On 19 Jun 2008, at 19:17, Dominic Hargreaves wrote:
I'm using a web single signon system (umich's cosign) that can retrieve
a kerberos ticket for a user. As far as I can tell there isn't a way to
specify a credential cache with Authen::SASL::Cyrus (or is there?).
If you're using cosign, you want to use CosignKerberosSetupGss On
I'll explain why below...
I've just hit this same problem getting our mod_perl application to use
a credcache as specified by
PerlSetEnv KRB5CCNAME
The application ends up trying to use root's KRB5CCNAME instead (as the
server is started as root).
Was this problem ever solved before? I can't see any way round this
currently.
The problem is that the first time a process calls into MIT's GSSAPI
library, it caches the current KRB5CCNAME variable. Later changes to
that variable won't be noticed by the library, unless the process
calls gss_krb5_ccache_name() to register the new name of the
credentials cache. I'm not sure if anything currently provides perl
bindings for this function.
It's this magic that cosign performs when you set CosignKerberosSetupGss
S.
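
The call described in the message above, as an added example that is not part of the original e-mail or of cosign: Python's ctypes invoking MIT's gss_krb5_ccache_name() so a long-running worker can point the library at a per-request credential cache and put the previous name back afterwards. The helper names (load_gssapi, set_ccache, request_ccache) are assumptions made for this illustration.

```python
import ctypes
import ctypes.util
from contextlib import contextmanager

GSS_S_COMPLETE = 0


def load_gssapi():
    """Load MIT's GSSAPI library and declare gss_krb5_ccache_name()."""
    path = ctypes.util.find_library("gssapi_krb5")
    if path is None:
        raise OSError("MIT libgssapi_krb5 not found")
    fn = ctypes.CDLL(path).gss_krb5_ccache_name
    # OM_uint32 gss_krb5_ccache_name(OM_uint32 *minor_status,
    #                                const char *name, const char **out_name)
    fn.argtypes = [ctypes.POINTER(ctypes.c_uint32), ctypes.c_char_p,
                   ctypes.POINTER(ctypes.c_char_p)]
    fn.restype = ctypes.c_uint32
    return fn


def set_ccache(fn, name):
    """Register `name` with the library; return the name it replaced."""
    minor = ctypes.c_uint32(0)
    old = ctypes.c_char_p()
    raw = name.encode() if name is not None else None  # NULL = default
    major = fn(ctypes.byref(minor), raw, ctypes.byref(old))
    if major != GSS_S_COMPLETE:
        raise OSError(f"gss_krb5_ccache_name: major={major} "
                      f"minor={minor.value}")
    # .value copies the string; the pointer itself belongs to the library.
    return old.value.decode() if old.value else None


@contextmanager
def request_ccache(fn, name):
    """Use `name` for one request, then restore the earlier cache name
    so the next request in this process does not inherit it."""
    previous = set_ccache(fn, name)
    try:
        yield previous
    finally:
        set_ccache(fn, previous)
```

Changing KRB5CCNAME in os.environ after the library's first call would not have this effect, which is the behaviour the message describes.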