Multiple principals in a single application
Greg Hudson
ghudson at MIT.EDU
Wed May 8 11:48:36 EDT 2013
On 05/08/2013 03:05 AM, Bernardo Pastorelli wrote:
> I read about using the DIR cache or setting environment variables to use different caches, one for each user. But I was wondering if it is possible to avoid all of this, and simply not have a cache, but maintain all the tickets in memory.
> The idea is to create the tickets using the kerberos APIs, not storing them in cache but simply keeping them in my process memory. And then pass these tickets to the ldap functions to connect to the ldap server.
This should be possible using memory ccaches, though I'm not aware of
any sample code. The outline would be:
1. Create a krb5_context with krb5_init_context
2. Create a memory ccache with krb5_cc_new_unique (with type "MEMORY"
and hint NULL)
3. Fetch tickets into the ccache.
- The old way is to do krb5_get_init_creds_password and then
krb5_cc_store_cred.
- The new way (requires MIT krb5 1.8+) is to create a
krb5_get_init_creds_opt structure with krb5_get_init_creds_opt_alloc,
then call krb5_get_init_creds_opt_set_out_ccache with the ccache handle,
then call krb5_get_init_creds_password.
The new way allows the library to write config values into the cache
such as "the KDC supports FAST," but it's not critical to making things
work.
4. Acquire GSSAPI creds from the ccache
- The old way is to call gss_krb5_ccache_name before the
gss_acquire_cred call, to set a thread-specific global variable.
- The new way (requires MIT krb5 1.9+) is to use gss_krb5_import_cred.
5. At this point we're at step (b) in Nico's instructions for using the
DIR ccache. Call ldap_int_sasl_set_option with
LDAP_OPT_X_SASL_GSS_CREDS as Nico suggested in his response, and then
call ldap_sasl_bind_s.