[Fedora-directory-devel] Please review: Bug 469261 - Support server-to-server SASL - kerberos improvements
Rich Megginson
rmeggins at redhat.com
Thu Nov 6 21:45:22 UTC 2008
https://bugzilla.redhat.com/show_bug.cgi?id=469261
Resolves: bug 469261
Bug Description: Support server-to-server SASL - kerberos improvements
Reviewed by: ???
Files: see diff
Branch: HEAD
Fix Description: I made several improvements to the kerberos code at
Simo's suggestion
First look for the principal in the ccache. If not found, use the
username if it does not look like a DN. If still not found, construct a
principal using the krb5_sname_to_principal() function to construct
"ldap/fqdn at REALM".
Next, see if the credentials for this principal are still valid. In
order to grab the credentials from the ccache, I needed to construct the
server principal, which in this case is the TGS service principal (e.g.
krbtgt/REALM at REALM). If the credentials are present and not expired,
then the code assumes they are ok and does not acquire new credentials.
If the credentials are expired or not found, the code will then use the
keytab to authenticate.
Platforms tested: Fedora 8, Fedora 9
Flag Day: no
Doc impact: no
https://bugzilla.redhat.com/attachment.cgi?id=322788&action=diff
More information about the 389-devel
mailing list