[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: KRB5 context is not updated when starting a new Apache session(using mod_auth_kerb)

On Wed, 30 May 2007 10:10:25 +0300
"gil ran" <gilrun@gmail.com> wrote:

> Hi.
> I am using a Linux-From-Scratch based Linux, with OpenLdap-2.3.27,
> Heimdal-0.7.2, Apache-httpd-2.2.4, mod_auth_kerb-5.3 and php-5.2.1.
> I'm trying to use OpenLDAP (over Heimdal GSSAPI with KRB5) from
> mod_php under Apache (using php's ldap_sasl_bind with GSSAPI as
> mechanism - it calls lsap_sasl_interactive_bind_s). Apache is
> configured to re-use processes for handling multiple sessions
> (mpm_workers_module with MaxRequestsPerChild of 0). The first time my
> code runs inside any given httpd process it works OK. After that it
> always fails with credentials error, which points to non-existing
> credentials file from the previous time.
> After some digging I discovered that the problem is due to KRB5CCNAME
> evironment variable changes. When a process is re-used by Apache, it
> first invokes mob_auth_kerb which authenticates and sets KRB5CCNAME
> environment variable. The problem is that GSSAPI already has an
> existing KRB5 context (from the previous time) which already has
> default_cc_name. KRB5 does not re-read the environment variable and
> stays with incorrect credentials file name.
> It looks as if GSSAPI is not designed to be invoked from process
> handling multiple sessions, because it does not have either of:
> 1) A way to re-initialize the default credentials file if the
> environment changes
> What would be the proper solution for this?

Hi Gil,

I believe this has been fixed in 0.8. But here is the thread that
discusses the problem:


If you want to use 0.7 I recommend that you get 0.8 and look at the
changes specific to the problem and craft a new patch.


Michael B Allen
PHP Active Directory Kerberos SSO