KRB5 context is not updated when starting a new Apache session
(using mod_auth_kerb)
Hai Zaar
haizaar at gmail.com
Wed May 30 04:51:16 EDT 2007
On 5/30/07, Guus Leeuw jr. <guus.leeuw at guusleeuwit.com> wrote:
> Hi,
>
> looking at OpenLDAP and KRB5, the question really boils down to:
> Why do you want to rebind through OpenLDAP in case mod_auth_kerb has already
> got the ticket in the first place?
Well, for example, if I build an LDAP web interface, I want to use the user's
credentials that I've got from the web browser to browse the LDAP server.
>
> OpenLDAP's ldapsearch has an option -Y GSSAPI which acts pretty much like -x,
> but uses the kerberos ticket that is already there. Normally you'd do
> something similar in PHP (and extend PHP in case something similar is not
> available). From the top of my head, I don't think that OpenLDAP is re-binding
> in the case of -Y GSSAPI, so they must call something similar that,
> presumably, is available in the LDAP API. I'm not sure how standard -Y GSSAPI
> is, though.
It's not on the LDAP layer. From what we've seen, the problem is on the GSSAPI layer.
>
> Ultimately, using Kerberos, you'd want your user to log in *once* and make
> sure that LDAP can re-use the ticket. Why else bother with kerberos based
> authentication in the first place ;)
>
> On another note, did you look at PHP's LDAP Connection caching, making sure
> that that doesn't screw up the bill?
We've added many printouts to related functions in the PHP source code,
and the call sequence is similar. Again, neither LDAP nor SASL is
aware of Kerberos at all. The problem is that when you clean up the
GSSAPI context, the default credentials location of the underlying krb5
context is not cleaned (and keeps pointing to a file which will not
exist in the next session).
--
Zaar
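A defensive check for the failure mode described in this thread, as an added example that is not code from the thread or from mod_auth_kerb: before a per-request GSSAPI bind, resolve the credential cache from the request environment and refuse to bind when the cache file it names no longer exists (assumed: mod_auth_kerb exports the delegated cache as KRB5CCNAME in the request environment; the function names are the example's own).

```python
import os
import tempfile


def ccache_path(ccname):
    """Return the filesystem path behind a FILE:-type credential cache name.

    A bare path without a type prefix is treated as FILE: by libkrb5.
    Other cache types (MEMORY:, DIR:, KEYRING:) are not files, so None is returned.
    """
    if ccname.startswith("FILE:"):
        return ccname[len("FILE:"):]
    if ":" not in ccname:
        return ccname
    return None


def fresh_ccache(request_env):
    """Pick the credential cache to use for this request's GSSAPI bind.

    Only the request's own KRB5CCNAME is trusted (assumption: set by
    mod_auth_kerb per request). The process-wide default is deliberately
    ignored, because the long-lived worker's krb5 context may still point
    at a cache file from an earlier session that has since been removed.
    Returns the cache name to export for the bind, or None if no usable
    cache exists (caller should not attempt the bind in that case).
    """
    ccname = request_env.get("KRB5CCNAME")
    if not ccname:
        return None
    path = ccache_path(ccname)
    if path is None:
        return ccname  # non-file cache types are not covered by this check
    if not os.path.isfile(path):
        return None  # stale name left over from a previous session
    return ccname


def demo():
    """Constructed scenario: the cache exists during session one, is removed at
    teardown, and the same name reappears in a later request."""
    fd, path = tempfile.mkstemp(prefix="krb5cc_apache_")
    os.close(fd)
    ccname = "FILE:" + path
    first_ok = fresh_ccache({"KRB5CCNAME": ccname}) == ccname
    os.unlink(path)  # session teardown deletes the cache file
    second_rejected = fresh_ccache({"KRB5CCNAME": ccname}) is None
    return first_ok, second_rejected
```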