[Date index for 2005/03/22]
[ Disclaimer: I'm new to mod_perl, but fairly comfortable with Perl. ]

Has anyone successfully used this combination? I've written a number of scripts that use the Authen::SASL::Cyrus XS module (this module extends Authen::SASL, linking to libsasl and thereby gaining access to the authentication mechanisms supported by libsasl). Using Authen::SASL::Cyrus allows me to easily write scripts that can do SASL/GSSAPI authentication to various services (LDAP and IMAP, for instance).

It would be appealing to use this module under mod_perl for many reasons (not the least of which is performance). These scripts can be readily ported to run with Apache mod_cgi, but they run into trouble when running under mod_perl.

The heart of the matter is that the Cyrus SASL library (libsasl) and the underlying Kerberos5/GSSAPI library derive the location of the user's credentials (i.e. their Kerberos ticket) from one of two places: the value of the environment variable KRB5CCNAME or /tmp/krb5cc_$UIDNUMBER.

A bit of background: I have a single sign-on system (an Apache module) that can get a Kerberos ticket for an authenticated user, populating the value of the KRB5CCNAME environment variable with the location of the Kerberos ticket.

In a nutshell, when I run my script as a CGI it forks (and finds the value of $ENV{KRB5CCNAME}) and is able to do GSSAPI authentication to an LDAP server as $ENV{REMOTE_USER} using the ticket in $ENV{KRB5CCNAME}. But the same script under ModPerl::Registry fails because Apache's not using the credential cache specified in $ENV{KRB5CCNAME}; it's trying to use the default credential cache for the Apache user.

Is there a way to configure mod_perl such that when a script/handler runs it always uses the runtime value of $ENV{KRB5CCNAME}? Using subprocess_env doesn't seem to be the solution since I'm not dealing with a spawned subprocess; the whole reason I'd like to use mod_perl in this context is to get away from that model.

Suggestions or advice would be very much appreciated.

Ben
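
The behaviour described in the post, modelled in Python as an added example (not code from the post, from mod_perl or from libsasl): the credential-cache lookup order, a CGI-style child that inherits the request's KRB5CCNAME, and a persistent worker that only sees its own process environment. All function names and sample values are constructed, and `scoped_ccache` is an assumed way to scope the process-level variable to one request, not a confirmed mod_perl fix.

```python
import os
import subprocess
import sys
from contextlib import contextmanager

# Constructed sample: what the single sign-on module exports for one request.
REQUEST_ENV = {"REMOTE_USER": "alice", "KRB5CCNAME": "FILE:/tmp/krb5cc_sso_alice"}

def resolve_ccache(environ, uid):
    """Lookup order from the post: KRB5CCNAME, else /tmp/krb5cc_<uid>."""
    return environ.get("KRB5CCNAME") or "/tmp/krb5cc_%d" % uid

def cgi_model(request_env):
    """mod_cgi style: a new process starts with the request variables in its
    environment, so the lookup performed inside it finds the user's cache."""
    child = ("import os; print(os.environ.get('KRB5CCNAME') "
             "or '/tmp/krb5cc_%d' % os.getuid())")
    env = dict(os.environ, **request_env)
    out = subprocess.run([sys.executable, "-c", child], env=env,
                         capture_output=True, text=True, check=True)
    return out.stdout.strip()

def persistent_model(request_env):
    """Long-lived worker: request variables sit in a per-request table, while
    the library-level lookup reads the worker's own process environment."""
    del request_env  # never consulted by the library-level lookup
    return resolve_ccache(os.environ, os.getuid())

@contextmanager
def scoped_ccache(request_env):
    """Set the process-level variable for one request and always restore it,
    so one user's ticket cache is not left in place for the next request.
    Process-wide: only sound when a worker serves one request at a time."""
    saved = os.environ.get("KRB5CCNAME")
    os.environ["KRB5CCNAME"] = request_env["KRB5CCNAME"]
    try:
        yield
    finally:
        if saved is None:
            os.environ.pop("KRB5CCNAME", None)
        else:
            os.environ["KRB5CCNAME"] = saved

if __name__ == "__main__":
    print("cgi:       ", cgi_model(REQUEST_ENV))
    print("persistent:", persistent_model(REQUEST_ENV))
    with scoped_ccache(REQUEST_ENV):
        print("scoped:    ", persistent_model(REQUEST_ENV))
    print("after:     ", persistent_model(REQUEST_ENV))
```
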
trouble with Authen::SASL::Cyrus, GSSAPI, and mod_perl
Generated at 15:10 on 27 Mar 2005 by mariachi v0.52