diff -Nru nss_ldap-253/ldap.conf nss_ldap-253.new/ldap.conf
--- nss_ldap-253/ldap.conf	2006-09-13 01:42:08.000000000 -0500
+++ nss_ldap-253.new/ldap.conf	2006-11-12 20:44:08.653693184 -0600
@@ -308,6 +308,9 @@
 # Disable SASL security layers. This is needed for AD.
 #sasl_secprops maxssf=0
 
-# Override the default Kerberos ticket cache location.
+# Override the default Kerberos ticket cache location for all users.
 #krb5_ccname FILE:/etc/.ldapcache
-
+# Override the default Kerberos ticket cache location for root.
+#root_krb5_ccname FILE:/etc/.ldapcache-root
+# Override the default Kerberos ticket cache location for non-root users.
+#user_krb5_ccname FILE:/etc/.ldapcache-user
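Review bot: The sample comments for `root_krb5_ccname` and `user_krb5_ccname` say nothing about who must be able to read each cache file. Going by the man page text in this patch, one `user_krb5_ccname` file serves every process with a nonzero effective UID, so it presumably has to be readable by all local users, and any of them could then reuse the credentials stored in it. I would add a comment above the `user_krb5_ccname` line such as `# This cache is shared by all non-root users and must be readable by them; store only a low-privilege lookup principal here.` I would also add one above `root_krb5_ccname` such as `# Keep this file owned by root with mode 0600.` The comments should also say which key wins when `krb5_ccname` is set together with one of the new keys.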
diff -Nru nss_ldap-253/ldap-nss.c nss_ldap-253.new/ldap-nss.c
--- nss_ldap-253/ldap-nss.c	2006-09-13 01:42:08.000000000 -0500
+++ nss_ldap-253.new/ldap-nss.c	2006-11-08 23:13:03.362734000 -0600
@@ -1814,7 +1814,7 @@
       char tmpbuf[256];
       static char envbuf[256];
 # endif
-      char *ccname;
+      char *ccname = NULL;
       const char *oldccname = NULL;
       int retval;
 # endif	/* CONFIGURE_KRB5_CCNAME */
@@ -1837,6 +1837,17 @@
       if (__config->ldc_krb5_ccname != NULL)
 	{
 	  ccname = __config->ldc_krb5_ccname;
+	}
+      else if (geteuid () == 0 && __config->ldc_root_krb5_ccname != NULL)
+	{
+	  ccname = __config->ldc_root_krb5_ccname;
+	}
+      else if (geteuid () != 0 && __config->ldc_user_krb5_ccname != NULL)
+	{
+	  ccname = __config->ldc_user_krb5_ccname;
+	}
+      if (ccname != NULL)
+	{
 # ifdef CONFIGURE_KRB5_CCNAME_ENV
 	  oldccname = getenv ("KRB5CCNAME");
 	  if (oldccname != NULL)
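Review bot: The new `else if` chain tests `__config->ldc_krb5_ccname` first, so whenever the generic `krb5_ccname` key is set, `ldc_root_krb5_ccname` and `ldc_user_krb5_ccname` are never consulted. The comment this patch adds in ldap-nss.h ("only used if the next two items are unused") describes the opposite precedence. If that comment reflects the intent, the euid-specific branches should come first with the generic name as the fallback, as in the fence below; otherwise the header comment and ldap.conf should state that the generic key wins. As written, an administrator who sets a root-only cache alongside a generic one would have root processes quietly using the shared cache. The enclosing function starts and ends outside this hunk.

```c
      if (geteuid () == 0 && __config->ldc_root_krb5_ccname != NULL)
	{
	  ccname = __config->ldc_root_krb5_ccname;
	}
      else if (geteuid () != 0 && __config->ldc_user_krb5_ccname != NULL)
	{
	  ccname = __config->ldc_user_krb5_ccname;
	}
      else if (__config->ldc_krb5_ccname != NULL)
	{
	  ccname = __config->ldc_krb5_ccname;
	}
      if (ccname != NULL)
	{
	  /* … unchanged: KRB5CCNAME save and override … */
```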
diff -Nru nss_ldap-253/ldap-nss.h nss_ldap-253.new/ldap-nss.h
--- nss_ldap-253/ldap-nss.h	2006-09-13 01:42:08.000000000 -0500
+++ nss_ldap-253.new/ldap-nss.h	2006-11-08 22:59:16.837385000 -0600
@@ -361,8 +361,13 @@
   int ldc_debug;
   int ldc_pagesize;
 #ifdef CONFIGURE_KRB5_CCNAME
-  /* krb5 ccache name */
+  /* krb5 ccache name for all users */
+  /* only used if the next two items are unused */
   char *ldc_krb5_ccname;
+  /* krb5 ccache name for root */
+  char *ldc_root_krb5_ccname;
+  /* krb5 ccache name for non-root */
+  char *ldc_user_krb5_ccname;
 #endif /* CONFIGURE_KRB5_CCNAME */
   /*
    * attribute/objectclass maps relative to this config
diff -Nru nss_ldap-253/nss_ldap.5 nss_ldap-253.new/nss_ldap.5
--- nss_ldap-253/nss_ldap.5	2006-09-13 01:42:08.000000000 -0500
+++ nss_ldap-253.new/nss_ldap.5	2006-11-12 20:44:30.841320152 -0600
@@ -341,6 +341,20 @@
 is built with configurable GSS-API credentials cache name support,
 specifies the Kerberos credentials cache to use.
 .TP
+.B root_krb5_ccname <PREFIX:args>
+If
+.B nss_ldap
+is built with configurable GSS-API credentials cache name support,
+specifies the Kerberos credentials cache to use when the effective user
+ID is zero.
+.TP
+.B user_krb5_ccname <PREFIX:args>
+If
+.B nss_ldap
+is built with configurable GSS-API credentials cache name support,
+specifies the Kerberos credentials cache to use when the effective user
+ID is nonzero.
+.TP
 .B nss_paged_results <yes|no>
 .BR
 Enables support for paged results.
diff -Nru nss_ldap-253/util.c nss_ldap-253.new/util.c
--- nss_ldap-253/util.c	2006-09-13 01:42:08.000000000 -0500
+++ nss_ldap-253.new/util.c	2006-11-08 23:00:04.108198000 -0600
@@ -647,6 +647,8 @@
   result->ldc_pagesize = LDAP_PAGESIZE;
 #ifdef CONFIGURE_KRB5_CCNAME
   result->ldc_krb5_ccname = NULL;
+  result->ldc_root_krb5_ccname = NULL;
+  result->ldc_user_krb5_ccname = NULL;
 #endif /* CONFIGURE_KRB5_CCNAME */
   result->ldc_flags = 0;
 #ifdef RFC2307BIS
@@ -1035,6 +1037,14 @@
 	{
 	  t = &result->ldc_krb5_ccname;
 	}
+      else if (!strcasecmp (k, NSS_LDAP_KEY_ROOT_KRB5_CCNAME))
+	{
+	  t = &result->ldc_root_krb5_ccname;
+	}
+      else if (!strcasecmp (k, NSS_LDAP_KEY_USER_KRB5_CCNAME))
+	{
+	  t = &result->ldc_user_krb5_ccname;
+	}
 #endif /* CONFIGURE_KRB5_CCNAME */
       else if (!strcasecmp (k, "tls_checkpeer"))
 	{
diff -Nru nss_ldap-253/util.h nss_ldap-253.new/util.h
--- nss_ldap-253/util.h	2006-09-13 01:42:08.000000000 -0500
+++ nss_ldap-253.new/util.h	2006-11-08 23:13:04.768520000 -0600
@@ -77,6 +77,8 @@
 #define NSS_LDAP_KEY_SASL_SECPROPS      "sasl_secprops"
 #ifdef CONFIGURE_KRB5_CCNAME
 #define NSS_LDAP_KEY_KRB5_CCNAME        "krb5_ccname"
+#define NSS_LDAP_KEY_ROOT_KRB5_CCNAME   "root_krb5_ccname"
+#define NSS_LDAP_KEY_USER_KRB5_CCNAME   "user_krb5_ccname"
 #endif /* CONFIGURE_KRB5_CCNAME */
 #define NSS_LDAP_KEY_LOGDIR		"logdir"
 #define NSS_LDAP_KEY_DEBUG		"debug"
