GSS implementation in ldap_child
With this patch, ldap_child is able to obtain a Kerberos
ticket via the GSS API instead of using the Kerberos library.

The patch uses environment variable GSS_USE_PROXY to decide
whether to use GSS API or kerberos libraries. If this variable is
set to any value, GSS API is used. Note that this variable
is used by GSS libraries too.

Setting this variable to "yes" causes the GSS library
to communicate with GSS proxy and therefore GSS proxy must be
configured in advance to accept SSSD requests.

By setting this variable to (for example) "no", ldap_child still
uses the GSS API to get the Kerberos ticket, but it is done
directly, without communicating with GSS proxy. In such a case
ldap_child still needs permission to access the keytab (i.e. must
run as a privileged user).

If the variable is unset, ldap_child works the old way.
thalman committed Feb 2, 2023
1 parent 6a2de71 commit 4b28152
Showing 7 changed files with 728 additions and 45 deletions.
8 changes: 6 additions & 2 deletions Makefile.am
Expand Up @@ -700,6 +700,7 @@ dist_noinst_HEADERS = \
src/util/sss_python.h \
src/util/sss_regexp.h \
src/util/sss_krb5.h \
src/util/sss_gss.h \
src/util/sss_selinux.h \
src/util/sss_sockets.h \
src/util/sss_utf8.h \
Expand Down Expand Up @@ -4560,6 +4561,7 @@ ldap_child_SOURCES = \
src/providers/ldap/ldap_child.c \
src/providers/krb5/krb5_keytab.c \
src/util/sss_krb5.c \
src/util/sss_gss.c \
src/util/sss_iobuf.c \
src/util/atomic_io.c \
src/util/memory.c \
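Review bot: With `src/util/sss_gss.c` compiled into ldap_child, the choice between the GSS API path and the Kerberos library path rests on the GSS_USE_PROXY environment variable, which the commit message says the GSS libraries read as well, and the same message notes that the non-proxy case still needs keytab access as a privileged user. Please document (man page or a comment in the new file) where this variable is expected to be set for ldap_child, and consider accepting only explicit values instead of "any value", so that a stray setting in the service environment does not silently change how the ticket is obtained.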
Expand All @@ -4574,13 +4576,15 @@ ldap_child_SOURCES = \
ldap_child_CFLAGS = \
$(AM_CFLAGS) \
$(POPT_CFLAGS) \
$(KRB5_CFLAGS)
$(KRB5_CFLAGS) \
$(GSSAPI_KRB5_CFLAGS)
ldap_child_LDADD = \
libsss_debug.la \
$(TALLOC_LIBS) \
$(POPT_LIBS) \
$(DHASH_LIBS) \
$(KRB5_LIBS)
$(KRB5_LIBS) \
$(GSSAPI_KRB5_LIBS)

if BUILD_SEMANAGE
selinux_child_SOURCES = \
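Review bot: The added `$(GSSAPI_KRB5_CFLAGS)` and `$(GSSAPI_KRB5_LIBS)` entries in ldap_child_CFLAGS and ldap_child_LDADD are unconditional, so ldap_child gains a GSSAPI link dependency even when GSS_USE_PROXY is unset and, per the commit message, it "works the old way". Please confirm that configure always defines both variables (nothing in this hunk guards them) and mention the new dependency in the commit message so packagers see it.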