
Re: [nssldap] Re: Daemon use of Kerberos with credentials renewal

Markus Moeller wrote:
 
I did post a patch some time ago which does renew credentials when required. Have a look at do_init_krb5_cache in http://netjoin.sf.net/nss_ldap-253-keytab.patch
 
Markus
"Howard Wilkinson" <howard [at] cohtech.com> wrote in message news:11810353.post@talk.nabble.com...
I posted a modification to the nss_ldap code (against 252) to allow daemons to use central Credential Caches - this is a basic access check. This patch works fine, but whenever the credentials are renewed the daemon using them needs to be restarted. What I would like to do is to add a facility whereby the LDAP connection is abandoned and reconnected whenever the mtime on the file changes (hence the credentials have been refreshed). The hook would seem to be the do_open procedure in ldap-nss.c. However, calling stat on the file every time this procedure is entered will kill the system (performance will be awful) - so ideally we should decode the credentials cache and find out when the ticket expires when we actually do the bind. This then needs to be saved in the session structure and checked to see if the ticket has expired. Anybody know what code I need to call to do this?
I looked at your patch and it seems to do what I want just about. It is quite elegant, I especially like the ability to optionally feed in a keytab or allow the outside world to do the keytab to cache operations for you.

However, I do have a couple of points
  1. You automatically renew the credentials if the cache should have expired, rather than checking to see if somebody else has renewed them for you.
  2. You do not use the cache file settings in quite the same way that they are used elsewhere (this means that if the calling user does not have access to the configured cache file but does have access to the one passed in the environment, or the default, then you will not use the correct cache).
  3. You do not detect the root user and use the alternate SASL id.
I will fix the second and third items for our environment and post out a new patch. But do you see any reason not to check the on disc cache first before issuing a renew ourselves?

Howard.

--
Howard Wilkinson
Coherent Technology Limited
23 Northampton Square, United Kingdom, EC1V 0HL
Phone: +44(20)76907075
Fax:
Mobile: +44(7980)639379
Email: howard [at] cohtech.com
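The thread above describes two things without showing code: reading the ticket expiry out of the credential cache at bind time so that do_open() never has to stat() the file, and (Howard's first point) re-reading the on-disk cache once that expiry has passed to see whether an outside kinit has already refreshed it before renewing in-process. The following is an added example, not code from either patch or from nss_ldap itself. It decodes the MIT FILE credential cache format directly (version 4 only, big-endian) and models the decision as three outcomes. Session, refresh_decision and build_ccache are hypothetical names for illustration; the cache bytes are constructed inline rather than read from /tmp/krb5cc_* or a configured path, and the example goes beyond the post by also covering the "nobody refreshed it" case. A real daemon would normally get the same endtime through libkrb5 (krb5_cc_start_seq_get / krb5_cc_next_cred) instead of parsing the file itself; the format is shown here so the saved-expiry logic can run offline.

```python
"""Added example: decode a Kerberos FILE ccache (format v4), remember the TGT
endtime in the session, and consult the on-disk cache only once it has passed."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Cred:
    client: str
    server: str
    endtime: int      # seconds since the epoch, as stored in the ccache
    renew_till: int

@dataclass
class Session:                # hypothetical stand-in for the nss_ldap session structure
    ccache_path: str
    tgt_expiry: int = 0       # saved at bind time so do_open() never has to stat()

class _Reader:
    """Big-endian cursor over the ccache bytes (v4 is always network byte order)."""
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0
    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError("truncated ccache")
        chunk, self.pos = self.data[self.pos:self.pos + n], self.pos + n
        return chunk
    def u8(self) -> int:  return self.take(1)[0]
    def u16(self) -> int: return struct.unpack(">H", self.take(2))[0]
    def u32(self) -> int: return struct.unpack(">I", self.take(4))[0]
    def blob(self) -> bytes: return self.take(self.u32())
    def principal(self) -> str:
        self.u32()                                   # name type (present since v3)
        ncomp = self.u32()
        realm = self.blob().decode()
        return "/".join(self.blob().decode() for _ in range(ncomp)) + "@" + realm
    def eof(self) -> bool: return self.pos >= len(self.data)

def parse_ccache(data: bytes) -> Tuple[str, List[Cred]]:
    """Return (default principal, credentials) from a v4 FILE ccache."""
    r = _Reader(data)
    if r.take(2) != b"\x05\x04":
        raise ValueError("only FILE ccache version 4 is handled here")
    r.take(r.u16())                                  # v4 header: tag/len/value list
    default = r.principal()
    creds: List[Cred] = []
    while not r.eof():
        client, server = r.principal(), r.principal()
        r.u16(); r.blob()                            # keyblock: enctype, key bytes
        _auth, _start, endtime, renew_till = (r.u32() for _ in range(4))
        r.u8(); r.u32()                              # is_skey, ticket flags
        for _ in range(r.u32()): r.u16(); r.blob()   # addresses
        for _ in range(r.u32()): r.u16(); r.blob()   # authorization data
        r.blob(); r.blob()                           # ticket, second_ticket
        creds.append(Cred(client, server, endtime, renew_till))
    return default, creds

def tgt_endtime(default: str, creds: List[Cred]) -> Optional[int]:
    realm = default.rsplit("@", 1)[1]
    hits = [c.endtime for c in creds if c.server == f"krbtgt/{realm}@{realm}"]
    return max(hits) if hits else None

def refresh_decision(sess: Session, now: int, on_disk: bytes) -> str:
    """'keep': saved expiry not reached, so no disk access at all.
    'rebind': expiry passed but the cache on disk already holds a newer TGT
    (someone else renewed); 'renew': it is stale too, we must renew ourselves."""
    if now < sess.tgt_expiry:
        return "keep"
    new_end = tgt_endtime(*parse_ccache(on_disk))
    if new_end is not None and new_end > now:
        sess.tgt_expiry = new_end
        return "rebind"
    return "renew"

# --- constructed fixture standing in for what kinit would have written ---
def _blob(b: bytes) -> bytes: return struct.pack(">I", len(b)) + b

def _principal(p: str) -> bytes:
    name, realm = p.rsplit("@", 1)
    comps = name.split("/")
    return (struct.pack(">II", 1, len(comps)) + _blob(realm.encode())
            + b"".join(_blob(c.encode()) for c in comps))

def build_ccache(default: str, creds: List[Cred]) -> bytes:
    out = b"\x05\x04" + struct.pack(">HHHii", 12, 1, 8, 0, 0)   # header: DeltaTime tag
    out += _principal(default)
    for c in creds:
        out += _principal(c.client) + _principal(c.server)
        out += struct.pack(">H", 18) + _blob(bytes(32))          # aes256 keyblock, zeroed
        out += struct.pack(">IIII", c.endtime - 36000, c.endtime - 36000, c.endtime, c.renew_till)
        out += b"\x00" + struct.pack(">I", 0x40a00000)           # is_skey, ticket flags
        out += struct.pack(">II", 0, 0)                          # no addresses, no authdata
        out += _blob(b"opaque-ticket") + _blob(b"")
    return out

REALM, T0 = "EXAMPLE.COM", 1_700_000_000                        # constructed realm and "now"
HOST, TGT = f"host/ldap1.example.com@{REALM}", f"krbtgt/{REALM}@{REALM}"

def demo() -> Tuple[str, str, str]:
    at_bind = build_ccache(HOST, [Cred(HOST, TGT, T0 + 36000, T0 + 7 * 86400)])
    sess = Session("/var/run/nss_ldap.ccache", tgt_endtime(*parse_ccache(at_bind)))
    a = refresh_decision(sess, T0 + 3600, at_bind)      # within lifetime: keep
    refreshed = build_ccache(HOST, [Cred(HOST, TGT, T0 + 72000, T0 + 7 * 86400)])
    b = refresh_decision(sess, T0 + 36001, refreshed)   # external kinit renewed: rebind
    c = refresh_decision(sess, T0 + 72001, refreshed)   # nobody did: renew ourselves
    return a, b, c
```

Calling demo() yields ("keep", "rebind", "renew"). The saved tgt_expiry is what replaces the per-call stat(): the file is only opened and decoded after the stored endtime has passed, and only when the decoded TGT is still stale does the daemon fall through to renewing on its own, which is the ordering Howard's first point asks for.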