present and not expired, then the code assumes they are ok and does not acquire new credentials. If the credentials are expired or not found, the code will then use the keytab to authenticate.
Platforms tested: Fedora 8, Fedora 9
Flag Day: no
Doc impact: no
https://bugzilla.redhat.com/attachment.cgi?id=322788&action=diff

--
Fedora-directory-devel mailing list
Fedora-directory-devel@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-devel
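
The lookup order described in the message above, modelled in plain C as an added example; it is not part of the original post or of the patch under review. It makes no libkrb5 calls: `struct ccache`, the function names, the sample principals and the "contains `=`" DN heuristic are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Constructed stand-in for a credentials cache: its principal plus one cached ticket. */
struct ccache {
    const char *principal;   /* NULL when the cache holds no principal */
    const char *server;      /* service principal of the cached ticket, or NULL */
    time_t endtime;          /* expiry time of that ticket */
};

/* Assumption: a bind name "looks like a DN" when it contains '='. */
static int looks_like_dn(const char *name) { return strchr(name, '=') != NULL; }

/* Step 1: ccache principal, else a non-DN username, else ldap/fqdn@REALM. */
const char *choose_principal(const struct ccache *cc, const char *username,
                             const char *fqdn, const char *realm,
                             char *buf, size_t len) {
    if (cc && cc->principal) return cc->principal;
    if (username && *username && !looks_like_dn(username)) return username;
    snprintf(buf, len, "ldap/%s@%s", fqdn, realm);
    return buf;
}

/* Step 2: build krbtgt/REALM@REALM from the realm part of the client principal. */
int tgs_principal(const char *client, char *buf, size_t len) {
    const char *at = strrchr(client, '@');
    if (!at || !at[1]) return -1;            /* no realm: no TGT lookup possible */
    snprintf(buf, len, "krbtgt/%s@%s", at + 1, at + 1);
    return 0;
}

/* Step 3: returns 1 when the keytab must be used, 0 when the cached TGT is reused. */
int need_keytab_auth(const struct ccache *cc, const char *client, time_t now) {
    char tgs[256];
    if (!cc || !cc->principal || !cc->server) return 1;   /* nothing cached */
    if (strcmp(cc->principal, client) != 0) return 1;     /* tickets belong to someone else */
    if (tgs_principal(client, tgs, sizeof tgs) != 0) return 1;
    if (strcmp(cc->server, tgs) != 0) return 1;           /* cached ticket is not the TGT */
    return cc->endtime <= now;                            /* expired tickets are not reused */
}
```

The check that the cached tickets belong to the chosen principal matters when the principal came from the username or was constructed, since a cache left by another identity must not be reused.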
