[Freeipa-devel] Notes on server to server sasl

Simo Sorce ssorce at redhat.com
Fri Oct 31 15:16:42 UTC 2008


On Fri, 2008-10-31 at 08:51 -0600, Rich Megginson wrote:
> Simo Sorce wrote:

> > 1. if the connections are long lived you could decide to always acquire
> > a new TGT before trying to establish a connection.
> >   
> I decided to take this approach.  The connections are relatively long 
> lived and infrequently acquired.

Just one thing. Depending on kerberos libraries, if you run past the
credential expiration the connection may be dropped. I assume that is
not a problem as a connection may always be dropped for whatever reason
and I assume DS already has code to handle the situation in these
cases.

> > 2. if connections are frequent, you might decide to check before a
> > connection if credentials are still valid and renew if not.
> >   
> Is there a way to do this without actually attempting to authenticate?  
> I've tried the validation functions, but I get an error from the KDC to 
> the effect of "validation is not permitted".

The credential cache contains the expiration date of the credentials,
you should be able to check without contacting the KDC (and we do not
want to contact the KDC at all, unless we need to acquire a ticket).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
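As an added example (not code from 389 Directory Server, FreeIPA, or anyone in this thread), the check Simo describes above, done offline against the credential cache: read the cached TGT's endtime and decide whether to re-acquire before connecting, without any KDC traffic. It assumes an MIT krb5 FILE ccache in format version 4 (the layout in the krb5 "Credential cache file format" documentation) and a hypothetical realm EXAMPLE.COM; the sample ccache bytes are constructed inside the script. From C against libkrb5 the same walk is krb5_cc_start_seq_get / krb5_cc_next_cred / krb5_cc_end_seq_get, reading creds.times.endtime, which likewise never contacts the KDC.

```python
"""Offline check of a Kerberos credential cache for a still-valid TGT.

Added example, not code from 389 Directory Server or FreeIPA.  It parses
the MIT krb5 FILE ccache format, version 4 (big-endian integers, 32-bit
length-prefixed octet strings), using only the standard library, so a
client can decide whether to re-acquire a TGT before opening a connection
without talking to the KDC.  The sample ccache is constructed below.
"""
import struct
import time

CACHECONF_REALM = "X-CACHECONF:"   # pseudo-realm krb5 uses for config entries


class _Reader:
    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated ccache")
        self.pos += n
        return self.data[self.pos - n:self.pos]

    def u8(self):
        return self.take(1)[0]

    def u16(self):
        return struct.unpack(">H", self.take(2))[0]

    def u32(self):
        return struct.unpack(">I", self.take(4))[0]

    def octets(self):
        return self.take(self.u32())

    def principal(self):
        """v4 principal: name_type, ncomponents, realm, components."""
        self.u32()
        ncomp = self.u32()
        realm = self.octets().decode()
        return [self.octets().decode() for _ in range(ncomp)], realm


def iter_credentials(blob):
    """Yield (client, server, endtime, renew_till) for each cached credential."""
    r = _Reader(blob)
    if r.u16() != 0x0504:
        raise ValueError("only ccache format version 4 is handled here")
    r.take(r.u16())                 # header fields (DeltaTime); not needed
    r.principal()                   # default client principal
    while r.pos < len(blob):
        client, server = r.principal(), r.principal()
        r.u16()                     # keyblock enctype
        r.octets()                  # keyblock contents
        _authtime, _starttime, endtime, renew_till = [r.u32() for _ in range(4)]
        r.u8()                      # is_skey
        r.u32()                     # ticket_flags
        for _ in range(r.u32()):    # addresses: addrtype + octets
            r.u16(); r.octets()
        for _ in range(r.u32()):    # authdata: ad_type + octets
            r.u16(); r.octets()
        r.octets()                  # ticket
        r.octets()                  # second_ticket
        yield client, server, endtime, renew_till


def tgt_endtime(blob, realm):
    """Endtime (Unix seconds) of the TGT for realm, or None if none is cached."""
    for _client, (comps, srealm), endtime, _renew in iter_credentials(blob):
        if srealm == CACHECONF_REALM:      # config entry, not a ticket
            continue
        if comps == ["krbtgt", realm] and srealm == realm:
            return endtime
    return None


def needs_new_tgt(blob, realm, now=None, margin=300):
    """True if no TGT for realm is cached or it expires within margin seconds."""
    now = time.time() if now is None else now
    endtime = tgt_endtime(blob, realm)
    return endtime is None or endtime - now < margin


# ---- constructed sample ccache (not taken from any real system) -------------
def _octets(b):
    return struct.pack(">I", len(b)) + b


def _principal(comps, realm):
    out = struct.pack(">II", 1, len(comps)) + _octets(realm.encode())
    return out + b"".join(_octets(c.encode()) for c in comps)


def _cred(client, server, endtime):
    return (_principal(*client) + _principal(*server)
            + struct.pack(">H", 18) + _octets(b"\x00" * 32)      # aes256 key (dummy)
            + struct.pack(">IIII", 0, 0, endtime, endtime)       # auth/start/end/renew_till
            + b"\x00" + struct.pack(">I", 0x40e10000)            # is_skey, ticket_flags
            + struct.pack(">II", 0, 0)                           # no addresses, no authdata
            + _octets(b"dummy-ticket") + _octets(b""))


def build_sample_ccache(realm, endtime):
    """Hypothetical cache for ldap/ds1.example.com: config entry, TGT, service ticket."""
    client = (["ldap", "ds1.example.com"], realm)
    header = struct.pack(">HH", 0x0504, 12) + struct.pack(">HHii", 1, 8, 0, 0)
    tgt = (["krbtgt", realm], realm)
    conf = (["krb5_ccache_conf_data", "fast_avail", "krbtgt/%s@%s" % (realm, realm)],
            CACHECONF_REALM)
    svc = (["ldap", "ds2.example.com"], realm)
    return (header + _principal(*client)
            + _cred(client, conf, 0)                      # config entry, must be skipped
            + _cred(client, tgt, endtime)
            + _cred(client, svc, endtime - 3600))         # service ticket, not the TGT
```

Two practical points the code encodes: config entries (server realm X-CACHECONF:) live in the same cache and must be skipped rather than treated as tickets, and the comparison uses a margin rather than the bare endtime, so a connection started just before expiry is not torn down moments later. This only works for FILE caches; for DIR or KEYRING caches, or from inside a C server, use the libkrb5 iteration calls named above instead of reading bytes.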
