
Re: KTH support for openldap

On Thu, 30 Sep 1999, Kurt D. Zeilenga wrote:

> At 04:01 PM 9/30/99 -0700, Booker Bense wrote:
> >[ My horror at the suggested use of AFS krb libraries deleted]
> >> All true.  I wouldn't suggest supporting the use of AFS Kerberos
> >> libraries.  AFAIK, UMich LDAP 3.3 didn't support the use of AFS
> >> Kerberos libraries.  What it did do, is support an alternate
> >> string-to-key function in ud.  I don't think that's terribly hard to
> >> support, since the string-to-key function is already in the ud code.
> >- This is one place ( among many ) where KTH gets it spot on. 
> >It automagically works whether you're using afs_string_to_key
> >or des_string_to_key. 
> >
> >- Everything has compiled out of the box except ud and the
> >back-ldbm. The common problem between them is that 
> >
> >	ac/unistd.h 
> >
> >includes  /usr/include/crypt.h.
> Needed to get the crypt(3) prototype on some systems.  We
> currently just test for the existence of the header.  Looks
> like we should look specifically for the prototype
> and only include <crypt.h> as needed.

- I'm not sure that will help. On my box ( Solaris 2.5.1 ) 
crypt.h defines des_encrypt as 

extern void des_encrypt(char *, int);

- KTH des.h defines it as 

void DES_LIB_FUNCTION des_encrypt(DES_LONG *data,des_key_schedule ks,
int enc);

- If you put an #ifndef HAVE_KTH_KERBEROS around the whole thing
it works just fine as the des.h in KTH has the crypt prototype. 
Or am I not understanding what you're suggesting ? 

> >This causes a prototype clash
> >for the des_encrypt function. Ud requires another simple fix 
> >to allow it to use krb_get_pw_in_tkt rather than krb_get_in_tkt. 
> >
> >- I have #ifdef HAVE_KTH_KERBEROS code that fixes both problems,
> >but I don't have a test to set HAVE_KTH_KERBEROS. There is at least
> >one include file that looks like it would be a pretty good flag
> >that you have KTH kerberos:
> >
> >	krb-archaeology.h
> We could easily add AC_CHECK_HEADERS( krb-archaeology.h ) and
> use the result to set HAVE_KTH_KERBEROS if there are no
> better flags (such as a Kth specific #define).

- I'll ask the authors if there's a better solution. 

> I assume Kth relies on the k4 detection checks
> being positive.  We might want to add --with-kerberos=kth
> to require successful Kth detection.

- Yes, in my testing I just ran configure --with-kerberos=k4. 
The autodetecting didn't work, but that may be because my environment
is so weird. I have 5 different versions of "kerberos" in various
directories on my machine. 

> >- Anyway, let me know how you'd like to deal with this.
> I would think adding the Kth specific support would be quite
> appropriate.  I'd be happy to work with you on integrating whatever
> changes you have to offer.

- I guess I wasn't too clear. I meant to ask whether you wanted
me to email you patches and in what format. The changes are pretty
trivial. I've attached cvs diff -u patches to ud/auth.c and
ac/unistd.h to this message. They have a bogus #define

- Booker C. Bense

-P.S. The more I think about it, it seems to me that if you had
all kerberos versions use krb_get_pw_in_tkt then you could use
the same source for all and dump the HAVE_AFS flag. That flag
is only used in one place, ud/auth.c. It's a hack to allow you
to get a ticket from an AFS K4 server with an unaltered MIT K4
library. I guess it was useful at Umich, but it seems very odd
to me that you would have AFS and not a K4 library that handles
this for you. SOP in the afs world is that you use MIT K4 libraries
with a hacked in string_to_key, so you don't have to put this code
in every app that wants to get a tgt.   
? Makefile
? version.c
? .libs
? ud.patch
Index: auth.c
RCS file: /repo/OpenLDAP/pkg/ldap/clients/ud/auth.c,v
retrieving revision 1.22
diff -u -r1.22 auth.c
--- auth.c	1999/09/08 17:06:25	1.22
+++ auth.c	1999/10/01 00:43:48
@@ -37,6 +37,7 @@
 static char tktpath[20];	/* ticket file path */
 static int kinit();
 static int valid_tgt();
 static void set_bound_dn(char *s);
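Review bot: the @@ -37,6 +37,7 @@ header announces one added line, but no `+` line appears anywhere between `static char tktpath[20];` and `static void set_bound_dn(char *s);`; the same holds for the hunks at @@ -335,6 +336,10 @@ (four added lines announced, only context shown) and @@ -365,6 +370,7 @@ (one added line announced, only context shown). As pasted, patch(1) would reject all three hunks because their line counts do not match their contents, so the added declarations need to be re-sent, ideally as a real attachment rather than inline text.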
@@ -335,6 +336,10 @@
 static char *kauth_name;
 krbgetpass( char *user, char *inst, char *realm, char *pw, C_Block key )
@@ -365,6 +370,7 @@
 	return( 0 );
 static int
 kinit( char *kname )
@@ -388,9 +394,15 @@
 	ldap_pvt_str2upper( realm );
 #endif /* HAVE_AFS_KERBEROS */
+	/* Kth kerberos knows how to do both string to keys */ 
+	rc = krb_get_pw_in_tkt(name,inst,realm,TGT,realm,DEFAULT_TKT_LIFE,0 ) ;
 	rc = krb_get_in_tkt( name, inst, realm, TGT, realm,
 	    DEFAULT_TKT_LIFE, krbgetpass, NULL, NULL );
 	if ( rc != KSUCCESS ) {
 		switch ( rc ) {
 		case SKDC_CANT:
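Review bot: in the hunk at @@ -388,9 +394,15 @@, the new `rc = krb_get_pw_in_tkt(...)` line sits directly above the existing `rc = krb_get_in_tkt( name, inst, realm, TGT, realm,` call, which is neither removed nor placed under an `#else`; as shown, both calls run and the second one overwrites rc, so the KTH path has no effect. The header counts six added lines but only two `+` lines are visible, so the `#ifdef HAVE_KTH_KERBEROS` / `#else` / `#endif` lines the message describes were most likely lost in pasting; please re-send with the conditional intact. Separately, the new call passes a literal 0 where the old call passed the krbgetpass callback, so krbgetpass (and the kauth_name handling around it) is never reached on the KTH path; the comment on the `+` line should say where the password is read instead of "knows how to do both string to keys".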
? unistd.patch
Index: unistd.h
RCS file: /repo/OpenLDAP/pkg/ldap/include/ac/unistd.h,v
retrieving revision 1.18
diff -u -r1.18 unistd.h
--- unistd.h	1999/08/30 06:08:00	1.18
+++ unistd.h	1999/10/01 00:45:01
@@ -21,12 +21,15 @@
 #	include <unistd.h>
 /* crypt() may be defined in a separate include file */
 #	include <crypt.h>
 	extern char *(crypt)();
 LDAP_F(char*)(getpass) LDAP_P((const char *getpass));
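Review bot: the hunk at @@ -21,12 +21,15 @@ shows no `+` lines at all, so the `#ifndef HAVE_KTH_KERBEROS` guard described in the message cannot be reviewed from what was posted. When re-sending, make sure the guard encloses the `#	include <crypt.h>` line itself and not only the `extern char *(crypt)();` declaration, since the clash described above comes from crypt.h's des_encrypt prototype colliding with KTH's des.h, not from crypt() itself, and the message says KTH's des.h already supplies the crypt prototype.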
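The two configure-side ideas raised in this exchange (a flag that is set only when KTH Kerberos is detected, optionally forced by --with-kerberos=kth, and including <crypt.h> only when the crypt() prototype is not already available) as an added configure.in fragment in autoconf 2.13 style. This is an illustration written for this thread, not OpenLDAP's own configure.in and not part of Booker's patch; the option handling, the ol_* shell variables, and the NEED_CRYPT_H symbol are assumed names, while krb-archaeology.h and HAVE_KTH_KERBEROS come from the message above.

```m4
dnl Added example, not OpenLDAP's configure.in.  Names marked "assumed"
dnl are illustrative: ol_with_kerberos, ol_have_kth, ol_cv_decl_crypt and
dnl NEED_CRYPT_H are not taken from the project.

dnl --with-kerberos=kth lets the user require KTH rather than rely on
dnl the generic k4 checks happening to succeed (assumed option values).
AC_ARG_WITH(kerberos,
  [  --with-kerberos=kth|k4|no  Kerberos library to use (default: auto)],
  [ol_with_kerberos=$withval], [ol_with_kerberos=auto])

if test "$ol_with_kerberos" != no ; then
  dnl krb-archaeology.h is the header the message names as KTH-specific.
  dnl autoconf turns the name into the cache variable
  dnl ac_cv_header_krb_archaeology_h.
  AC_CHECK_HEADERS(krb-archaeology.h)
  if test "$ac_cv_header_krb_archaeology_h" = yes ; then
    ol_have_kth=yes
    AC_DEFINE(HAVE_KTH_KERBEROS, 1, [define if using KTH Kerberos])
  else
    ol_have_kth=no
  fi

  dnl Explicit kth request must fail loudly instead of silently
  dnl falling back to whatever k4 library happened to be found first.
  if test "$ol_with_kerberos" = kth -a "$ol_have_kth" = no ; then
    AC_MSG_ERROR([--with-kerberos=kth given but KTH Kerberos was not found])
  fi
fi

dnl Test for the crypt() prototype itself rather than for the mere
dnl existence of <crypt.h>.  Using crypt as a value (not a call) makes the
dnl compile fail under C89 when the identifier is undeclared.
AC_CHECK_HEADERS(crypt.h)
AC_CACHE_CHECK([whether unistd.h declares crypt], ol_cv_decl_crypt,
  [AC_TRY_COMPILE([#include <unistd.h>],
     [char *(*f)() = (char *(*)())crypt; return f == 0;],
     ol_cv_decl_crypt=yes, ol_cv_decl_crypt=no)])

dnl Only ask ac/unistd.h to pull in <crypt.h> when it is actually needed,
dnl so a system crypt.h with a conflicting des_encrypt prototype is not
dnl dragged in next to KTH's des.h for no reason.  NEED_CRYPT_H is assumed.
if test "$ol_cv_decl_crypt" = no -a "$ac_cv_header_crypt_h" = yes ; then
  AC_DEFINE(NEED_CRYPT_H, 1, [define if <crypt.h> is required for crypt()])
fi
```

With this in place, the include in ac/unistd.h would be guarded by `#ifdef NEED_CRYPT_H` instead of `#ifdef HAVE_CRYPT_H`, so the header is included on systems where unistd.h lacks the prototype and skipped where another header (such as KTH's des.h) already provides it.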