On Fri, 3 Nov 2006 21:12:38 -0500 Stephen Frost <[EMAIL PROTECTED]> wrote:
> In general I like this idea but I'm not sure about its implementation.
> It strikes me as rather excessive to attempt multiple binds in this
> way and to cause that extra load on the server. Also, it may hide

I do agree this is probably not the best way to go about this, but does it really cause that much extra load? It seems like the client would find out rather quickly that its cache cannot be used.

A more ideal solution in my mind is to have two distinct configuration directives (e.g. krb5_ccname and rootkrb5_ccname to go along with the other directives) for root accesses and user ones. I'm not really experienced with libnss-ldap code, or even LDAP/KRB code in general, so I didn't want to accidentally break stuff ;).

> other real problems beyond permissions on the ccache. How about just
> attempting to open the modified ccache? If you can't open then it's
> not very likely to work and you can switch to the unmodified one.

I thought of this, but it would involve parsing the cache string and actually determining if it's a file cache. I don't really know what else ccache can contain... what else besides FILE: can one encounter? If the cache is not FILE:, or if it is but accessible, and GSSAPI auth fails anyway, wouldn't we want to still try the old ccache anyway?
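The pre-check discussed in this message, sketched in C as an added example (not code from the thread or from libnss-ldap): it treats a name with no type prefix as a FILE cache, as MIT Kerberos does, probes only FILE caches by opening them, and keeps the original ccache as a fallback whenever the modified one was not ruled out. The function names and the sample ccache names are hypothetical.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical names throughout; sample ccache names in main() are constructed. */
enum cc_check { CC_USABLE, CC_UNREADABLE, CC_UNKNOWN };

/* Path of a FILE ccache, or NULL for any other type (MEMORY:, API:, ...).
 * MIT Kerberos treats a name with no "TYPE:" prefix as a FILE path. */
static const char *cc_file_path(const char *name)
{
    const char *colon = strchr(name, ':');
    if (colon == NULL)
        return name;
    if (colon - name == 4 && strncmp(name, "FILE", 4) == 0)
        return colon + 1;
    return NULL;
}

/* Probe by opening the cache file; only FILE caches can be probed this way. */
enum cc_check cc_precheck(const char *name)
{
    const char *path = (name && *name) ? cc_file_path(name) : NULL;
    if (path == NULL)
        return CC_UNKNOWN;
    int fd = open(path, O_RDONLY | O_NONBLOCK);
    if (fd < 0)
        return CC_UNREADABLE;
    close(fd);
    return CC_USABLE;
}

/* Returns the ccache to bind with first. *fallback is the one to retry if
 * the GSSAPI bind then fails, or NULL when the modified cache was skipped. */
const char *cc_choose(const char *modified, const char *original,
                      const char **fallback)
{
    int skip = cc_precheck(modified) == CC_UNREADABLE;
    *fallback = skip ? NULL : original;
    return skip ? original : modified;
}

int main(void)
{
    const char *fb, *first = cc_choose("FILE:/nonexistent/krb5cc_x", "MEMORY:y", &fb);
    printf("first: %s, fallback: %s\n", first, fb ? fb : "(none)");
    return 0;
}
```

A successful open only rules out the permissions case; the bind can still fail afterwards, which is why the fallback is kept for every cache that was not skipped.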