
RE: GSSAPI and realm lookup hook



I'd agree with what Michael proposed. The current plugin infrastructure is adequate to extend to a plugin for realm lookup. The lookup function prototype Michael suggested 

I think you can get a handle of the krb5_context by setting it up in init function, e.g.:

    /* init hook: stash the krb5_context as the plugin's private data so that
       the lookup hook can reach it later through its ctx argument */
    krb5_error_code my_lookup_init(krb5_context krb5ctx, void** ctx) {
        *ctx = krb5ctx;
        return 0;
    }

By the way, because the plugin is such a useful feature I'd like to suggest officially publishing the API into krb5-protos.h from krb5-private.h.

On another note, I wonder if the DNS lookup plugin function can be extended so that the plugin can not only tell Kerberos the IP but also the protocol to be used for connecting to KDC. Right now the add_locate() function in krbhst.c does not make use of the type parameter, which is also always 0 when the plugin function is invoked. If we can put this parameter into use by accepting protocol enums, e.g. KD_SRV_UDP and KD_SRV_TCP, the application will have a bit more freedom to maneuver.

Thanks a lot.




Fred



-----Original Message-----
From: Michael B Allen [mailto:miallen@ioplex.com] 
Sent: Thursday, December 13, 2007 9:11 PM
To: Love Hörnquist Åstrand
Cc: heimdal-discuss@sics.se; Zeqing (Fred) Xia
Subject: Re: GSSAPI and realm lookup hook

On Thu, 13 Dec 2007 21:28:01 +0100
Love Hörnquist Åstrand <lha@kth.se> wrote:

> Hello Fred, Michael,
> 
> If you propose a plugin interface, I would happly add it to heimdal

Well if you follow your existing plugin technique the below would
work (I think - I just wrote this free-hand). The only problem I
have with this is that I would like to be able to get to the krb5_context
(e.g. for calling krb5_set_error_string, krb5_getportbyname, etc).

#include <sys/param.h>   /* MAXHOSTNAMELEN */
#include <krb5.h>

/* lookup hook: given a host name, report each candidate realm through the
 * add callback; return non-zero if the plugin cannot determine one */
typedef krb5_error_code
(*krb5plugin_service_realm_lookup) (void *ctx,
        const char *targethost,
        int (*add)(void *addctx, const char *realm),
        void *addctx);

/* function table exported by the plugin, laid out like the existing
 * krb5plugin_*_ftable types */
typedef struct krb5plugin_service_realm_ftable {
    int         minor_version;
    krb5_error_code (*init)(krb5_context, void **);   /* called once at load, sets per-plugin ctx */
    void        (*fini)(void *);                      /* called once at unload */
    krb5plugin_service_realm_lookup lookup;
} krb5plugin_service_realm_ftable;

...   /* my_init, my_fini (not shown) */

static krb5_error_code
my_lookup(void *ctx,
        const char *targethost,
        int (*add)(void *,const char *),
        void *addctx)
{
    char realm[MAXHOSTNAMELEN];

    /* application-specific lookup; fail with the standard "realm unknown" code */
    if (do_some_kind_of_realm_lookup(ctx, targethost, realm, sizeof(realm)) < 0)
        return KRB5_ERR_HOST_REALM_UNKNOWN;

    (*add)(addctx, realm);   /* hand the realm back to the library */

    return 0;
}

krb5plugin_service_realm_ftable my = {
    0,          /* minor_version */
    my_init,
    my_fini,
    my_lookup
};

int
main(int argc, char **argv)
{
    ...
    /* register the table under the plugin name "my" */
    ret = krb5_plugin_register(context, PLUGIN_TYPE_DATA, "my", &my);
    ...
}

> 12 dec 2007 kl. 21.35 skrev Zeqing (Fred) Xia:
> 
> >
> > That's right. I need to add specialized logic to determine the realm  
> > name given a host name. The application will then be able to use its  
> > own logic to influence the decision.
> >
> > Thanks.
> >
> >
> >
> > Fred
> >
> >
> > -----Original Message-----
> > From: Michael B Allen [mailto:miallen@ioplex.com]
> > Sent: Wed 12/12/2007 9:48 AM
> > To: Zeqing (Fred) Xia
> > Cc: heimdal-discuss@sics.se
> > Subject: Re: GSSAPI and realm lookup hook
> >
> > On Wed, 12 Dec 2007 09:22:20 -0800
> > "Zeqing (Fred) Xia" <fxia@juniper.net> wrote:
> >
> >>
> >> Thanks a lot for the info. I was going to patch  
> >> krb5_get_host_realm() in get_host_realm.c.
> >
> > I see. You want the realms for a host, not the hosts for a realm. Yes,
> > get_host_realm.c would be the right place to do that.
> >
> > I've overloaded that myself too but for different reasons no doubt  
> > [1].
> >
> > Mike
> >
> > [1] http://www.stacken.kth.se/lists/heimdal-discuss/2007-03/msg00038.html
> >
> >> -----Original Message-----
> >> From: Michael B Allen [mailto:miallen@ioplex.com]
> >> Sent: Tue 12/11/2007 11:08 PM
> >> To: Zeqing (Fred) Xia
> >> Cc: heimdal-discuss@sics.se
> >> Subject: Re: GSSAPI and realm lookup hook
> >>
> >> On Tue, 11 Dec 2007 18:48:15 -0800
> >> "Zeqing (Fred) Xia" <fxia@juniper.net> wrote:
> >>
> >>> Hi All,
> >>>
> >>> I have a need to do realm lookup with a plugin, because the current
> >>> realm determination logic, other than dns lookup, is not  
> >>> sufficient for
> >>> the scenario I'm dealing with.
> >>
> >> Hi Fred,
> >>
> >> Do you mean that you want to alter how Heimdal resolves servers given
> >> a realm?
> >>
> >> I don't know about the new plugin code but I have found that  
> >> replacing
> >> lib/krb5/krbhst.c:srv_find_realm with my own implementation works
> >> quite well since the data structures involved are isolated and
> >> non-complicated.

-- 
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
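The following is an added example, not code from this thread or from Heimdal. It puts together the two pieces discussed above: a realm-lookup plugin written against the ftable Michael sketched (init/fini/lookup), whose init keeps the krb5_context as private data the way Fred suggests, and a stand-in for the library side (`lookup_host_realm`, `collect_add`, both hypothetical names) that drives init, lookup and fini in order and collects what the plugin reports through the add callback. The `krb5_context`, `krb5_error_code` and `KRB5_ERR_HOST_REALM_UNKNOWN` definitions are minimal stand-ins so the file builds without Heimdal headers, and the host-suffix table is constructed sample data standing in for whatever "specialized logic" an application would really use.

```c
/* Added example, not code from this thread or from Heimdal: a realm-lookup plugin
 * written against the ftable Michael sketched, with init() keeping the krb5_context
 * as Fred suggested, plus a stand-in for the library side that drives
 * init -> lookup -> fini. The krb5 types and error value are minimal stand-ins so
 * this builds without Heimdal headers; the host/realm table is constructed data. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAXHOSTNAMELEN 256
#define KRB5_ERR_HOST_REALM_UNKNOWN (-1)   /* placeholder; the real value is in krb5_err.h */

typedef int krb5_error_code;
/* stand-in for the opaque krb5_context; default_realm is an assumed field */
typedef struct krb5_context_data { const char *default_realm; } *krb5_context;

typedef krb5_error_code (*krb5plugin_service_realm_lookup)(void *, const char *targethost,
                                                            int (*)(void *, const char *), void *);
typedef struct krb5plugin_service_realm_ftable {
    int minor_version;
    krb5_error_code (*init)(krb5_context, void **);
    void (*fini)(void *);
    krb5plugin_service_realm_lookup lookup;
} krb5plugin_service_realm_ftable;

/* plugin side: init stores the krb5_context as private data so lookup can reach it */
static krb5_error_code my_init(krb5_context context, void **pctx) { *pctx = context; return 0; }
static void my_fini(void *ctx) { (void)ctx; }   /* nothing to release */

/* constructed sample table standing in for the application's own realm logic */
static const struct { const char *suffix; const char *realm; } realm_map[] = {
    { ".corp.example.com", "CORP.EXAMPLE.COM" },
    { ".lab.example.net",  "LAB.EXAMPLE.NET"  },
};

/* case-insensitive suffix match: host names are case-insensitive, realm names are not */
static int ends_with_ci(const char *s, const char *suffix)
{
    size_t ls = strlen(s), lx = strlen(suffix);
    if (ls < lx) return 0;
    for (s += ls - lx; *suffix; s++, suffix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*suffix)) return 0;
    return 1;
}

static krb5_error_code
my_lookup(void *ctx, const char *targethost, int (*add)(void *, const char *), void *addctx)
{
    krb5_context context = ctx;   /* stored by my_init */
    size_t i;
    for (i = 0; i < sizeof(realm_map) / sizeof(realm_map[0]); i++)
        if (ends_with_ci(targethost, realm_map[i].suffix))
            return (*add)(addctx, realm_map[i].realm) ? KRB5_ERR_HOST_REALM_UNKNOWN : 0;
    /* unknown host: fall back to the context's default realm when one is configured */
    if (context->default_realm != NULL)
        return (*add)(addctx, context->default_realm) ? KRB5_ERR_HOST_REALM_UNKNOWN : 0;
    return KRB5_ERR_HOST_REALM_UNKNOWN;
}

krb5plugin_service_realm_ftable my = { 0, my_init, my_fini, my_lookup };

/* library side (stand-in): the add callback collects realms into the caller's list */
struct realm_list { char realms[4][MAXHOSTNAMELEN]; int n; };

static int collect_add(void *ctx, const char *realm)
{
    struct realm_list *l = ctx;
    if (l->n >= 4 || strlen(realm) >= MAXHOSTNAMELEN) return -1;
    strcpy(l->realms[l->n++], realm);
    return 0;
}

/* drives one plugin the way the library would: init, lookup, fini;
 * returns the lookup's error code, the realms end up in *out */
krb5_error_code
lookup_host_realm(krb5_context context, const krb5plugin_service_realm_ftable *ft,
                  const char *host, struct realm_list *out)
{
    void *pctx = NULL;
    krb5_error_code ret;
    memset(out, 0, sizeof(*out));
    ret = ft->init(context, &pctx);
    if (ret) return ret;
    ret = ft->lookup(pctx, host, collect_add, out);
    ft->fini(pctx);
    return ret;
}

int main(void)
{
    struct krb5_context_data cd = { "EXAMPLE.COM" };
    const char *hosts[] = { "fileserver.corp.example.com", "BOX.LAB.EXAMPLE.NET", "other.example.org" };
    struct realm_list out;
    size_t i;
    for (i = 0; i < sizeof(hosts) / sizeof(hosts[0]); i++) {
        krb5_error_code ret = lookup_host_realm(&cd, &my, hosts[i], &out);
        printf("%-28s -> %s\n", hosts[i], ret ? "realm unknown" : out.realms[0]);
    }
    return 0;
}
```

The lookup hook only ever hands back realm names through the add callback and signals failure with KRB5_ERR_HOST_REALM_UNKNOWN, so a plugin that cannot decide leaves the library free to try its other sources; the krb5_context reaches the hook purely through the opaque ctx pointer set up in init, which is why no extra parameter is needed in the lookup prototype.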