Re: [PATCH] GSSAPI credentials

Alexey Melnikov wrote:
Howard Chu wrote:

This patch implements the SASL_GSS_CREDS property, which was defined
in sasl.h back in 2005.

http://asg.andrew.cmu.edu/archive/message.php?mailbox=archive.cyrus-sasl&searchterm=sasl_gss_creds&msg=7600


Applications need this functionality to make use of Kerberos
Services4User features.

http://k5wiki.kerberos.org/wiki/Projects/Services4User

Setting the credential in the SASL client will allow it to use an
S4U2Proxy credential, among other things.

Additional patches will still be needed to allow a SASL server to take
advantage of this feature, as mentioned in my previous email. But this
is a small first step just to get the ball rolling.

Hi Howard,
This looks fine, but let me ask some questions on your patch:

Index: lib/common.c
===================================================================
RCS file: /cvs/src/sasl/lib/common.c,v
retrieving revision 1.124
diff -u -r1.124 common.c
--- lib/common.c	20 Feb 2009 23:10:53 -0000	1.124
+++ lib/common.c	10 May 2010 08:04:24 -0000
@@ -1238,6 +1238,13 @@
       }
       break;

+  case SASL_GSS_CREDS:
+      if(conn->type == SASL_CONN_CLIENT)
+          ((sasl_client_conn_t *)conn)->cparams->gss_creds = value;
+      else
+          ((sasl_server_conn_t *)conn)->sparams->gss_creds = value;
+      break;
+
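Review bot: the SASL_GSS_CREDS case stores the caller's pointer (`value`, a `const void *`) straight into `cparams->gss_creds` / `sparams->gss_creds` without taking ownership, so the library will later dereference a handle whose lifetime it does not control; add a comment next to the case (and to the property's description in sasl.h) that the caller must keep the credential valid until `sasl_dispose()` and must not `gss_release_cred()` it before then, and consider an explicit cast so the qualifier change is visible. The `else` branch also treats every non-client connection as a server; if `sasl_setprop()` can be reached with other `conn->type` values, guard the server assignment with an explicit `SASL_CONN_SERVER` check instead.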

What about updating sasl_getprop() to match?

Sure. I didn't think it was too important: since the calling app is the only thing that can set it, it must already have it.

Index: plugins/gssapi.c
===================================================================
RCS file: /cvs/src/sasl/plugins/gssapi.c,v
retrieving revision 1.109
diff -u -r1.109 gssapi.c
--- plugins/gssapi.c	24 Feb 2010 22:41:18 -0000	1.109
+++ plugins/gssapi.c	10 May 2010 08:04:24 -0000
@@ -657,6 +657,7 @@
     OM_uint32 max_input;
     gss_buffer_desc name_token;
     int ret, out_flags = 0 ;
+    gss_cred_id_t server_creds = params->gss_creds;
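Review bot: initializing `server_creds` from `params->gss_creds` means the handle can now be caller-owned rather than acquired by the plugin, so any later `gss_release_cred()` on `server_creds` in this function (not shown in the hunk) must be skipped when the handle came from the caller, or the plugin will release a credential it does not own; a flag recording whether the plugin acquired the credential itself would make that explicit. A short comment that `params->gss_creds` is `GSS_C_NO_CREDENTIAL` unless the application set `SASL_GSS_CREDS` would also make clear that the previous behaviour is preserved by default.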

GSS_C_NO_CREDENTIAL is defined as "((gss_cred_id_t) 0)" in RFC 2744, so
no extra initialization is needed.

This is not simply initialization, it's retrieving the value that a caller set, if any.

Have you compiled this change against both MIT and Heimdal?

Yes, using MIT Kerb 1.8.1 and Heimdal 1.2.1. (Not the latest Heimdal I know, but I don't think this is particularly version dependent.)

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
