Re: [PATCH] GSSAPI credentials

From: Howard Chu (no email)
Date: Tue May 11 2010 - 12:53:35 EDT

  • Next message: Alexey Melnikov: "Re: [PATCH] GSSAPI credentials"

    Alexey Melnikov wrote:
    > Howard Chu wrote:
    >
    >> Alexey Melnikov wrote:
    >>
    >>> Howard Chu wrote:
    >>>
    >>>> This patch implements the SASL_GSS_CREDS property, which was defined
    >>>> in sasl.h back in 2005.
    >>>>
    >>>> http://asg.andrew.cmu.edu/archive/message.php?mailbox=archive.cyrus-sasl&searchterm=sasl_gss_creds&msg=7600
    >>>>
    >>>>
    >>>>
    >>>> Applications need this functionality to make use of Kerberos
    >>>> Services4User features.
    >>>>
    >>>> http://k5wiki.kerberos.org/wiki/Projects/Services4User
    >>>>
    >>>> Setting the credential in the SASL client will allow it to use an
    >>>> S4U2Proxy credential, among other things.
    >>>>
    >>>> Additional patches will still be needed to allow a SASL server to take
    >>>> advantage of this feature, as mentioned in my previous email. But this
    >>>> is a small first step just to get the ball rolling.
    >>>
    >>> Hi Howard,
    >>> This looks fine, but let me ask some questions on your patch:

    >>> What about updating sasl_getprop() to match?
    >>
    >> Sure. I didn't think it was too important since the calling app is the
    >> only thing that can set it, it must already have it.
    >
    > Let's make everything symmetrical, if it is easy. Pretty much all props
    > that can be set are also retrievable with sasl_getprop().

    OK. Assuming you only meant to retrieve the previously-set cred, this patch
    will do. If you mean to retrieve whatever cred got used, including e.g. what
    the server obtained through gss_acquire_cred() that gets a bit trickier; need
    to worry about who disposes of it and such.

    >>>> Index: plugins/gssapi.c
    >>>> ===================================================================
    >>>> RCS file: /cvs/src/sasl/plugins/gssapi.c,v
    >>>> retrieving revision 1.109
    >>>> diff -u -r1.109 gssapi.c
    >>>> --- plugins/gssapi.c 24 Feb 2010 22:41:18 -0000 1.109
    >>>> +++ plugins/gssapi.c 10 May 2010 08:04:24 -0000
    >>>> @@ -657,6 +657,7 @@
    >>>> OM_uint32 max_input;
    >>>> gss_buffer_desc name_token;
    >>>> int ret, out_flags = 0 ;
    >>>> + gss_cred_id_t server_creds = params->gss_creds;
    >>>
    >>> GSS_C_NO_CREDENTIAL is defined as "((gss_cred_id_t) 0)" in RFC 2744, so
    >>> no extra initialization is needed.
    >>
    >> This is not simply initialization, it's retrieving the value that a
    >> caller set, if any.
    >
    > I was talking about the case when the application doesn't set anything.
    > I think the plugin should work as before your change. I think it does, I
    > was mostly talking aloud to convince myself that that was the case.

    OK. Yes, no extra init is needed.

    >>> Have you compiled this change against both MIT and Heimdal?
    >>
    >> Yes, using MIT Kerb 1.8.1 and Heimdal 1.2.1. (Not the latest Heimdal I
    >> know, but I don't think this is particularly version dependent.)
    >
    > Ok, great. That is good enough.

    -- 
       -- Howard Chu
       CTO, Symas Corp.           http://www.symas.com
       Director, Highland Sun     http://highlandsun.com/hyc/
       Chief Architect, OpenLDAP  http://www.openldap.org/project/
    
    



  • Next message: Alexey Melnikov: "Re: [PATCH] GSSAPI credentials"





    Hosted Email Solutions

    Invaluement Anti-Spam DNSBLs



    Powered By FreeBSD   Powered By FreeBSD