Testing use of krb5 and gssapi in PostgreSQL?
Michael Stahl
mst at libreoffice.org
Wed Oct 16 08:43:00 UTC 2019
On 16.10.19 08:46, Stephan Bergmann wrote:
> On 14/10/2019 13:33, Lionel Élie Mamane wrote:
>> On Mon, Oct 14, 2019 at 11:05:32AM +0200, Stephan Bergmann wrote:
>>> The only use of WITH_KRB5 and WITH_GSSAPI in LO appears to be the
>>> PostgreSQL support (see connectivity/Library_postgresql-sdbc-impl.mk and
>>> external/postgresql/ExternalProject_postgresql.mk). Is there some
>>> documentation how to test whether the use of krb5 and gssapi in the
>>> PostgreSQL support actually works?
>>
>> Try to connect to a PostgreSQL support with GSSAPI and Kerberos?
>
> For the record: Found a PostgreSQL server inside RH that I could access
> with my RH Kerberos credentials. What I tested was "File - New -
> Database", then on the wizard's first "Select database" page "Connect to
> an existing database: PostgreSQL", on the second "Connection settings"
> page specify "host=... port=5433 dbname=public sslmode=require", and on
> the third "Set up user authentication" page leave everything blank and
> click "Test Connection". This worked with a local Linux LO build,
> announcing a successful test of the connection.
>
> For both the current LO 6.3.2 Flathub build against
> org.freedesktop.Sdk//18.08 (where krb5 is included in the runtime), as
> well as for a local LO 6.3.2 Flatpak build of
> <https://github.com/flathub/org.libreoffice.LibreOffice/pull/104>
> "Freedesktop19.08" (against org.freedesktop.Sdk//19.08, where krb5 is no
> longer included in the runtime, but where I bundle it with LO), it
> worked as follows:
>
> The test failed to access my Kerberos ticket from outside the Flatpak
> sandbox (the connection test reporting an error ending in "GSSAPI
> continuation error: No Kerberos credentials available (default cache:
> FILE:/tmp/krb5cc_1000)"). But it worked when I explicitly obtained a
> ticket inside the sandbox first (`flatpak run --command=bash
> org.libreoffice.LibreOffice`, then in the sandbox `kinit ... &&
> /app/libreoffice/program/soffice`).

guess FILE and DIR credential caches won't work out of the box, err, I
mean inside the (sand-)box, but there's another one, the KEYRING, which
stores it in the Linux kernel - I wonder if that is available inside the
sandbox? Might be a question for people who actually know something
about Kerberos :)

https://web.mit.edu/kerberos/krb5-1.12/doc/basic/ccache_def.html

On the other hand, it's a very obscure feature probably, maybe not worth
investing any effort in it...
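
A small diagnostic for the situation discussed in this thread, added here as an example and not part of the original messages or of LibreOffice: it splits a credential cache name into type and residual and, for FILE and DIR caches, reports whether the path is readable from the process running it, so the output on the host can be compared with the output in the sandbox shell. The function names are hypothetical, and the fallback to `FILE:/tmp/krb5cc_<uid>` is an assumption taken from the error message quoted above.

```shell
#!/bin/sh
# Added example: classify a Kerberos credential cache name (TYPE:residual)
# and check whether a file-backed cache is readable from *this* process.
# Function names are hypothetical; they are not part of krb5 or LibreOffice.

ccache_type() {
    case "$1" in
        *:*) printf '%s\n' "${1%%:*}" ;;
        *)   printf 'FILE\n' ;;        # bare path, no prefix: handled as FILE
    esac
}

ccache_residual() {
    case "$1" in
        *:*) printf '%s\n' "${1#*:}" ;;
        *)   printf '%s\n' "$1" ;;
    esac
}

ccache_check() {
    cc_type=$(ccache_type "$1")
    cc_res=$(ccache_residual "$1")
    case "$cc_type" in
        FILE)
            if [ -r "$cc_res" ]; then echo "FILE reachable"
            else echo "FILE unreachable"; fi ;;
        DIR)
            # "DIR::/path/tkt" names one cache file, "DIR:/path" the directory
            case "$cc_res" in
                :*) cc_res=${cc_res#:}; cc_probe=-r ;;
                *)  cc_probe=-d ;;
            esac
            if [ "$cc_probe" "$cc_res" ]; then echo "DIR reachable"
            else echo "DIR unreachable"; fi ;;
        KEYRING)
            # Held by the kernel, not a file: a path check cannot decide this.
            echo "KEYRING kernel-held" ;;
        *)
            echo "$cc_type not-a-path" ;;
    esac
}

# Assumed fallback when KRB5CCNAME is unset (the real default is build-specific).
ccache_check "${KRB5CCNAME:-FILE:/tmp/krb5cc_$(id -u)}"
```

"FILE unreachable" inside the sandbox together with "FILE reachable" on the host matches the "No Kerberos credentials available" error quoted in the thread.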