On 5/30/07, Guus Leeuw jr. <guus.leeuw@xxxxxxxxxxxxxxx> wrote:
> Hi, looking at OpenLDAP and KRB5, the question really boils down to: Why do you want to rebind through OpenLDAP in case mod_auth_kerb has already got the ticket in the first place?
Well, for example, if I build an LDAP web interface, I want to use the user's credentials that I've got from the web browser to browse the LDAP server.
> OpenLDAP's ldapsearch has an option -Y GSSAPI which acts pretty much like -x, but uses the Kerberos ticket that is already there. Normally you'd do something similar in PHP (and extend PHP in case something similar is not available). Off the top of my head, I don't think that OpenLDAP is re-binding in the case of -Y GSSAPI, so they must call something similar that, presumably, is available in the LDAP API. I'm not sure how standard -Y GSSAPI is, though.
It's not on the LDAP layer. From what we've seen, the problem is on the GSSAPI layer.
> Ultimately, using Kerberos, you'd want your user to log in *once* and make sure that LDAP can re-use the ticket. Why else bother with Kerberos-based authentication in the first place ;) On another note, did you look at PHP's LDAP connection caching, making sure that that doesn't screw up the bill?
We've added many printouts to the related functions in the PHP source code, and the call sequence is similar. Again, neither LDAP nor SASL is aware of Kerberos at all. The problem is that when you clean up the GSSAPI context, the default credentials location of the underlying krb5 context is not cleaned up (and keeps pointing to a file which will not exist in the next session).

-- Zaar
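The pattern the thread is circling around, a PHP LDAP bind that reuses the ticket mod_auth_kerb already obtained via SASL/GSSAPI instead of rebinding with a password, as an added example that is not code from either poster. It assumes mod_auth_kerb is configured to save delegated credentials and exports the per-request cache path in KRB5CCNAME, that PHP's ldap extension is built against OpenLDAP with SASL support, and that a freshly created libkrb5 context consults KRB5CCNAME; the server URI, base DN and the function name are placeholders. It re-exports and verifies the cache path on every request so that the stale default location the thread describes (a cache file deleted after the previous session) is detected instead of silently used.

```php
<?php
// Added example, not from the thread. Bind to LDAP with the Kerberos ticket
// that mod_auth_kerb delegated to this request (KrbSaveCredentials assumed),
// pinning KRB5CCNAME explicitly rather than trusting the process-wide
// default credential cache that may still point at a deleted file.

function ldap_gssapi_search(string $uri, string $baseDn, string $filter, array $attrs): array
{
    // mod_auth_kerb places the delegated ticket cache path in the request
    // environment; refuse to proceed without it rather than fall back to
    // whatever libkrb5 last used as its default cache.
    $ccache = $_SERVER['KRB5CCNAME'] ?? getenv('KRB5CCNAME');
    if ($ccache === false || $ccache === '') {
        throw new RuntimeException('no delegated Kerberos ticket cache for this request');
    }
    // FILE: caches are the mod_auth_kerb default; check the file is still there,
    // which is exactly the condition that fails on the "next session" in the thread.
    $path = preg_replace('/^FILE:/', '', $ccache);
    if (!is_file($path)) {
        throw new RuntimeException("ticket cache $ccache no longer exists");
    }
    // Re-export for this request so a new krb5 context picks up this cache
    // (assumption: libkrb5 reads KRB5CCNAME when the context is created).
    putenv("KRB5CCNAME=$ccache");

    $ld = ldap_connect($uri);
    if ($ld === false) {
        throw new RuntimeException("cannot connect to $uri");
    }
    ldap_set_option($ld, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ld, LDAP_OPT_REFERRALS, 0);

    // SASL bind with the GSSAPI mechanism: no DN, no password, the ticket is used.
    if (!ldap_sasl_bind($ld, null, null, 'GSSAPI')) {
        $err = ldap_error($ld);
        ldap_unbind($ld);
        throw new RuntimeException("GSSAPI bind failed: $err");
    }

    $res = ldap_search($ld, $baseDn, $filter, $attrs);
    $entries = $res ? ldap_get_entries($ld, $res) : [];
    ldap_unbind($ld);
    return $entries;
}

// Usage inside the authenticated web request (placeholder URI and base DN):
// $entries = ldap_gssapi_search('ldap://ldap.example.com', 'dc=example,dc=com',
//     '(uid=' . ldap_escape($user, '', LDAP_ESCAPE_FILTER) . ')', ['cn', 'mail']);
```

With persistent LDAP connections disabled (ldap_connect rather than a cached handle), each request binds with its own delegated ticket, which also sidesteps the connection-caching concern raised above.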