
Re: KRB5 context is not updated when starting a new Apache session (using mod_auth_kerb)



On Wed, 30 May 2007 10:10:25 +0300
"gil ran" <gilrun@gmail.com> wrote:

> Hi.
> 
> I am using a Linux-From-Scratch based Linux, with OpenLdap-2.3.27,
> Heimdal-0.7.2, Apache-httpd-2.2.4, mod_auth_kerb-5.3 and php-5.2.1.
> 
> I'm trying to use OpenLDAP (over Heimdal GSSAPI with KRB5) from
> mod_php under Apache (using php's ldap_sasl_bind with GSSAPI as
> mechanism - it calls ldap_sasl_interactive_bind_s). Apache is
> configured to re-use processes for handling multiple sessions
> (mpm_workers_module with MaxRequestsPerChild of 0). The first time my
> code runs inside any given httpd process it works OK. After that it
> always fails with a credentials error, which points to a non-existing
> credentials file from the previous time.
> 
> After some digging I discovered that the problem is due to KRB5CCNAME
> environment variable changes. When a process is re-used by Apache, it
> first invokes mod_auth_kerb which authenticates and sets the KRB5CCNAME
> environment variable. The problem is that GSSAPI already has an
> existing KRB5 context (from the previous time) which already has
> default_cc_name. KRB5 does not re-read the environment variable and
> stays with the incorrect credentials file name.
> 
> It looks as if GSSAPI is not designed to be invoked from process
> handling multiple sessions, because it does not have either of:
> 1) A way to re-initialize the default credentials file if the
> environment changes
<snip>
> What would be the proper solution for this?

Hi Gil,

I believe this has been fixed in 0.8. But here is the thread that
discusses the problem:

http://www.mail-archive.com/heimdal-discuss@sics.se/msg00362.html

If you want to use 0.7 I recommend that you get 0.8 and look at the
changes specific to the problem and craft a new patch.

Mike

-- 
Michael B Allen
PHP Active Directory Kerberos SSO
http://www.ioplex.com/