Re: [nssldap] Daemon use of Kerberos with credentials renewal

I did post a patch some time ago which does renew credentials when required. Have a look at do_init_krb5_cache in http://netjoin.sf.net/nss_ldap-253-keytab.patch

Markus

----- Original Message -----
Sent: Thursday, July 26, 2007 2:21 PM
Subject: [nssldap] Daemon use of Kerberos with credentials renewal

I posted a modification to the nss_ldap code (against 252) to allow daemons to use central Credential Caches - this is a basic access check. This patch works fine but whenever the credentials are renewed then the daemon using them needs to be restarted. What I would like to do is to add a facility whereby the LDAP connection is abandoned and reconnected whenever the mtime on the file changes (hence the credentials have been refreshed). The hook would seem to be the do_open procedure in ldap-nss.c. However, calling stat on the file every time this procedure is entered will kill the system (performance will be awful) - so ideally we should decode the credentials cache and find out when the ticket expires when we actually do the bind. This then needs to be saved in the session structure and checked to see if the ticket has expired. Anybody know what code I need to call to do this?
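The approach the original post asks about (decode the credential cache once at bind time, keep the ticket's end time in the session, and make the do_open-time check a plain clock comparison rather than a stat of the cache file) as an added, stand-alone example. This is not code from nss_ldap, from Markus' patch, or from the poster; it is written in Python so it runs without libkrb5, and it includes its own decoder for the MIT krb5 FILE credential cache layout (format versions 3 and 4, big-endian integers, length-prefixed strings) as I understand that format, which is an assumption of the example. Inside nss_ldap itself the same result comes from the libkrb5 iteration API (krb5_cc_resolve, krb5_cc_start_seq_get, krb5_cc_next_cred, krb5_cc_end_seq_get) reading krb5_creds.times.endtime, with no file parsing. All principal names, times and the ticket blob are constructed sample data; the sample cache also carries one of MIT's X-CACHECONF: configuration entries so the expiry logic shows how to skip those rather than treating their zero end time as an expired ticket.

```python
import struct

# Added example, not nss_ldap code.  Layout assumed: MIT krb5 FILE ccache
# versions 3/4 (big-endian ints, u32-length-prefixed byte strings).  All
# principal names, times and the ticket blob below are constructed.

def _u16(v): return struct.pack(">H", v)
def _u32(v): return struct.pack(">I", v)
def _data(b): return _u32(len(b)) + b

def _principal(name):
    """Encode 'comp1/comp2@REALM' as name_type, component count, realm, components."""
    comps, realm = name.rsplit("@", 1)
    comps = comps.split("/")
    out = _u32(1) + _u32(len(comps)) + _data(realm.encode())
    return out + b"".join(_data(c.encode()) for c in comps)

def build_sample_ccache(client, creds):
    """Serialise a version-4 FILE ccache holding (server, endtime, renew_till) tuples."""
    buf = b"\x05\x04" + _u16(0) + _principal(client)    # magic, empty header, default principal
    for server, endtime, renew_till in creds:
        start = max(endtime - 36000, 0)
        buf += _principal(client) + _principal(server)
        buf += _u16(18) + _data(b"\x00" * 32)             # keyblock: aes256-cts, dummy key
        buf += _u32(start) * 2 + _u32(endtime) + _u32(renew_till)   # authtime, starttime, endtime, renew_till
        buf += b"\x00" + _u32(0)                          # is_skey, ticket flags
        buf += _u32(0) + _u32(0)                          # no addresses, no authdata
        buf += _data(b"\x61\x00") + _data(b"")            # dummy ticket, empty second ticket
    return buf

class _Reader:
    def __init__(self, blob):
        self.blob, self.pos = blob, 0
    def take(self, n):
        chunk = self.blob[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated credential cache")
        self.pos += n
        return chunk
    def u8(self): return self.take(1)[0]
    def u16(self): return struct.unpack(">H", self.take(2))[0]
    def u32(self): return struct.unpack(">I", self.take(4))[0]
    def data(self): return self.take(self.u32())
    def principal(self):
        self.u32()                                        # name type, unused here
        count = self.u32()
        realm = self.data().decode()
        return "/".join(self.data().decode() for _ in range(count)) + "@" + realm

def parse_ccache(blob):
    """Return (default principal, [(client, server, endtime, renew_till), ...])."""
    r = _Reader(blob)
    if r.u8() != 5:
        raise ValueError("not a krb5 FILE credential cache")
    version = r.u8()
    if version not in (3, 4):
        raise ValueError("unsupported ccache version %d" % version)
    if version == 4:
        r.take(r.u16())                                   # skip header tags (e.g. KDC time offset)
    default_principal = r.principal()
    creds = []
    while r.pos < len(blob):
        client, server = r.principal(), r.principal()
        r.u16()                                           # enctype
        if version == 3:
            r.u16()                                       # v3 stores the enctype twice
        r.data()                                          # key material, not needed
        times = [r.u32() for _ in range(4)]               # authtime, starttime, endtime, renew_till
        r.u8()                                            # is_skey
        r.u32()                                           # ticket flags
        for _ in range(r.u32()):                          # addresses: addrtype, data
            r.u16()
            r.data()
        for _ in range(r.u32()):                          # authdata: adtype, data
            r.u16()
            r.data()
        r.data()                                          # ticket
        r.data()                                          # second ticket
        creds.append((client, server, times[2], times[3]))
    return default_principal, creds

def ticket_expiry(blob):
    """Earliest end time of any real ticket; MIT's X-CACHECONF: config entries are skipped."""
    ends = [end for _, server, end, _ in parse_ccache(blob)[1]
            if not server.endswith("@X-CACHECONF:")]
    if not ends:
        raise ValueError("no tickets in credential cache")
    return min(ends)

class LdapSession:
    """Per-session state the thread proposes: expiry decoded once, at bind time."""
    def __init__(self, ccache_blob, now):
        self.bound_at = now
        self.ticket_expiry = ticket_expiry(ccache_blob)
    def needs_rebind(self, now, slack=60):
        # The do_open()-time check: a clock compare, no stat() of the cache file.
        return now + slack >= self.ticket_expiry

if __name__ == "__main__":
    NOW = 1700000000                                      # constructed clock value
    blob = build_sample_ccache("host/daemon.example.org@EXAMPLE.ORG", [
        ("krbtgt/EXAMPLE.ORG@EXAMPLE.ORG", NOW + 36000, NOW + 7 * 86400),
        ("ldap/ldap.example.org@EXAMPLE.ORG", NOW + 3600, NOW + 7 * 86400),
        ("krb5_ccache_conf_data/fast_avail@X-CACHECONF:", 0, 0)])
    s = LdapSession(blob, NOW)
    print("bound as", parse_ccache(blob)[0], "ticket expires at", s.ticket_expiry)
    print("rebind now?", s.needs_rebind(NOW), "in 59 min?", s.needs_rebind(NOW + 59 * 60))
```

The slack argument on needs_rebind is there so the reconnect happens shortly before the ticket lapses rather than on the first failed operation after it; the value is a tuning choice. Taking the minimum end time across all non-config entries is deliberately conservative: if the cache holds a TGT and an ldap/ service ticket with different lifetimes, the session is rebound when the shorter one runs out, which is when the existing bind can stop working.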