Re: [modauthkerb] How to use a received forwardable ticket
From: Yves M. <yve...@el...> - 2010-08-11 10:19:33
On Mon, 2010-08-09 at 18:05 -0700, Russ Allbery wrote:
> Andy Cobaugh <pha...@gm...> writes:
>
> > Only thing that made that work was adding in the call to
> > gss_krb5_ccache_name. Other functions like ldap_* seemed to want the
> > same thing. At this point we use cosign everywhere for applications that
> > want kerberos tickets, and cosign does properly call
> > gss_krb5_ccache_name (I think that's how I figured out what
> > mod_auth_kerb was missing).
>
> > However, if you're writing a CGI that just calls out the userland
> > commands, having KRB5CCNAME set in your environment is enough, but for
> > languages like PHP, and probably others, that link against things like
> > libldap and libc-client, adding in gss_krb5_ccache_name was the only way
> > I could make this work.
>
> Okay, this makes more sense. The difference is not real GSSAPI
> applications versus some other type, but rather that I bet mod_php is not
> exporting the KRB5CCNAME environment variable at the correct time, or LDAP
> connections are being cached, or something else is causing the GSSAPI
> context to be established during a time when KRB5CCNAME isn't set.

Thank you for your answers and details about native code behind PHP.

I have also found documentation about ticket saving by mod_auth_kerb and where the forwarded TGT is available:
http://modauthkerb.sourceforge.net/configure-4.x.html#saving

My code will be a PHP curl call to another Kerberos-enabled system (Java, simili web service) and my idea is to use the following php_krb5 module:
http://mbechler.eenterphace.org/blog/index.php?/archives/11-php_krb5-rc2.html
to append the authentication HTTP request header with TGS to the curl request.

Regards
--
Yves Martin