Credential Cache for multiple client principal names
Rick van Rein
rick at openfortress.nl
Wed Jun 29 12:05:30 EDT 2016
Hello,
Thanks Simo!
> DIR or KEYRING should be equivalent for your purpose, they are both
> cache collections.
Good, I seem to be onto something then :)
>> Can you help me, or perhaps show me some examples that do this?
>
> Have you looked in kinit/kvno/gssapi code ?
Thanks! I found that kinit has another instrument, where it has one
cache, but supportive of krb5_cc_support_switch() so I could use
krb5_cc_cache_match() instead of the iteration over a cache collection,
and krb5_cc_new_unique() to add a new identity.
The kinit approach sounds lighter-weight, though I'm not yet clear if it
will let me work on any but the current cache, which could be
problematic since my TLS Pool is multi-threaded, to handle multiple TLS
connections for multiple users.
Any hints on that are welcome of course :)
> If you set up two realms in two separate DNS domains and then kinit to
> two different principals, you can see how kvno or any gssapi application
> will work to store tickets in the caches to access services in the two
> realms.
Hmm, I tried that with kinit and it was confusing me -- but that might
be because its sole purpose is to initiate a cache. I will try kvno as
well then, good hint :)
Best wishes,
-Rick