From owner-p4-projects@FreeBSD.ORG Thu Oct 12 14:31:47 2006
Date: Thu, 12 Oct 2006 14:30:36 GMT
Message-Id: <200610121430.k9CEUaR8090078@repoman.freebsd.org>
From: Michael Bushkov
To: Perforce Change Reviews
Subject: PERFORCE change 107762 for review
X-List-Received-Date: Thu, 12 Oct 2006 14:31:47 -0000

http://perforce.freebsd.org/chv.cgi?CH=107762

Change 107762 by bushman@bushman_nss_ldap_cached on 2006/10/12 14:30:24

+ support for krb5_ccname added (requires proper testing)

Affected files ...

.. //depot/projects/soc2006/nss_ldap_cached/src/lib/nss_ldap/ldapconf.h#12 edit
.. //depot/projects/soc2006/nss_ldap_cached/src/lib/nss_ldap/ldapconn.c#12 edit
.. //depot/projects/soc2006/nss_ldap_cached/src/lib/nss_ldap/ldapconn.h#13 edit

Differences ...

==== //depot/projects/soc2006/nss_ldap_cached/src/lib/nss_ldap/ldapconf.h#12 (text+ko) ====

==== //depot/projects/soc2006/nss_ldap_cached/src/lib/nss_ldap/ldapconn.c#12 (text+ko) ====

@@ -927,6 +927,10 @@ struct nss_ldap_configuration *conf, struct nss_ldap_connection_error *err) { +#ifdef NSS_LDAP_USE_KRB5_CCNAME + char tempbuf[256]; + char *ccname, *ccfile, *old_ccname; +#endif char *pw, *dn, *err_str; int rv; @@ -946,7 +950,7 @@ (void *)&err_str) != LDAP_SUCCESS) err_str = NULL; snprintf(err->description, NSS_LDAP_MAX_ERR_DESC_SIZE, - "ldap_sasl_interactive_bind_s() error: %s; %s\n", + "ldap_get_option() error: %s; %s\n", ldap_err2string(err->err_num), err_str == NULL ? "" : err_str); 
@@ -955,9 +959,55 @@ return (NSS_LDAP_CONNECTION_ERROR); } } + +#ifdef NSS_LDAP_USE_KRB5_CCNAME + ccname = __nss_ldap_conf->krb5_ccname; + if (ccname != NULL) { + /* + * If krb5_ccname points to a file, we should check it is exists - + * this idea was suggested by Howard Wilkinson. This check, for + * example, allows the caching daemon to use the specified + * credentials cache, whenever all other unpriviledged applications + * will use their own credentials cache. + */ + if ((strncasecmp(ccname, "FILE:", sizeof("FILE:") - 1) == 0) + || (strncasecmp(ccname, "WRFILE:", sizeof("WRFILE:") - 1) + == 0)) { + char *ccfile; + ccfile = strchr(ccname, ':') + 1; + if (access(ccfile, R_OK) != 0) { + __nss_ldap_log(NSS_LDAP_LL_DEBUG_INT, + "ccache file (%s) is inaccessible, " + "krb5_ccname is \"%s\"", ccname); + ccname = NULL; + } + } + + if (ccname != NULL) { + old_ccname = getenv("KRB5CCNAME"); + strncpy(tempbuf, old_ccname, sizeof(old_tempbuf) - 1); + + if (setenv("KRB5CCNAME", + __nss_ldap_conf->krb5_ccname, 1) != 0) { + ccname = NULL; + __nss_ldap_log(NSS_LDAP_LL_WARN, + "setenv(\"KRB5CCNAME\", ...) failed"); + } + } + } +#endif /* NSS_LDAP_USE_KRB5_CCNAME */ rv = ldap_sasl_interactive_bind_s(conn->ld, dn, "GSSAPI", NULL, NULL, LDAP_SASL_QUIET, nss_ldap_sasl_interact, pw); + +#ifdef NSS_LDAP_USE_KRB5_CCNAME + if (ccname != NULL) + if (setenv("KRB5CCNAME", tempbuf, 1) != 0) + __nss_ldap_log(NSS_LDAP_LL_WARN, + "setenv(\"KRB5CCNAME\", ...) failed while restoring " + "original value"); +#endif /* NSS_LDAP_USE_KRB5_CCNAME */ + if (rv != LDAP_SUCCESS) { err->err_num = rv; if (ldap_get_option(conn->ld, LDAP_OPT_ERROR_STRING, ==== //depot/projects/soc2006/nss_ldap_cached/src/lib/nss_ldap/ldapconn.h#13 (text+ko) ====
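Review bot: in the first ldapconn.c hunk (@@ -927,6 +927,10 @@), `char *ccfile` is declared at function scope under NSS_LDAP_USE_KRB5_CCNAME, but the FILE:/WRFILE: branch in the later hunk declares its own `char *ccfile;`, so the outer one is never used and only shadows; drop one of the two. `tempbuf[256]` is also a fixed-size copy of an environment value (a ccache path) that is not guaranteed to fit, so the code that copies into it must truncate safely and NUL-terminate.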
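Review bot: the KRB5CCNAME save/restore in the @@ -955,9 +959,55 @@ hunk has several defects. `strncpy(tempbuf, old_ccname, sizeof(old_tempbuf) - 1)` refers to a non-existent `old_tempbuf` (it should be `sizeof(tempbuf)`), so an NSS_LDAP_USE_KRB5_CCNAME build does not compile; `old_ccname = getenv("KRB5CCNAME")` is NULL when the variable is unset and is passed straight to strncpy; strncpy does not NUL-terminate when the value is 255 bytes or longer, so `tempbuf[sizeof(tempbuf) - 1] = '\0'` is needed; and the restore after the bind calls `setenv("KRB5CCNAME", tempbuf, 1)` even when nothing was set before, where `unsetenv("KRB5CCNAME")` is the right call. The debug message `"ccache file (%s) is inaccessible, krb5_ccname is \"%s\"", ccname` has two `%s` conversions but only one argument; pass `ccfile, ccname`. The `access(ccfile, R_OK)` check is advisory only (it tests the real uid and the file can change before the bind), so the bind path must still cope with an unusable ccache. Finally, because this runs inside an NSS module loaded into arbitrary processes, rewriting the process-wide environment for the duration of ldap_sasl_interactive_bind_s() is visible to every other thread, and a concurrent Kerberos operation in the host application could pick up the configured ccache instead of its own; if the GSSAPI library in use offers a per-process ccache setting such as gss_krb5_ccache_name(), prefer that over the environment, and either way add braces around the nested `if (ccname != NULL) if (setenv(...))`.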