Date: Thu, 12 Oct 2006 14:30:36 GMT From: Michael Bushkov <bushman@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 107762 for review Message-ID: <200610121430.k9CEUaR8090078@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=107762

Change 107762 by bushman@bushman_nss_ldap_cached on 2006/10/12 14:30:24

	+ support for krb5_ccname added (requires proper testing)

Affected files ...

.. //depot/projects/soc2006/nss_ldap_cached/src/lib/nss_ldap/ldapconf.h#12 edit
.. //depot/projects/soc2006/nss_ldap_cached/src/lib/nss_ldap/ldapconn.c#12 edit
.. //depot/projects/soc2006/nss_ldap_cached/src/lib/nss_ldap/ldapconn.h#13 edit

Differences ...

==== //depot/projects/soc2006/nss_ldap_cached/src/lib/nss_ldap/ldapconf.h#12 (text+ko) ====

==== //depot/projects/soc2006/nss_ldap_cached/src/lib/nss_ldap/ldapconn.c#12 (text+ko) ====

@@ -927,6 +927,10 @@
 struct nss_ldap_configuration *conf,
 struct nss_ldap_connection_error *err)
 {
+#ifdef NSS_LDAP_USE_KRB5_CCNAME
+ char tempbuf[256];
+ char *ccname, *ccfile, *old_ccname;
+#endif
 char *pw, *dn, *err_str;
 int rv;

@@ -946,7 +950,7 @@
 (void *)&err_str) != LDAP_SUCCESS)
 err_str = NULL;
 snprintf(err->description, NSS_LDAP_MAX_ERR_DESC_SIZE,
- "ldap_sasl_interactive_bind_s() error: %s; %s\n",
+ "ldap_get_option() error: %s; %s\n",
 ldap_err2string(err->err_num),
 err_str == NULL ? "" : err_str);
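Review bot: The outer `char *ccname, *ccfile, *old_ccname;` declaration introduces a `ccfile` that is never used at function scope, because the feature body in the next hunk declares its own block-local `char *ccfile;` inside the `FILE:`/`WRFILE:` branch; keep only one, e.g. `char *ccname, *old_ccname;` here, so the two do not shadow each other. `tempbuf[256]` is also an unexplained cap on the saved KRB5CCNAME value (ccache names are path-like and may be longer); a comment such as `/* saved KRB5CCNAME, restored after the GSSAPI bind */` stating what it holds, and what happens to a value that does not fit, belongs next to it. The function's signature begins before this hunk. ldapconf.h#12 is listed as edited but no hunk for it appears in this message, so the `krb5_ccname` configuration field the new code reads could not be reviewed here.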
@@ -955,9 +959,55 @@
 return (NSS_LDAP_CONNECTION_ERROR);
 }
 }
+
+#ifdef NSS_LDAP_USE_KRB5_CCNAME
+ ccname = __nss_ldap_conf->krb5_ccname;
+ if (ccname != NULL) {
+ /*
+ * If krb5_ccname points to a file, we should check it is exists -
+ * this idea was suggested by Howard Wilkinson. This check, for
+ * example, allows the caching daemon to use the specified
+ * credentials cache, whenever all other unpriviledged applications
+ * will use their own credentials cache.
+ */
+ if ((strncasecmp(ccname, "FILE:", sizeof("FILE:") - 1) == 0)
+ || (strncasecmp(ccname, "WRFILE:", sizeof("WRFILE:") - 1)
+ == 0)) {
+ char *ccfile;
+ ccfile = strchr(ccname, ':') + 1;
+ if (access(ccfile, R_OK) != 0) {
+ __nss_ldap_log(NSS_LDAP_LL_DEBUG_INT,
+ "ccache file (%s) is inaccessible, "
+ "krb5_ccname is \"%s\"", ccname);
+ ccname = NULL;
+ }
+ }
+
+ if (ccname != NULL) {
+ old_ccname = getenv("KRB5CCNAME");
+ strncpy(tempbuf, old_ccname, sizeof(old_tempbuf) - 1);
+
+ if (setenv("KRB5CCNAME",
+ __nss_ldap_conf->krb5_ccname, 1) != 0) {
+ ccname = NULL;
+ __nss_ldap_log(NSS_LDAP_LL_WARN,
+ "setenv(\"KRB5CCNAME\", ...) failed");
+ }
+ }
+ }
+#endif /* NSS_LDAP_USE_KRB5_CCNAME */
 rv = ldap_sasl_interactive_bind_s(conn->ld, dn, "GSSAPI", NULL, NULL, LDAP_SASL_QUIET, nss_ldap_sasl_interact, pw);
+
+#ifdef NSS_LDAP_USE_KRB5_CCNAME
+ if (ccname != NULL)
+ if (setenv("KRB5CCNAME", tempbuf, 1) != 0)
+ __nss_ldap_log(NSS_LDAP_LL_WARN,
+ "setenv(\"KRB5CCNAME\", ...) failed while restoring "
+ "original value");
+#endif /* NSS_LDAP_USE_KRB5_CCNAME */
+
 if (rv != LDAP_SUCCESS) {
 err->err_num = rv;
 if (ldap_get_option(conn->ld, LDAP_OPT_ERROR_STRING,

==== //depot/projects/soc2006/nss_ldap_cached/src/lib/nss_ldap/ldapconn.h#13 (text+ko) ====
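Review bot: The save/restore of KRB5CCNAME in the new `if (ccname != NULL)` block cannot compile with NSS_LDAP_USE_KRB5_CCNAME defined, because `sizeof(old_tempbuf)` names a variable that does not exist (`sizeof(tempbuf)` was meant), and even with that fixed it copies from `old_ccname` without checking that `getenv()` returned non-NULL, leaves `tempbuf` unterminated when the old value fills it, and on restore re-creates a variable that may never have been set instead of calling `unsetenv()`. The inaccessible-ccache log call earlier in the same block passes one argument for two `%s` conversions, which reads an unrelated stack slot; it should read `"krb5_ccname is \"%s\"", ccfile, ccname);`. The rewrite below saves the old value with strlcpy, skips the override when it cannot be saved faithfully, and restores with unsetenv when there was none. Because this runs inside an NSS module that is loaded into arbitrary processes, mutating the process environment around the bind is not safe against other threads calling getenv at the same time; that limitation is worth stating in the comment on the #ifdef. The enclosing function starts before this hunk.
```c
		if (ccname != NULL) {
			old_ccname = getenv("KRB5CCNAME");
			if (old_ccname != NULL &&
			    strlcpy(tempbuf, old_ccname, sizeof(tempbuf)) >=
			    sizeof(tempbuf)) {
				/* Could not be restored faithfully: leave it alone. */
				__nss_ldap_log(NSS_LDAP_LL_WARN,
				    "KRB5CCNAME value too long to save, not overriding it");
				ccname = NULL;
			} else if (setenv("KRB5CCNAME",
			    __nss_ldap_conf->krb5_ccname, 1) != 0) {
				ccname = NULL;
				__nss_ldap_log(NSS_LDAP_LL_WARN,
				    "setenv(\"KRB5CCNAME\", ...) failed");
			}
		}
	}
#endif /* NSS_LDAP_USE_KRB5_CCNAME */
	/* … unchanged: ldap_sasl_interactive_bind_s() call … */
#ifdef NSS_LDAP_USE_KRB5_CCNAME
	if (ccname != NULL) {
		/* Restore exactly what was there, absence included. */
		if (old_ccname == NULL)
			unsetenv("KRB5CCNAME");
		else if (setenv("KRB5CCNAME", tempbuf, 1) != 0)
			__nss_ldap_log(NSS_LDAP_LL_WARN,
			    "setenv(\"KRB5CCNAME\", ...) failed while restoring "
			    "original value");
	}
#endif /* NSS_LDAP_USE_KRB5_CCNAME */
```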