Re: KRB5 context is not updated when starting a new Apache session (using mod_auth_kerb)

On 5/30/07, Guus Leeuw jr. <guus.leeuw@xxxxxxxxxxxxxxx> wrote:
> Hi,
>
> looking at OpenLDAP and KRB5, the question really boils down to:
> Why do you want to rebind through OpenLDAP in case mod_auth_kerb has already
> got the ticket in the first place?

Well, for example, if I build an LDAP web interface, I want to use the user's
credentials that I've got from the web browser to browse the LDAP server.

> OpenLDAP's ldapsearch has an option -Y GSSAPI which acts pretty much like -x,
> but uses the kerberos ticket that is already there. Normally you'd do
> something similar in PHP (and extend PHP in case something similar is not
> available). From the top of my head, I don't think that OpenLDAP is re-binding
> in the case of -Y GSSAPI, so they must call something similar that,
> presumably, is available in the LDAP API. I'm not sure how standard -Y GSSAPI
> is, though.

It's not on the LDAP layer. From what we've seen, the problem is on the GSSAPI layer.

> Ultimately, using Kerberos, you'd want your user to log in *once* and make
> sure that LDAP can re-use the ticket. Why else bother with kerberos based
> authentication in the first place ;)
>
> On another note, did you look at PHP's LDAP Connection caching, making sure
> that that doesn't screw up the bill?

We've added many printouts to the related functions in the PHP source code,
and the call sequence is similar. Again, neither LDAP nor SASL is
aware of Kerberos at all. The problem is that when you clean up the
GSSAPI context, the default credentials location of the underlying krb5
context is not cleaned (and keeps pointing to a file which will not
exist in the next session).

--
Zaar
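A defensive check for the failure mode Zaar describes, added here as an example and not code from the thread or from mod_auth_kerb: before a SASL/GSSAPI bind, verify that this request's ticket cache actually exists and fail closed if it does not, rather than letting the library reuse a cache pointer left over from a previous session. It assumes mod_auth_kerb (with KrbSaveCredentials on) exports the per-request cache path as KRB5CCNAME in the request environment; the URI and the `bindWithUserTicket`/`requestTicketCache` names are hypothetical, and the check does not alter how the GSSAPI library itself handles its context.

```php
<?php
// Added example, not from the thread. Assumes mod_auth_kerb (KrbSaveCredentials on)
// exports the per-request ticket cache path as KRB5CCNAME in the request environment.

/**
 * Return the ticket cache name for this request, or null if it is missing or
 * the file it points at no longer exists. Refusing to bind in that case avoids
 * silently reusing whatever cache the krb5 library still points at from an
 * earlier request in the same server process.
 */
function requestTicketCache(array $env): ?string
{
    $name = $env['KRB5CCNAME'] ?? null;
    if ($name === null || $name === '') {
        return null;
    }
    // mod_auth_kerb writes a FILE: cache; strip the prefix to check the path.
    $path = preg_replace('/^FILE:/', '', $name);
    if (!is_file($path) || !is_readable($path)) {
        return null;   // stale pointer: the file from a previous session is gone
    }
    return $name;
}

/**
 * Bind to LDAP with the browser user's own Kerberos ticket (SASL/GSSAPI).
 * Returns the connection, or throws if no usable per-request cache exists.
 */
function bindWithUserTicket(string $uri, array $env)
{
    $ccache = requestTicketCache($env);
    if ($ccache === null) {
        throw new RuntimeException('no usable Kerberos ticket cache for this request');
    }
    // Point the krb5 library at this request's cache explicitly instead of
    // relying on whatever it remembered from the last GSSAPI context.
    putenv('KRB5CCNAME=' . $ccache);

    $ds = ldap_connect($uri);
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    if (!ldap_sasl_bind($ds, null, null, 'GSSAPI')) {
        throw new RuntimeException('GSSAPI bind failed: ' . ldap_error($ds));
    }
    return $ds;
}

// Usage inside a request handler (hypothetical server name):
// $ds = bindWithUserTicket('ldap://ldap.example.org', $_SERVER);
```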
