Re: KTH support for openldap
On Thu, 30 Sep 1999, Kurt D. Zeilenga wrote:
> At 04:01 PM 9/30/99 -0700, Booker Bense wrote:
> >[ My horror at the suggested use of AFS krb libraries deleted]
> >> All true. I wouldn't suggest supporting the use of AFS Kerberos
> >> libraries. AFAIK, UMich LDAP 3.3 didn't support the use of AFS
> >> Kerberos libraries. What it did do, is support an alternate
> >> string-to-key function in ud. I don't think that's terribly hard to
> >> support, since the string-to-key function is already in the ud code.
> >- This is one place ( among many ) where KTH gets it spot on.
> >It automagically works whether you're using afs_string_to_key
> >or des_string_to_key.
> >
> >- Everything has compiled out of the box except ud and the
> >back-ldbm. The common problem between them is that
> >
> > ac/unistd.h
> >
> >includes /usr/include/crypt.h.
>
> Needed to get the crypt(3) prototype on some systems. We
> currently just test for the existence of the header. Looks
> like we should look specifically for the prototype
> and only include <crypt.h> as needed.
- I'm not sure that will help. On my box ( Solaris 2.5.1 )
crypt.h defines des_encrypt as
extern void des_encrypt(char *, int);
- KTH des.h defines it as
void DES_LIB_FUNCTION des_encrypt(DES_LONG *data,des_key_schedule ks,
int enc);
- If you put an #ifndef HAVE_KTH_KERBEROS around the whole thing
it works just fine as the des.h in KTH has the crypt prototype.
Or am I not understanding what you're suggesting ?
>
> >This causes a prototype clash
> >for the des_encrypt function. Ud requires another simple fix
> >to allow it to use krb_get_pw_in_tkt rather than krb_get_in_tkt.
> >
> >- I have #ifdef HAVE_KTH_KERBEROS code that fixes both problems,
> >but I don't have a test to set HAVE_KTH_KERBEROS. There is at least
> >one include file that looks like it would be a pretty good flag
> >that you have KTH kerberos:
> >
> > krb-archaeology.h
>
> We could easily add AC_CHECK_HEADERS( krb-archaeology.h ) and
> use the result to set HAVE_KTH_KERBEROS if there are no
> better flags (such as Kth specific #define).
>
- I'll ask the authors if there's a better solution.
> I assume Kth relies on the k4 detection checks
> being positive. We might want to add --with-kerberos=kth
> to require successful Kth detection.
- Yes, in my testing I just ran configure --with-kerberos=k4.
The autodetecting didn't work, but that may be because my environment
is so weird. I have 5 different versions of "kerberos" in various
directories on my machine.
>
> >- Anyway, let me know how you'd like to deal with this.
>
> I would think adding the Kth specific support would be quite
> appropriate. I'd be happy to work with you on integrating whatever
> changes you have to offer.
>
- I guess I wasn't too clear. I meant to ask whether you wanted
me to email you patches and in what format. The changes are pretty
trivial. I've attached cvs diff -u patches to ud/auth.c and
ac/unistd.h to this message. They have a bogus #define
HAVE_KTH_KERBEROS in them.
- Booker C. Bense
-P.S. The more I think about it, it seems to me that if you had
all kerberos versions use krb_get_pw_in_tkt then you could use
the same source for all and dump the HAVE_AFS flag. That flag
is only used in one place, ud/auth.c. It's a hack to allow you
to get a ticket from an AFS K4 server with an unaltered MIT K4
library. I guess it was useful at Umich, but it seems very odd
to me that you would have AFS and not a K4 library that handles
this for you. SOP in the afs world is that you use MIT K4 libraries
with a hacked in string_to_key, so you don't have to put this code
in every app that wants to get a tgt.
? Makefile
? version.c
? .libs
? ud.patch
Index: auth.c
===================================================================
RCS file: /repo/OpenLDAP/pkg/ldap/clients/ud/auth.c,v
retrieving revision 1.22
diff -u -r1.22 auth.c
--- auth.c 1999/09/08 17:06:25 1.22
+++ auth.c 1999/10/01 00:43:48
@@ -37,6 +37,7 @@
static char tktpath[20]; /* ticket file path */
static int kinit();
static int valid_tgt();
+#define HAVE_KTH_KERBEROS
#endif
static void set_bound_dn(char *s);
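Review bot: the `#define HAVE_KTH_KERBEROS` added just before `#endif` hard-codes the KTH path in the source file itself. The message already calls it bogus; before this goes in, the macro should be set by configure (the AC_CHECK_HEADERS test on krb-archaeology.h discussed in the thread) and this line dropped, otherwise every build that reaches this block takes the KTH branches below whether or not KTH is installed.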
@@ -335,6 +336,10 @@
static char *kauth_name;
/*ARGSUSED*/
+
+#ifdef HAVE_KTH_KERBEROS
+
+#else
int
krbgetpass( char *user, char *inst, char *realm, char *pw, C_Block key )
{
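Review bot: the `#ifdef HAVE_KTH_KERBEROS` / `#else` pair added above `krbgetpass` has an empty first branch; a single `#ifndef HAVE_KTH_KERBEROS` expresses the same condition and is easier to read. The added lines also land between `/*ARGSUSED*/` and the function it annotates, so the guard should open above that comment rather than below it.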
@@ -365,6 +370,7 @@
return( 0 );
}
+#endif
static int
kinit( char *kname )
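Review bot: the added `#endif` closes a conditional opened about 30 lines earlier and carries no label. The context of the following hunk shows the file's convention, `#endif /* HAVE_AFS_KERBEROS */`; label this one the same way, for example `#endif /* HAVE_KTH_KERBEROS */`.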
@@ -388,9 +394,15 @@
ldap_pvt_str2upper( realm );
#endif /* HAVE_AFS_KERBEROS */
+
+#ifdef HAVE_KTH_KERBEROS
+ /* Kth kerberos knows how to do both string to keys */
+ rc = krb_get_pw_in_tkt(name,inst,realm,TGT,realm,DEFAULT_TKT_LIFE,0 ) ;
+
+#else
rc = krb_get_in_tkt( name, inst, realm, TGT, realm,
DEFAULT_TKT_LIFE, krbgetpass, NULL, NULL );
-
+#endif
if ( rc != KSUCCESS ) {
switch ( rc ) {
case SKDC_CANT:
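Review bot: the new `krb_get_pw_in_tkt` call passes a literal `0` as its last argument and drops the `krbgetpass` callback that the `krb_get_in_tkt` branch supplies, but the comment only mentions string-to-key. Say in the comment who obtains the password on this path, and write `NULL` rather than `0` to match the `NULL, NULL` arguments in the existing call. The call should also follow the spacing of the line below it (`name, inst, realm, TGT, ...` and `);`), since the `rc != KSUCCESS` handling that follows is shared by both branches and the two calls will be read side by side.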
? unistd.patch
Index: unistd.h
===================================================================
RCS file: /repo/OpenLDAP/pkg/ldap/include/ac/unistd.h,v
retrieving revision 1.18
diff -u -r1.18 unistd.h
--- unistd.h 1999/08/30 06:08:00 1.18
+++ unistd.h 1999/10/01 00:45:01
@@ -21,12 +21,15 @@
# include <unistd.h>
#endif
+#define HAVE_KTH_KERBEROS
+#ifndef HAVE_KTH_KERBEROS
/* crypt() may be defined in a separate include file */
#if HAVE_CRYPT_H
# include <crypt.h>
#else
extern char *(crypt)();
#endif
+#endif
#ifndef HAVE_GETPASS
LDAP_F(char*)(getpass) LDAP_P((const char *getpass));
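Review bot: `#define HAVE_KTH_KERBEROS` directly followed by `#ifndef HAVE_KTH_KERBEROS` makes the guarded block dead for every build, so neither `<crypt.h>` nor the fallback `extern char *(crypt)();` is ever seen by anything that includes ac/unistd.h. Once the define moves to configure, the guard also removes the fallback declaration on KTH systems, which leaves `crypt()` undeclared in any file that includes this header without KTH's des.h. Consider guarding only the `# include <crypt.h>` line, and note that the same macro is now defined in two places (here and in ud/auth.c).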