* Andrew Deason ([EMAIL PROTECTED]) wrote:
> Suppose I want to use krb5_ccname and SASL, so I can have a host
> authenticate with its host principal from a keytab. However, I don't want
> normal users to be able to read the host principal keytab; I just want
> libnss-ldap to use their own kerberos credentials. If I specify krb5_ccname
> in /etc/libnss-ldap.conf, and the file is not readable to the user, it just
> fails. This patch makes libnss-ldap attempt to try authenticating again with
> the unchanged ccache if the modified ccache fails for whatever reason. It
> appears to work on a test machine. (I.e. it falls back to user credentials if
> the krb5_ccname credentials fail.)
In general I like this idea but I'm not sure about its implementation. It strikes me as rather excessive to attempt multiple binds in this way and to cause that extra load on the server. Also, it may hide other real problems beyond permissions on the ccache.

How about just attempting to open the modified ccache? If you can't open it then it's not very likely to work and you can switch to the unmodified one.

Thanks!

Stephen
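The selection logic proposed in the reply, written out as an added shell example (not code from the patch or from libnss-ldap): the configured krb5_ccname is used only if the cache it names can actually be opened by the current user, otherwise the caller's unchanged ccache is kept, so no second bind is attempted. The function name and the handling of cache types without a filesystem path are assumptions for this illustration.

```shell
#!/bin/sh
# Added example, not part of libnss-ldap. Mirrors the suggestion in the
# reply: probe the configured ccache before switching to it, and keep the
# caller's own ccache when the probe fails (e.g. not readable by this user).
#
# choose_ccache CONFIGURED_CCNAME CURRENT_CCNAME
# Prints the ccache name the LDAP bind should use.
choose_ccache() {
    configured=$1
    current=$2

    # No krb5_ccname configured: there is nothing to switch to.
    [ -n "$configured" ] || { printf '%s\n' "$current"; return 0; }

    case $configured in
        FILE:*|WRFILE:*|DIR:*)
            # Residency types that name a path we can probe for readability.
            path=${configured#*:}
            path=${path#:}            # DIR::/path selects one file in a collection
            ;;
        /*)
            path=$configured          # a bare path means FILE: (assumed default)
            ;;
        *)
            # KEYRING:, MEMORY: and similar have no path to probe; we cannot
            # cheaply tell whether they are usable, so hand them to the library.
            printf '%s\n' "$configured"
            return 0
            ;;
    esac

    if [ -r "$path" ]; then
        printf '%s\n' "$configured"   # openable: use the host credentials
    else
        printf '%s\n' "$current"      # fall back to the unchanged user ccache
    fi
}

# Constructed demo: the configured cache does not exist, so the user's
# ccache is kept without ever attempting a bind with the host one.
choose_ccache "FILE:/nonexistent/krb5cc_host" "FILE:/tmp/krb5cc_1000"
```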