PERFORCE change 107762 for review
Michael Bushkov
bushman at FreeBSD.org
Thu Oct 12 07:31:47 PDT 2006
http://perforce.freebsd.org/chv.cgi?CH=107762
Change 107762 by bushman at bushman_nss_ldap_cached on 2006/10/12 14:30:24
+ support for krb5_ccname added (requires proper testing)
Affected files ...
.. //depot/projects/soc2006/nss_ldap_cached/src/lib/nss_ldap/ldapconf.h#12 edit
.. //depot/projects/soc2006/nss_ldap_cached/src/lib/nss_ldap/ldapconn.c#12 edit
.. //depot/projects/soc2006/nss_ldap_cached/src/lib/nss_ldap/ldapconn.h#13 edit
Differences ...
==== //depot/projects/soc2006/nss_ldap_cached/src/lib/nss_ldap/ldapconf.h#12 (text+ko) ====
==== //depot/projects/soc2006/nss_ldap_cached/src/lib/nss_ldap/ldapconn.c#12 (text+ko) ====
@@ -927,6 +927,10 @@
struct nss_ldap_configuration *conf,
struct nss_ldap_connection_error *err)
{
+#ifdef NSS_LDAP_USE_KRB5_CCNAME
+ char tempbuf[256];
+ char *ccname, *ccfile, *old_ccname;
+#endif
char *pw, *dn, *err_str;
int rv;
@@ -946,7 +950,7 @@
(void *)&err_str) != LDAP_SUCCESS)
err_str = NULL;
snprintf(err->description, NSS_LDAP_MAX_ERR_DESC_SIZE,
- "ldap_sasl_interactive_bind_s() error: %s; %s\n",
+ "ldap_get_option() error: %s; %s\n",
ldap_err2string(err->err_num),
err_str == NULL ? "" : err_str);
@@ -955,9 +959,55 @@
return (NSS_LDAP_CONNECTION_ERROR);
}
}
+
+#ifdef NSS_LDAP_USE_KRB5_CCNAME
+ ccname = __nss_ldap_conf->krb5_ccname;
+ if (ccname != NULL) {
+ /*
+ * If krb5_ccname points to a file, we should check it is exists -
+ * this idea was suggested by Howard Wilkinson. This check, for
+ * example, allows the caching daemon to use the specified
+ * credentials cache, whenever all other unpriviledged applications
+ * will use their own credentials cache.
+ */
+ if ((strncasecmp(ccname, "FILE:", sizeof("FILE:") - 1) == 0)
+ || (strncasecmp(ccname, "WRFILE:", sizeof("WRFILE:") - 1)
+ == 0)) {
+ char *ccfile;
+ ccfile = strchr(ccname, ':') + 1;
+ if (access(ccfile, R_OK) != 0) {
+ __nss_ldap_log(NSS_LDAP_LL_DEBUG_INT,
+ "ccache file (%s) is inaccessible, "
+ "krb5_ccname is \"%s\"", ccname);
+ ccname = NULL;
+ }
+ }
+
+ if (ccname != NULL) {
+ old_ccname = getenv("KRB5CCNAME");
+ strncpy(tempbuf, old_ccname, sizeof(old_tempbuf) - 1);
+
+ if (setenv("KRB5CCNAME",
+ __nss_ldap_conf->krb5_ccname, 1) != 0) {
+ ccname = NULL;
+ __nss_ldap_log(NSS_LDAP_LL_WARN,
+ "setenv(\"KRB5CCNAME\", ...) failed");
+ }
+ }
+ }
+#endif /* NSS_LDAP_USE_KRB5_CCNAME */
rv = ldap_sasl_interactive_bind_s(conn->ld, dn, "GSSAPI", NULL, NULL,
LDAP_SASL_QUIET, nss_ldap_sasl_interact, pw);
+
+#ifdef NSS_LDAP_USE_KRB5_CCNAME
+ if (ccname != NULL)
+ if (setenv("KRB5CCNAME", tempbuf, 1) != 0)
+ __nss_ldap_log(NSS_LDAP_LL_WARN,
+ "setenv(\"KRB5CCNAME\", ...) failed while restoring "
+ "original value");
+#endif /* NSS_LDAP_USE_KRB5_CCNAME */
+
if (rv != LDAP_SUCCESS) {
err->err_num = rv;
if (ldap_get_option(conn->ld, LDAP_OPT_ERROR_STRING,
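Review bot: The save/restore of KRB5CCNAME around the bind neither compiles nor is safe: `sizeof(old_tempbuf)` names an identifier that is never declared (the buffer declared in the first hunk is `tempbuf`), `getenv()` may return NULL which `strncpy` then dereferences, `strncpy` leaves `tempbuf` unterminated when the value fills it, and a variable that was unset before the bind is "restored" as whatever `tempbuf` holds instead of being unset again. The debug message after the `access()` failure supplies one argument for two `%s` conversions and should read `"ccache file (%s) is inaccessible, krb5_ccname is \"%s\"", ccfile, ccname`; the inner `char *ccfile;` also shadows the one declared in the first hunk, so one of them should go. Below is a rewrite of the save/override/restore sequence that copies with snprintf, declines to override when the original value cannot be saved intact, and uses unsetenv() on the way back. Note also that setenv()/unsetenv() change process-global state from inside an NSS module that any multithreaded program may load, so a concurrent getenv() in another thread can observe the temporary value; whether that is acceptable here should be settled during the testing the description calls for. The enclosing function begins before the first hunk and its body continues past the end of this one.
```c
		if (ccname != NULL) {
			old_ccname = getenv("KRB5CCNAME");
			/* snprintf always NUL-terminates; if the old value
			 * does not fit we cannot restore it, so do not override */
			if (old_ccname != NULL &&
			    snprintf(tempbuf, sizeof(tempbuf), "%s", old_ccname)
			    >= (int)sizeof(tempbuf)) {
				__nss_ldap_log(NSS_LDAP_LL_WARN,
				    "KRB5CCNAME too long to save; not overriding");
				ccname = NULL;
			} else if (setenv("KRB5CCNAME", ccname, 1) != 0) {
				ccname = NULL;
				__nss_ldap_log(NSS_LDAP_LL_WARN,
				    "setenv(\"KRB5CCNAME\", ...) failed");
			}
		}
	}
#endif /* NSS_LDAP_USE_KRB5_CCNAME */
	/* … unchanged: ldap_sasl_interactive_bind_s() call … */
#ifdef NSS_LDAP_USE_KRB5_CCNAME
	if (ccname != NULL) {
		/* the variable may not have existed before the bind */
		if (old_ccname == NULL)
			unsetenv("KRB5CCNAME");
		else if (setenv("KRB5CCNAME", tempbuf, 1) != 0)
			__nss_ldap_log(NSS_LDAP_LL_WARN,
			    "setenv(\"KRB5CCNAME\", ...) failed while restoring "
			    "original value");
	}
#endif /* NSS_LDAP_USE_KRB5_CCNAME */
```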
==== //depot/projects/soc2006/nss_ldap_cached/src/lib/nss_ldap/ldapconn.h#13 (text+ko) ====