On 05/08/2013 03:05 AM, Bernardo Pastorelli wrote:
> I read about using the DIR cache or setting environment variables to use
> different caches, one for each user. But I was wondering if it is possible to
> avoid all of this, and simply not have a cache, but maintain all the tickets
> in memory.
> The idea is to create the tickets using the Kerberos APIs, not storing them
> in cache but simply keeping them in my process memory. And then pass these
> tickets to the LDAP functions to connect to the LDAP server.
This should be possible using memory ccaches, though I'm not aware of any sample code. The outline would be:

1. Create a krb5_context with krb5_init_context.

2. Create a memory ccache with krb5_cc_new_unique (with type "MEMORY" and hint NULL).

3. Fetch tickets into the ccache.
   - The old way is to do krb5_get_init_creds_password and then krb5_cc_store_cred.
   - The new way (requires MIT krb5 1.8+) is to create a krb5_get_init_creds_opt structure with krb5_get_init_creds_opt_alloc, then call krb5_get_init_creds_opt_set_out_ccache with the ccache handle, then call krb5_get_init_creds_password. The new way allows the library to write config values into the cache such as "the KDC supports FAST," but it's not critical to making things work.

4. Acquire GSSAPI creds from the ccache.
   - The old way is to call gss_krb5_ccache_name before the gss_acquire_cred call, to set a thread-specific global variable.
   - The new way (requires MIT krb5 1.9+) is to use gss_krb5_import_cred.

5. At this point we're at step (b) in Nico's instructions for using the DIR ccache. Call ldap_int_sasl_set_option with LDAP_OPT_X_SASL_GSS_CREDS as Nico suggested in his response, and then call ldap_sasl_bind_s.

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
