Cache selection logic

Bernardo Pastorelli berpast at
Thu May 30 09:01:28 EDT 2013

I have a problem related to the logic used for selecting caches.

I have the following scenario: two users defined on Active Directory. One user (Administrator) authorized to view/retrieve all the data. Another user (user1) authorized only to a subset of the data. I use openldap and kerberos to connect to the Active Directory server.

I create two LDAP sessions; in one of them I perform a bind for Administrator, in the other one I perform a bind for user1. In the kerberos cache (type DIR) I see a tgt and an ldap ticket for both Administrator and user1.

Then, using the Administrator's LDAP session, I try searching the Active Directory. This operation fails.
In the kerberos trace I see that the cache selection logic simply searches all the entries in the cache for a valid connection to the LDAP server, independent of the principal establishing it. So it ends up selecting the user1 connection, but user1 is not authorized to query all the data.

Is there any way to let kerberos use the cache of the principal I used during the bind? Why, even if I use the Administrator's LDAP session, does kerberos end up using the user1 credentials?

As a solution I'm planning on building a ccselect kerberos plug-in that uses thread local storage to pass information about the principal associated with the thread from my code to the ccselect logic. Any alternative?
I saw ccselect_k5identity, but my understanding is that it requires a configuration file, which in my scenario with hundreds of LDAP users does not seem practical.
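The selection problem described in this post, modelled as an added example (Python, not MIT Kerberos code and not the poster's plug-in): a DIR-style collection holds one cache per client principal, `first_match` mimics a selector that takes the first cache holding a ticket for the LDAP service regardless of who owns it, and `thread_bound` shows the thread-local idea from the post, where each thread records the principal it bound as and selection is restricted to that principal's cache. The principal and service names are constructed for the example.

```python
"""Model of credential-cache selection in a multi-threaded LDAP client.

Added illustration only; this is not libkrb5 code.  A real ccselect module
is a C shared object loaded by libkrb5, but the selection logic it has to
implement can be reasoned about in this simplified model.
"""
import threading
from dataclasses import dataclass, field

# Constructed names for the example.
ADMIN = "Administrator@EXAMPLE.COM"
USER1 = "user1@EXAMPLE.COM"
LDAP_SVC = "ldap/dc1.example.com@EXAMPLE.COM"


@dataclass
class Ccache:
    """One credential cache: its client principal and the service tickets it holds."""
    client: str
    tickets: set = field(default_factory=set)


class Collection:
    """A DIR-type collection: several caches, one per client principal."""

    def __init__(self, caches):
        self.caches = list(caches)


def first_match(collection, server):
    """Pick the first cache with a valid ticket for `server`, ignoring the
    client principal.  This is the behaviour the post observes: whichever
    principal's cache happens to come first wins, for every caller."""
    for cache in collection.caches:
        if server in cache.tickets:
            return cache
    raise LookupError(f"no cache holds a ticket for {server}")


# Thread-local slot recording which principal this thread bound as.
_bound = threading.local()


def bind(principal):
    """Record the principal the current thread authenticated as."""
    _bound.principal = principal


def thread_bound(collection, server):
    """Pick only the cache whose client principal matches the principal bound
    on this thread; refuse to fall back to some other principal's cache."""
    principal = getattr(_bound, "principal", None)
    if principal is None:
        raise LookupError("no principal bound to this thread")
    for cache in collection.caches:
        if cache.client == principal and server in cache.tickets:
            return cache
    raise LookupError(f"no cache for {principal} holds a ticket for {server}")


def run_threads(collection, server, selector):
    """Run one thread per principal; each binds, then selects a cache.
    Returns {bound principal: client principal of the cache selected}."""
    results = {}

    def worker(principal):
        bind(principal)
        results[principal] = selector(collection, server).client

    threads = [threading.Thread(target=worker, args=(p,)) for p in (ADMIN, USER1)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def demo_collection():
    """Both principals hold a TGT and an LDAP ticket; user1's cache is listed first."""
    return Collection([
        Ccache(USER1, {"krbtgt/EXAMPLE.COM@EXAMPLE.COM", LDAP_SVC}),
        Ccache(ADMIN, {"krbtgt/EXAMPLE.COM@EXAMPLE.COM", LDAP_SVC}),
    ])


if __name__ == "__main__":
    coll = demo_collection()
    print("first_match :", run_threads(coll, LDAP_SVC, first_match))
    print("thread_bound:", run_threads(coll, LDAP_SVC, thread_bound))
```

With `first_match`, the Administrator thread is handed user1's cache, which is the authorization failure the post describes; with `thread_bound`, each thread gets its own principal's cache, and a thread that never bound gets an explicit error instead of someone else's credentials.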

