path: root/config.h.in
author    Rich Megginson <rmeggins@redhat.com>    2008-11-12 17:42:37 +0000
committer Rich Megginson <rmeggins@redhat.com>    2008-11-12 17:42:37 +0000
commit    f376efb4b33d7c9ba5c99dd487a773f6d1538766 (patch)
tree      64c6bf3b449351b2141a5788d95d0e6b062ce050 /config.h.in
parent    b9dd50478ad4ad824da670c7f5053e2fecb14613 (diff)
download  ds-f376efb4b33d7c9ba5c99dd487a773f6d1538766.tar.gz
          ds-f376efb4b33d7c9ba5c99dd487a773f6d1538766.tar.xz
          ds-f376efb4b33d7c9ba5c99dd487a773f6d1538766.zip
Resolves: bug 469261
Bug Description: Support server-to-server SASL - kerberos improvements
Reviewed by: ssorce (Thanks!)
Fix Description: I made several improvements to the kerberos code at Simo's suggestion. First look for the principal in the ccache. If not found, use the username if it does not look like a DN. If still not found, construct a principal using the krb5_sname_to_principal() function to construct "ldap/fqdn@REALM". Next, see if the credentials for this principal are still valid. In order to grab the credentials from the ccache, I needed to construct the server principal, which in this case is the TGS service principal (e.g. krbtgt/REALM@REALM). If the credentials are present and not expired, then the code assumes they are ok and does not acquire new credentials. If the credentials are expired or not found, the code will then use the keytab to authenticate.
Based on more feedback from Simo, I made some additional changes:
* Go ahead and reacquire the creds if they have expired or will expire in 30 seconds - this is not configurable but could be made to be - 30 seconds should be long enough so that the credentials will not expire by the time they are actually used deep in the ldap/sasl/gssapi/krb code, and short enough so that this won't cause unnecessary credential churn
* Retry the bind in the case of Ticket expired. There is no way that I can see to get the actual error code - fortunately the extended ldap error message has this information
Platforms tested: Fedora 8, Fedora 9
Flag Day: no
Doc impact: oh yes
Diffstat (limited to 'config.h.in')
-rw-r--r--  config.h.in  | 12
1 files changed, 12 insertions, 0 deletions
diff --git a/config.h.in b/config.h.in
index d3febbb5..e3175ca9 100644
--- a/config.h.in
+++ b/config.h.in
@@ -84,12 +84,24 @@
/* Define to 1 if you have the `getpagesize' function. */
#undef HAVE_GETPAGESIZE
+/* define if you have HEIMDAL Kerberos */
+#undef HAVE_HEIMDAL_KERBEROS
+
+/* Define to 1 if you have the <heim_err.h> header file. */
+#undef HAVE_HEIM_ERR_H
+
/* Define to 1 if you have the `inet_ntoa' function. */
#undef HAVE_INET_NTOA
/* Define to 1 if you have the <inttypes.h> header file. */
#undef HAVE_INTTYPES_H
+/* define if you have Kerberos V */
+#undef HAVE_KRB5
+
+/* Define to 1 if you have the `krb5_cc_new_unique' function. */
+#undef HAVE_KRB5_CC_NEW_UNIQUE
+
/* Define to 1 if you have the `localtime_r' function. */
#undef HAVE_LOCALTIME_R
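Review bot: the two new template comments `/* define if you have HEIMDAL Kerberos */` and `/* define if you have Kerberos V */` use a lower-case "define if" wording, while every neighbouring entry in this hunk (including the new `HAVE_HEIM_ERR_H` and `HAVE_KRB5_CC_NEW_UNIQUE`) uses autoheader's "Define to 1 if you have ..." form. Since config.h.in is generated from the description strings of the corresponding AC_DEFINE calls, the wording should be fixed in the configure source and the file regenerated rather than hand-edited, so the next autoheader run does not silently change it back. It is also worth confirming in the code that consumes these macros that any include of <heim_err.h> is guarded by `HAVE_HEIM_ERR_H` rather than by `HAVE_HEIMDAL_KERBEROS` alone, so a Heimdal build where that header is absent still compiles.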