[ Hope this isn't too off topic for this list... ]

At long last the most recent versions of Authen::SASL::Cyrus seem to work properly (allowing me to write scripts that do GSSAPI authenticated binds when connecting to an LDAP server).

But I'm having a bit of trouble in trying to get Authen::SASL::Cyrus to work *usefully* with GSSAPI while running under mod_perl. The problem is that when mod_perl compiles the script (as the apache user) it calls out to libsasl and libgssapi_krb5 (et al) and consequently embeds the credential cache location, specified in $ENV{KRB5CCNAME}, in the compiled script. In other words the compiled script always looks for the Kerberos credential cache in the apache user's $ENV{KRB5CCNAME}.

This would be OK if my web application wasn't trying to authenticate to LDAP using credentials *other* than those in the apache user's $ENV{KRB5CCNAME}. I'm using a web single sign-on system (umich's cosign) that can retrieve a Kerberos ticket for a user.

As far as I can tell there isn't a way to specify a credential cache with Authen::SASL::Cyrus (or is there?). Has anyone had some experience with this sort of issue?

Ben