On Thu, Jun 19, 2008 at 08:27:26PM +0100, Simon Wilkinson wrote:
>
> On 19 Jun 2008, at 19:17, Dominic Hargreaves wrote:
>
>> I'm using a web single sign-on system (umich's cosign) that can
>> retrieve a kerberos ticket for a user. As far as I can tell there
>> isn't a way to specify a credential cache with Authen::SASL::Cyrus
>> (or is there?).
>
> If you're using cosign, you want to use CosignKerberosSetupGss On
> I'll explain why below...

I'm not using cosign. I'm maintaining some creds with k5start so that our
mod_perl application can authenticate to an LDAP server with GSSAPI.

> The problem is that the first time a process calls into MIT's GSSAPI
> library, it caches the current KRB5CCNAME variable. Later changes to
> that variable won't be noticed by the library, unless the process
> calls gss_krb5_ccache_name() to register the new name of the
> credentials cache. I'm not sure if anything currently provides perl
> bindings for this function.

Thanks for the info. Am I doing anything particularly bizarre here? How do
other people maintain krb5 credentials for the benefit of mod_perl webapps?

It's not going to be practical to change the app from being mod_perl - on
the other hand we can *probably* get away with setting KRB5CCNAME in the
environment of the initial Apache process, which is a fairly nasty hack,
but ought to do.

Thanks,
Dominic.

--
Dominic Hargreaves, Systems Development and Support Team
Computing Services, University of Oxford