[Fedora-directory-devel] Please review: Bug 469261 - Support server-to-server SASL - better kerberos improvements

Rich Megginson rmeggins at redhat.com
Fri Nov 7 23:34:41 UTC 2008


https://bugzilla.redhat.com/show_bug.cgi?id=469261
Resolves: bug 469261
Bug Description: Support server-to-server SASL - kerberos improvements
Reviewed by: ???
Files: see diff
Branch: HEAD
Fix Description: I made several improvements to the kerberos code at
Simo's suggestion.
First look for the principal in the ccache.  If not found, use the
username if it does not look like a DN.  If still not found, construct a
principal using the krb5_sname_to_principal() function to construct
"ldap/fqdn@REALM".
Next, see if the credentials for this principal are still valid.  In
order to grab the credentials from the ccache, I needed to construct the
server principal, which in this case is the TGS service principal (e.g.
krbtgt/REALM@REALM).  If the credentials are present and not expired,
then the code assumes they are ok and does not acquire new credentials.
If the credentials are expired or not found, the code will then use the
keytab to authenticate.
Based on more feedback from Simo, I made some additional changes:
* Go ahead and reacquire the creds if they have expired or will expire
in 30 seconds - this is not configurable but could be made to be - 30
seconds should be long enough so that the credentials will not expire by
the time they are actually used deep in the ldap/sasl/gssapi/krb code,
and short enough so that this won't cause unnecessary credential churn
* Retry the bind in the case of "Ticket expired".  There is no way that I
can see to get the actual error code - fortunately the extended ldap
error message has this information
Platforms tested: Fedora 8, Fedora 9
Flag Day: no
Doc impact: no
https://bugzilla.redhat.com/attachment.cgi?id=322914&action=diff
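The decision chain described in the post (principal selection, the 30-second expiry margin, and the retry on "Ticket expired"), as an added C model that is not code from the patch under review; it does not call libkrb5, and the ccache stand-in structure, the DN heuristic and the constant names are assumptions made here:

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Hypothetical model of the credential decisions the post describes.
 * It does not touch a real ccache or keytab; names are assumptions. */
#define CRED_EXPIRY_MARGIN 30 /* seconds before expiry at which creds are reacquired */

/* Constructed stand-in for what is read from the credential cache. */
struct ccache_state {
    const char *principal;   /* default principal in the ccache, or NULL if none */
    bool have_tgt;           /* creds for krbtgt/REALM@REALM were found */
    time_t tgt_endtime;      /* expiry time of those creds */
};

/* Assumed heuristic: an identity containing '=' (uid=...,dc=...) is a DN, not a principal. */
static bool looks_like_dn(const char *s)
{
    return s != NULL && strchr(s, '=') != NULL;
}

/* Principal selection: ccache first, then the username unless it is a DN,
 * otherwise the ldap/fqdn@REALM form that krb5_sname_to_principal() would build. */
void choose_principal(const struct ccache_state *cc, const char *username,
                      const char *fqdn, const char *realm, char *out, size_t outlen)
{
    if (cc->principal != NULL)
        snprintf(out, outlen, "%s", cc->principal);
    else if (username != NULL && !looks_like_dn(username))
        snprintf(out, outlen, "%s", username);
    else
        snprintf(out, outlen, "ldap/%s@%s", fqdn, realm);
}

/* Reacquire from the keytab when no TGT is cached or it expires within the margin. */
bool must_reacquire(const struct ccache_state *cc, time_t now)
{
    return !cc->have_tgt || cc->tgt_endtime <= now + CRED_EXPIRY_MARGIN;
}

/* The bind result code does not expose the Kerberos error, so the retry decision
 * is keyed on the extended LDAP error message instead. */
bool should_retry_bind(int ldap_rc, const char *ext_error)
{
    return ldap_rc != 0 && ext_error != NULL && strstr(ext_error, "Ticket expired") != NULL;
}
```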