List: nssldap
Subject: [nssldap] Re: Re: Daemon use of Kerberos with credentials renewal
From: "Markus Moeller" <huaraz () moeller ! plus ! com>
Date: 2007-07-27 18:36:12
Message-ID: f8ddv1$4t4$1 () sea ! gmane ! org
I didn't say the patch was perfect ;-).

To point 1) I was really intending to use a memory cache only used by nscd (but I think I didn't understand well enough when nscd is used and when not). If it is a file cache then an mtime check may make sense (is it because of performance concerns that you prefer this over just renewing the cache?). BTW an mtime check may not mean the cache has been successfully updated, or?

To point 2) Yes, I added some code as a fallback to use the user's own credential cache. If you disagree with that, that's OK.

To point 3) Not sure why that is needed. Can you explain?

BTW I still need to do memory cleanup checks (e.g. a couple of krb5_xx_free) !!

Regards
Markus
"Howard Wilkinson" <howard@cohtech.com> wrote in message news:46A9ADB9.5030301@cohtech.com... Markus Moeller wrote:

I did post a patch some time ago which does renew credentials when required. Have a look at do_init_krb5_cache in http://netjoin.sf.net/nss_ldap-253-keytab.patch

Markus
"Howard Wilkinson" <howard@cohtech.com> wrote in message news:11810353.post@talk.nabble.com...

I posted a modification to the nss_ldap code (against 252) to allow daemons to use central Credential Caches - this is a basic access check. This patch works fine, but whenever the credentials are renewed the daemon using them needs to be restarted. What I would like to do is to add a facility whereby the LDAP connection is abandoned and reconnected whenever the mtime on the file changes (hence the credentials have been refreshed). The hook would seem to be the do_open procedure in ldap-nss.c. However, calling stat on the file every time this procedure is entered will kill the system (performance will be awful) - so ideally we should decode the credentials cache and find out when the ticket expires when we actually do the bind. This then needs to be saved in the session structure and checked to see if the ticket has expired. Anybody know what code I need to call to do this?
I looked at your patch and it seems to do what I want just about. It is quite elegant; I especially like the ability to optionally feed in a keytab or allow the outside world to do the keytab to cache operations for you.

However, I do have a couple of points:

1. You automatically renew the credentials if the cache should have expired rather than checking to see if somebody else has renewed them for you.
2. You do not use the cache file settings in quite the same way that they are used elsewhere (this means that if the calling user does not have access to the configured cache file but does have access to the environment passed one or the default then you will not use the correct cache).
3. You do not detect the root user and use the alternate SASL id.

I will fix the second and third items for our environment and post out a new patch. But do you see any reason not to check the on disc cache first before issuing a renew ourselves?

Howard.
--
Howard Wilkinson
Coherent Technology Limited
23 Northampton Square, United Kingdom, EC1V 0HL
Phone: +44(20)76907075
Mobile: +44(7980)639379
Email: howard@cohtech.com
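Howard's open question is what to call so that the daemon learns, at bind time, when its ticket expires, stores that in the session structure and later decides whether to reconnect, and whether the on-disk cache should be consulted before renewing. The C below is an added example, not code from nss_ldap or from the patch linked above. It reads a MIT file credential cache (format version 4) to pull out the TGT's endtime, and `session_needs_rebind` combines the endtime saved at bind time with a look at the cache, so the daemon rebinds either when its own ticket is about to expire or when the cache already holds a later TGT (somebody else renewed it). The hand-written parser stands in for libkrb5 so the example builds without it; inside nss_ldap the same value comes from `krb5_cc_resolve` / `krb5_cc_start_seq_get` / `krb5_cc_next_cred` and `creds.times.endtime`. The sample cache, the principal names, the key, the times and all function names are constructed for this example.

```c
/* Added example, not code from nss_ldap or the thread's patch. A small reader for
 * the MIT Kerberos file credential cache (format v4) that pulls out the TGT's
 * endtime, plus the per-session check a daemon would run before reusing its LDAP
 * connection. nss_ldap would get the same value from libkrb5 (krb5_cc_next_cred ->
 * creds.times.endtime); the hand parser lets this run without libkrb5. The sample
 * cache, principals, key and times below are constructed for the example. */
#include <stdint.h>
#include <string.h>
#define CC_V4 0x0504
typedef struct { const unsigned char *p; size_t left; int err; } cur_t; /* big-endian reader */
static uint32_t rd(cur_t *c, int n) {               /* n-byte big-endian integer */
    uint32_t v = 0;
    if (c->left < (size_t)n) { c->err = 1; c->left = 0; return 0; }
    for (int i = 0; i < n; i++) v = (v << 8) | *c->p++;
    c->left -= n;
    return v;
}
static const unsigned char *rd_data(cur_t *c, uint32_t *len) { /* 32-bit length + bytes */
    const unsigned char *d = NULL;
    *len = rd(c, 4);
    if (c->left < *len) { c->err = 1; c->left = 0; } else { d = c->p; c->p += *len; c->left -= *len; }
    return d;
}
/* Principal: name_type, ncomp, realm, components. Copies the first component out. */
static void rd_principal(cur_t *c, char *first, size_t first_sz) {
    uint32_t len, n;
    if (first) first[0] = '\0';
    rd(c, 4); n = rd(c, 4); rd_data(c, &len);       /* name type, count, realm */
    for (uint32_t i = 0; i < n && !c->err; i++) {
        const unsigned char *d = rd_data(c, &len);
        if (i == 0 && first && d) {
            size_t k = len < first_sz - 1 ? len : first_sz - 1;
            memcpy(first, d, k); first[k] = '\0';
        }
    }
}
static void skip_list(cur_t *c) {                   /* addresses/authdata: count, (type16, data)* */
    uint32_t len, n = rd(c, 4);
    for (uint32_t i = 0; i < n && !c->err; i++) { rd(c, 2); rd_data(c, &len); }
}
/* Walk the cache; store the krbtgt credential's endtime and return 0, or -1 if none/corrupt. */
int ccache_tgt_endtime(const unsigned char *buf, size_t len, uint32_t *endtime) {
    cur_t c = { buf, len, 0 };
    uint32_t hlen;
    if (rd(&c, 2) != CC_V4) return -1;
    hlen = rd(&c, 2);                               /* v4 header (clock offsets): skip it */
    if (c.err || c.left < hlen) return -1;
    c.p += hlen; c.left -= hlen;
    rd_principal(&c, NULL, 0);                      /* default principal */
    while (c.left > 0 && !c.err) {
        char server[64]; uint32_t dlen, end;
        rd_principal(&c, NULL, 0);                  /* client */
        rd_principal(&c, server, sizeof server);    /* server, e.g. krbtgt/REALM@REALM */
        rd(&c, 2); rd_data(&c, &dlen);              /* keyblock: enctype, key */
        rd(&c, 4); rd(&c, 4); end = rd(&c, 4);      /* authtime, starttime, endtime */
        rd(&c, 4); rd(&c, 1); rd(&c, 4);            /* renew_till, is_skey, ticket_flags */
        skip_list(&c); skip_list(&c);               /* addresses, authdata */
        rd_data(&c, &dlen); rd_data(&c, &dlen);     /* ticket, second_ticket */
        if (!c.err && strcmp(server, "krbtgt") == 0) { *endtime = end; return 0; }
    }
    return -1;
}
/* Per-connection state kept beside the LDAP handle: endtime of the TGT we bound with. */
typedef struct { uint32_t bound_endtime; } ldap_session_t;
/* Rebind when the bound ticket expires within 'skew' seconds, or when the on-disk
 * cache already holds a TGT with a later endtime (somebody else renewed it), i.e.
 * look at the cache before deciding to renew on the daemon's own schedule. */
int session_needs_rebind(const ldap_session_t *s, uint32_t now, uint32_t skew,
                         const unsigned char *cache, size_t cache_len) {
    uint32_t cur;
    if (s->bound_endtime <= now + skew) return 1;
    return ccache_tgt_endtime(cache, cache_len, &cur) == 0 && cur > s->bound_endtime;
}
/* ---- constructed sample: a v4 cache with one TGT, built in memory ---- */
static size_t wr(unsigned char *b, size_t o, uint64_t v, int n) {       /* big-endian write */
    for (int i = n - 1; i >= 0; i--) b[o++] = (unsigned char)(v >> (8 * i));
    return o;
}
static size_t wr_data(unsigned char *b, size_t o, const char *s) {
    size_t l = strlen(s); o = wr(b, o, l, 4); memcpy(b + o, s, l); return o + l;
}
static size_t wr_princ(unsigned char *b, size_t o, const char *realm, const char *c1, const char *c2) {
    o = wr(b, o, 1, 4); o = wr(b, o, 2, 4);         /* KRB5_NT_PRINCIPAL, two components */
    return wr_data(b, wr_data(b, wr_data(b, o, realm), c1), c2);
}
/* Writes about 240 bytes into b (size it >= 256); returns the cache length. */
size_t build_sample_ccache(unsigned char *b, uint32_t endtime) {
    size_t o = wr(b, 0, CC_V4, 2);
    o = wr(b, o, 12, 2); o = wr(b, o, 1, 2); o = wr(b, o, 8, 2); o = wr(b, o, 0, 8); /* DeltaTime hdr */
    o = wr_princ(b, o, "EXAMPLE.ORG", "host", "ldapd.example.org");     /* default principal */
    o = wr_princ(b, o, "EXAMPLE.ORG", "host", "ldapd.example.org");     /* cred: client */
    o = wr_princ(b, o, "EXAMPLE.ORG", "krbtgt", "EXAMPLE.ORG");         /* cred: server */
    o = wr(b, o, 17, 2); o = wr_data(b, o, "0123456789abcdef");          /* dummy enctype, key */
    o = wr(b, o, endtime - 36000, 4); o = wr(b, o, endtime - 36000, 4);  /* authtime, starttime */
    o = wr(b, o, endtime, 4); o = wr(b, o, endtime + 86400, 4);          /* endtime, renew_till */
    o = wr(b, o, 0, 1); o = wr(b, o, 0x40e10000u, 4);                    /* is_skey, ticket_flags */
    o = wr(b, o, 0, 4); o = wr(b, o, 0, 4);                              /* no addresses, no authdata */
    o = wr_data(b, o, "opaque-ticket-bytes");                            /* ticket */
    return wr(b, o, 0, 4);                                               /* empty second_ticket */
}
```

Reading the cache entry also addresses Markus's mtime doubt: a changed mtime only says the file was rewritten, whereas a later endtime in the krbtgt entry says the renewal actually landed, so the comparison in `session_needs_rebind` is what should drive the reconnect. In a real daemon the cache read would be done once at bind and then only when the stored endtime is close (or at most every few seconds), which keeps the per-lookup stat cost off the hot path.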