
Re: Serialize krb5_creds

On Wed, 24 Oct 2007 15:25:48 -0700
"Zeqing (Fred) Xia" <fxia@juniper.net> wrote:

> Hi,
> I have a need to share krb5_creds among multiple processes. File cache is not an option. So I'm thinking about serializing/deserializing the krb5_creds data structure. Something like this:
> In one process:
>     char* blob = krb5_serialize_creds(&creds, int* size);
>     int r = write(socket_fd, blob, size);
> In another process:
>     int len = read(socket_fd, buf, maxsz);
>     r = krb5_deserialize_creds(&creds, buf, len);
> etc.
> I wonder if something similar has already been implemented in the Kerberos API. I looked around and could not find anything readily usable, although similar code exists for read/write ops on a file cache.

Hi Fred,

You might want to look at kcm in heimdal.

Otherwise, alternative credential cache storage has been discussed
at great length, most recently on the kerberos mailing list. The
credential cache API is supposed to be suitable for creating alternative
implementations. I believe it was generally agreed that an mmap-based
implementation with child processes inheriting the descriptor used with
mmap would be suitable for many of these scenarios where you don't want
to use a file cache. You might consider doing something like that. If
your processes are not related (meaning they cannot inherit the mmap
file descriptor) then you'll have to use kcm or create a daemon of your own.


Michael B Allen
PHP Active Directory SPNEGO SSO
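
The mmap approach described in the reply above, as an added example (not code from the thread, MIT Kerberos or Heimdal): a parent stores an opaque length-prefixed blob in an unlinked, mmap-backed file and a forked child reads it through the inherited descriptor. `REGION_SIZE`, the `region_*` helpers, the `/tmp/ccshare-` template and the sample bytes are assumptions; real code would place its own serialized `krb5_creds` bytes in the blob.

```c
#define _XOPEN_SOURCE 700
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>
#define REGION_SIZE 4096u /* assumed upper bound for one serialized credential */

/* mkstemp() creates it 0600; unlink() drops the name: only fd holders reach it. */
static int region_create(void) {
    char path[] = "/tmp/ccshare-XXXXXX"; /* hypothetical name template */
    int fd = mkstemp(path);
    if (fd >= 0 && (unlink(path) != 0 || ftruncate(fd, REGION_SIZE) != 0)) { close(fd); fd = -1; }
    return fd;
}
/* Store a length-prefixed blob; reject anything that does not fit. */
static int region_put(int fd, const void *blob, uint32_t len) {
    if (len > REGION_SIZE - sizeof len) return -1;
    uint8_t *p = mmap(NULL, REGION_SIZE, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (p == MAP_FAILED) return -1;
    memcpy(p, &len, sizeof len);
    memcpy(p + sizeof len, blob, len);
    return munmap(p, REGION_SIZE);
}
/* Read the blob back; the stored length is validated before any copy. */
static long region_get(int fd, void *out, uint32_t outsz) {
    uint32_t len;
    uint8_t *p = mmap(NULL, REGION_SIZE, PROT_READ, MAP_SHARED, fd, 0);
    if (p == MAP_FAILED) return -1;
    memcpy(&len, p, sizeof len);
    int ok = len <= REGION_SIZE - sizeof len && len <= outsz;
    if (ok) memcpy(out, p + sizeof len, len);
    munmap(p, REGION_SIZE);
    return ok ? (long)len : -1;
}
/* Parent writes, forked child reads via the inherited fd; 0 = bytes matched. */
static int share_with_child(const void *blob, uint32_t len) {
    int fd = region_create(), status = 0;
    if (fd < 0 || region_put(fd, blob, len) != 0) { if (fd >= 0) close(fd); return -1; }
    pid_t pid = fork();
    if (pid == 0) { /* child: maps the inherited descriptor itself */
        uint8_t buf[REGION_SIZE];
        _exit(region_get(fd, buf, sizeof buf) == (long)len && memcmp(buf, blob, len) == 0 ? 0 : 1);
    }
    close(fd);
    if (pid < 0 || waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
static const char SAMPLE[] = "constructed-sample-credential"; /* constructed, not real krb5 data */
int main(void) { return share_with_child(SAMPLE, sizeof SAMPLE); }
```

Unrelated processes cannot inherit the descriptor, which is the case the reply sends to kcm or a dedicated daemon.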