Kerberos ticket revalidated in Multi mode
Hello,
when using AuthKerberos mode in AuthMulti, and trying to search the authenticated user in several ADs (so using UserDBMulti), the Kerberos ticket is revalidated and it fails (it seems Kerberos has replay protection):
[Thu Mar 08 17:09:15.642852 2018] [perl:debug] [pid 15128] Lemonldap::NG::Portal::SharedConf: Multi (type 0): trying extractFormInfo for module Kerberos
[Thu Mar 08 17:09:15.642883 2018] [perl:debug] [pid 15128] Lemonldap::NG::Portal::SharedConf: Kerberos ticket received: YIIIQQYGKwYBBQUCoIIINTCCCDGgMDAuBgkqhkiC9x...
[Thu Mar 08 17:09:15.642996 2018] [perl:debug] [pid 15128] Lemonldap::NG::Portal::SharedConf: Set KRB5_KTNAME env to FILE:/etc/lemonldap-ng/auth.keytab
[Thu Mar 08 17:09:15.656337 2018] [perl:debug] [pid 15128] /usr/share/perl5/vendor_perl/Lemonldap/NG/Common/CGI.pm 305:
[Thu Mar 08 17:09:15.656369 2018] [perl:notice] [pid 15128] Lemonldap::NG : USER@EXAMPLE.COM authentified by Kerberos
...
[Thu Mar 08 17:09:15.693201 2018] [perl:debug] [pid 15128] /usr/share/perl5/vendor_perl/Lemonldap/NG/Portal/_Multi.pm 92:
[Thu Mar 08 17:09:15.693230 2018] [perl:info] [pid 15128] Retriving user with AD#1 failed, trying next
[Thu Mar 08 17:09:15.693254 2018] [perl:debug] [pid 15128] Lemonldap::NG::Portal::SharedConf: Replay all methods until sub getUser
[Thu Mar 08 17:09:15.693287 2018] [perl:debug] [pid 15128] Lemonldap::NG::Portal::SharedConf: processing to sub authInit
[Thu Mar 08 17:09:15.693340 2018] [perl:debug] [pid 15128] Lemonldap::NG::Portal::SharedConf: Evaluate expression: 1
[Thu Mar 08 17:09:15.693390 2018] [perl:debug] [pid 15128] Lemonldap::NG::Portal::SharedConf: Evaluation result: 1
[Thu Mar 08 17:09:15.693411 2018] [perl:debug] [pid 15128] Lemonldap::NG::Portal::SharedConf: Multi (type 0): trying authInit for module Kerberos
[Thu Mar 08 17:09:15.693429 2018] [perl:debug] [pid 15128] Lemonldap::NG::Portal::SharedConf: processing to sub extractFormInfo
[Thu Mar 08 17:09:15.693470 2018] [perl:debug] [pid 15128] Lemonldap::NG::Portal::SharedConf: Evaluate expression: 1
[Thu Mar 08 17:09:15.693497 2018] [perl:debug] [pid 15128] Lemonldap::NG::Portal::SharedConf: Evaluation result: 1
[Thu Mar 08 17:09:15.693513 2018] [perl:debug] [pid 15128] Lemonldap::NG::Portal::SharedConf: Multi (type 0): trying extractFormInfo for module Kerberos
[Thu Mar 08 17:09:15.693544 2018] [perl:debug] [pid 15128] Lemonldap::NG::Portal::SharedConf: Kerberos ticket received: YIIIQQYGKwYBBQUCoIIINTCCCDGgMDAuB....
[Thu Mar 08 17:09:15.693582 2018] [perl:debug] [pid 15128] Lemonldap::NG::Portal::SharedConf: Set KRB5_KTNAME env to FILE:/etc/lemonldap-ng/auth.keytab
[Thu Mar 08 17:09:15.693961 2018] [perl:debug] [pid 15128] /usr/share/perl5/vendor_perl/Lemonldap/NG/Portal/AuthKerberos.pm 98:
[Thu Mar 08 17:09:15.693982 2018] [perl:error] [pid 15128] Unable to accept security context
I think we should check in extractFormInfo if the Kerberos user was already found, and in this case not try to revalidate the ticket.
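To make the failure mode and the proposed guard concrete, here is a small Python model of the control flow, added as an example and not code from LemonLDAP::NG (the portal itself is Perl, and the real check is a GSSAPI accept-security-context call). A `KerberosAcceptor` with an in-memory replay cache stands in for the GSSAPI acceptor, two dict-backed `UserDB` objects stand in for the AD#1/AD#2 backends of UserDBMulti, and `multi_login` reproduces the "replay all methods until getUser" loop. The ticket blob, principal and backend contents are constructed sample data; `skip_if_authenticated` is the hypothetical guard suggested above, not an existing option.

```python
"""
Model of the AuthMulti/UserDBMulti Kerberos replay problem.

Constructed example, not project code. The real portal is Perl and the real
validation is a GSSAPI accept_sec_context() call; here a KerberosAcceptor with
an in-memory replay cache stands in for it, and dict-backed UserDB objects
stand in for the AD backends of UserDBMulti.
"""
from dataclasses import dataclass, field


class ReplayError(Exception):
    """Raised when the same AP-REQ is presented a second time."""


@dataclass
class KerberosAcceptor:
    """Stand-in for a GSSAPI acceptor: a given ticket is accepted exactly once."""
    keytab_principals: dict                 # ticket blob -> client principal (constructed)
    seen: set = field(default_factory=set)  # the acceptor's replay cache
    accept_calls: int = 0                   # how many times a ticket was presented

    def accept(self, ticket: str) -> str:
        self.accept_calls += 1
        if ticket in self.seen:
            raise ReplayError("Unable to accept security context (replay)")
        if ticket not in self.keytab_principals:
            raise ValueError("Unable to accept security context (bad ticket)")
        self.seen.add(ticket)
        return self.keytab_principals[ticket]


@dataclass
class UserDB:
    """One AD/LDAP backend of UserDBMulti: knows a few principals."""
    name: str
    users: set

    def get_user(self, principal: str) -> bool:
        return principal in self.users


def extract_form_info(state: dict, ticket: str, acceptor: KerberosAcceptor,
                      skip_if_authenticated: bool) -> None:
    """Model of AuthKerberos extractFormInfo.

    With skip_if_authenticated=True (the hypothetical guard) the ticket is
    only presented on the first pass; later passes reuse the user already
    found instead of replaying the same AP-REQ to the acceptor.
    """
    if skip_if_authenticated and state.get("user"):
        return
    state["user"] = acceptor.accept(ticket)  # raises ReplayError on a second pass


def multi_login(ticket, acceptor, userdbs, skip_if_authenticated):
    """UserDBMulti loop: when getUser fails, replay the auth steps and try the next backend.

    Returns (user, backend_name) on success or (None, error_message) on failure.
    """
    state = {}
    for db in userdbs:
        try:
            # authInit would run here too; extractFormInfo is the step that matters.
            extract_form_info(state, ticket, acceptor, skip_if_authenticated)
        except ReplayError as e:
            return None, str(e)
        if db.get_user(state["user"]):
            return state["user"], db.name
        # "Retrieving user with <db> failed, trying next": Multi replays the chain
    return None, "user not found in any backend"


# Constructed sample data: one AP-REQ blob and two ADs; the user lives in AD#2.
TICKET = "YIIIQQYGKwYBBQUCoIIINTCCCDGgMDAuB..."
PRINCIPAL = "USER@EXAMPLE.COM"
AD1 = UserDB("AD#1", {"OTHER@EXAMPLE.COM"})
AD2 = UserDB("AD#2", {PRINCIPAL})


def run(skip_if_authenticated: bool):
    """Run one login through both backends; return (result, ticket presentations)."""
    acceptor = KerberosAcceptor({TICKET: PRINCIPAL})
    result = multi_login(TICKET, acceptor, [AD1, AD2], skip_if_authenticated)
    return result, acceptor.accept_calls


if __name__ == "__main__":
    print("current behaviour:", run(False))  # second pass replays the ticket -> error
    print("with guard:      ", run(True))   # ticket presented once, user found in AD#2
```

Without the guard the second pass over the chain presents the same AP-REQ again and the acceptor rejects it, which is exactly the `Unable to accept security context` line in the log; the rejection is the acceptor's replay cache doing its job, so the fix belongs in the portal (not presenting the ticket twice), not in relaxing Kerberos.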