File: gssapi_delegation.patch

Index: libapache-mod-auth-kerb-5.3/src/mod_auth_kerb.c
===================================================================
--- libapache-mod-auth-kerb-5.3.orig/src/mod_auth_kerb.c	2008-05-08 09:31:40.000000000 +0200
+++ libapache-mod-auth-kerb-5.3/src/mod_auth_kerb.c	2008-05-08 09:37:53.000000000 +0200
@@ -158,6 +158,7 @@
 	const char *krb_service_name;
 	int krb_authoritative;
 	int krb_delegate_basic;
+	int krb_append_realm;
 #if 0
 	int krb_ssl_preauthentication;
 #endif
@@ -214,6 +215,9 @@
    command("KrbDelegateBasic", ap_set_flag_slot, krb_delegate_basic,
      FLAG, "Always offer Basic authentication regardless of KrbMethodK5Pass and pass on authentication to lower modules if Basic headers arrive."),
 
+   command("KrbAppendRealm", ap_set_flag_slot, krb_append_realm,
+     FLAG, "Append the realm name when setting $REMOTE_USER."),
+
 #if 0
    command("KrbEnableSSLPreauthentication", ap_set_flag_slot, krb_ssl_preauthentication,
      FLAG, "Don't do Kerberos authentication if the user is already authenticated using SSL and her client certificate."),
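Review bot: The help string on lines 115-116 does not say what dropping the realm costs: once `@REALM` is gone from REMOTE_USER (the truncations at lines 133-135, 143-144 and 171-172), two principals that differ only in realm become the same user to every module and application downstream, so the option is only safe when a single trusted realm is accepted. That is the authorization-relevant fact an administrator needs before turning it off, and it belongs in the directive text rather than in a changelog. I would extend the string to `"Append the realm name when setting $REMOTE_USER (default On). Turning this Off merges identically named users from different realms; only use it with a single trusted realm."`. The default of 1 set in the hunk at line 125 keeps the pre-patch behaviour, which is the right choice.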
@@ -320,6 +324,7 @@
 	((kerb_auth_config *)rec)->krb_service_name = NULL;
 	((kerb_auth_config *)rec)->krb_authoritative = 1;
 	((kerb_auth_config *)rec)->krb_delegate_basic = 0;
+	((kerb_auth_config *)rec)->krb_append_realm = 1;
 #if 0
 	((kerb_auth_config *)rec)->krb_ssl_preauthentication = 0;
 #endif
@@ -519,7 +524,8 @@
    user = apr_pstrdup(r->pool, sent_name);
    if (sent_instance)
       user = apr_pstrcat(r->pool, user, ".", sent_instance, NULL);
-   user = apr_pstrcat(r->pool, user, "@", realm, NULL);
+   if (conf->krb_append_realm)
+      user = apr_pstrcat(r->pool, user, "@", realm, NULL);
 
    MK_USER = user;
    MK_AUTH_TYPE = "Basic";
@@ -1087,6 +1093,9 @@
    MK_AUTH_TYPE = "Basic";
    free(name);
 
+   if (!conf->krb_append_realm && (name = strchr(MK_USER, '@')))
+      *name = '\0';
+
    if (conf->krb_save_credentials)
       store_krb5_creds(kcontext, r, conf, ccache);
 
@@ -1338,6 +1347,8 @@
   gss_OID_desc spnego_oid;
   gss_ctx_id_t context = GSS_C_NO_CONTEXT;
   gss_cred_id_t server_creds = GSS_C_NO_CREDENTIAL;
+  OM_uint32 tmp_flags;
+  char *name = NULL;
 
   *negotiate_ret_value = "\0";
 
@@ -1406,7 +1417,7 @@
 				  &client_name,
 				  NULL,
 				  &output_token,
-				  NULL,
+				  &tmp_flags,
 				  NULL,
 				  &delegated_cred);
   log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
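Review bot: `tmp_flags` receives the ret_flags output of gss_accept_sec_context on line 163 but is never read in any hunk of this patch; if nothing outside the visible hunks inspects it, the variable added at line 153 is dead and the original NULL was fine. If the intent is to tell whether the client actually delegated, the natural use is to test `GSS_C_DELEG_FLAG` in it before relying on `delegated_cred` at line 174, and a short comment at the declaration saying which flag is consumed would make that explicit. The enclosing function starts and ends outside the hunk.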
@@ -1471,6 +1482,9 @@
   MK_AUTH_TYPE = MECH_NEGOTIATE;
   MK_USER = apr_pstrdup(r->pool, output_token.value);
 
+  if (!conf->krb_append_realm && (name = strchr(MK_USER, '@')))
+    *name = '\0';
+
   if (conf->krb_save_credentials && delegated_cred != GSS_C_NO_CREDENTIAL)
      store_gss_creds(r, conf, (char *)output_token.value, delegated_cred);
 
@@ -1504,7 +1518,7 @@
    if (ap_is_initial_req(r) || MK_AUTH_TYPE == NULL)
       return 0;
    if (strcmp(MK_AUTH_TYPE, MECH_NEGOTIATE) ||
-       (strcmp(MK_AUTH_TYPE, "Basic") && strchr(MK_USER, '@')))
+       (strcmp(MK_AUTH_TYPE, "Basic") && MK_USER != NULL))
       return 1;
    return 0;
 }
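Review bot: The rewritten condition on line 182 makes any non-NULL MK_USER on a Negotiate subrequest count as "already succeeded", where the old code additionally required a realm-qualified name; that is a necessary consequence of KrbAppendRealm Off, but nothing in the code says so, and the next reader may "restore" the '@' probe. A one-line comment above the `if` would prevent that: `/* MK_USER need not contain '@' once KrbAppendRealm is Off; presence is the only usable signal. */`. Note that after this change the Basic branch of the second disjunct is unreachable when the first disjunct is false (MK_AUTH_TYPE is then MECH_NEGOTIATE, so `strcmp(MK_AUTH_TYPE, "Basic")` is always non-zero), which was already true before the patch.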