head 1.5; access; symbols; locks; strict; comment @# @; 1.5 date 2009.03.26.18.58.04; author rse; state Exp; branches; next 1.4; commitid 2d8Nwfbuhn5aIzHt; 1.4 date 2008.12.19.08.13.46; author rse; state Exp; branches; next 1.3; commitid eq54p2Tf1zfrg3vt; 1.3 date 2008.12.17.12.15.06; author rse; state Exp; branches; next 1.2; commitid nmwkdYQPVnhdFOut; 1.2 date 2007.12.22.13.27.43; author rse; state Exp; branches; next 1.1; commitid 4QkLXF51fb8zFqKs; 1.1 date 2007.10.09.18.13.00; author rse; state Exp; branches; next ; commitid ppSeJtWaglVTCWAs; desc @@ 1.5 log @modifying package: apache-kerberos-5.4 20081219 -> 20090326 @ text @Index: configure --- configure.orig 2006-11-22 11:33:58 +0100 +++ configure 2007-12-22 14:25:24 +0100 @@@@ -3933,7 +3933,6 @@@@ if test -z "$gssapi_supports_spnego"; then if test -n "$have_heimdal"; then SPNEGO_SRCS="\ spnegokrb5/asn1_MechType.c \ - spnegokrb5/asn1_MechTypeList.c \ spnegokrb5/asn1_ContextFlags.c \ spnegokrb5/asn1_NegTokenInit.c \ spnegokrb5/asn1_NegTokenTarg.c \ @@@@ -3941,6 +3940,11 @@@@ spnegokrb5/accept_sec_context.c \ spnegokrb5/encapsulate.c \ spnegokrb5/decapsulate.c \ + spnegokrb5/der_get.c \ + spnegokrb5/der_put.c \ + spnegokrb5/der_free.c \ + spnegokrb5/der_length.c \ + spnegokrb5/der_copy.c \ spnegokrb5/external.c" else SPNEGO_SRCS="\ spnegokrb5/asn1_MechType.c \ Index: spnegokrb5/der_get.c --- spnegokrb5/der_get.c.orig 2006-11-22 11:27:17 +0100 +++ spnegokrb5/der_get.c 2007-12-22 14:24:51 +0100 @@@@ -39,6 +39,17 @@@@ #include #endif +#include "config.h" +#ifdef HEIMDAL +#define der_get_length my_der_get_length +#define der_get_tag my_der_get_tag +#define der_match_tag my_der_match_tag +#define der_match_tag_and_length my_der_match_tag_and_length +#define der_get_octet_string my_der_get_octet_string +#define der_get_oid my_der_get_oid +#define der_get_general_string my_der_get_general_string +#endif + /* * All decoding functions take a pointer `p' to first position in * which to read, from the left, `len' which 
means the maximum number Index: spnegokrb5/der_put.c --- spnegokrb5/der_put.c.orig 2003-09-05 10:54:08 +0200 +++ spnegokrb5/der_put.c 2007-12-22 14:24:51 +0100 @@@@ -37,6 +37,16 @@@@ RCSID("$Id: apache-kerberos.patch,v 1.4 2008/12/19 08:13:46 rse Exp $"); #endif +#include "config.h" +#ifdef HEIMDAL +#define der_put_length my_der_put_length +#define der_put_oid my_der_put_oid +#define der_put_tag my_der_put_tag +#define der_put_length_and_tag my_der_put_length_and_tag +#define der_put_octet_string my_der_put_octet_string +#define der_put_general_string my_der_put_general_string +#endif + /* * All encoding functions take a pointer `p' to first position in * which to write, from the right, `len' which means the maximum Index: src/mod_auth_kerb.c --- src/mod_auth_kerb.c.orig 2008-12-04 11:14:03 +0100 +++ src/mod_auth_kerb.c 2009-03-26 19:47:27 +0100 @@@@ -170,6 +170,7 @@@@ char *krb_4_srvtab; int krb_method_k4pass; #endif + int krb_append_realm; } kerb_auth_config; typedef struct krb5_conn_data { @@@@ -247,6 +248,9 @@@@ FLAG, "Enable Kerberos V4 password authentication."), #endif + command("KrbAppendRealm", ap_set_flag_slot, krb_append_realm, + FLAG, "Append the realm name when setting $REMOTE_USER."), + { NULL } }; @@@@ -336,6 +340,7 @@@@ #ifdef KRB4 ((kerb_auth_config *)rec)->krb_method_k4pass = 1; #endif + ((kerb_auth_config *)rec)->krb_append_realm = 1; return rec; } @@@@ -525,6 +530,8 @@@@ if (sent_instance) user = apr_pstrcat(r->pool, user, ".", sent_instance, NULL); user = apr_pstrcat(r->pool, user, "@@", realm, NULL); + if (conf->krb_append_realm) + user = apr_pstrcat(r->pool, user, "@@", realm, NULL); MK_USER = user; MK_AUTH_TYPE = "Basic"; @@@@ -1064,6 +1071,8 @@@@ MK_AUTH_TYPE = "Basic"; free(name); + if (!conf->krb_append_realm && (name = strchr(MK_USER, '@@'))) + *name = '\0'; if (conf->krb_save_credentials) store_krb5_creds(kcontext, r, conf, ccache); @@@@ -1327,6 +1336,7 @@@@ gss_ctx_id_t context = GSS_C_NO_CONTEXT; gss_cred_id_t server_creds = 
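Review bot: `#include "config.h"` is placed after the system headers (it follows the `#endif` that closes the existing include block), so any feature or platform macros config.h defines arrive too late to influence them; it should be the first include in the file. The `#define der_get_length my_der_get_length` renames also only take effect inside this translation unit: any other spnegokrb5 source that calls `der_get_length` still resolves the unrenamed symbol, which under HEIMDAL presumably means Heimdal's own libasn1 export rather than the copy compiled here, unless the same defines already live in a header those callers include (not visible in this patch). If they do not, the `#ifdef HEIMDAL` rename block belongs in the shared der header rather than in der_get.c, and the der_put.c hunk below has the same shape.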
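Review bot: With `KrbAppendRealm` at its default of 1 the realm is appended twice on this path, because the unconditional `user = apr_pstrcat(r->pool, user, "@", realm, NULL);` is kept as a context line and the new guarded copy repeats it immediately after; with the flag off the unconditional line still appends it, so the directive has no effect here. The hunk should remove the unconditional line so that only `if (conf->krb_append_realm) user = apr_pstrcat(r->pool, user, "@", realm, NULL);` remains (the RCS container shows each `@` doubled as `@@`). The enclosing function starts before the hunk; from `sent_instance` it looks like the Kerberos 4 password path.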
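Review bot: Truncating `MK_USER` at the first `@` when `krb_append_realm` is off folds every realm onto the same local identity, so if more than one realm is accepted on this path (KrbAuthRealms with several entries, or a cross-realm trust) `alice@REALM-A` and `alice@REALM-B` both reach authorization as `alice`; nothing in the hunk checks which realm is being dropped. It is also the first `@` that is cut, whereas the realm follows the last one and an unparsed principal can carry an escaped `\@` inside a component, so at minimum this should be `name = strrchr(MK_USER, '@')`. A safer option is to strip only when the realm part equals the realm the server expects and otherwise keep the full principal, or to map through krb5_aname_to_localname as revision 1.3 of this patch did. The enclosing function starts before the hunk.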
GSS_C_NO_CREDENTIAL; OM_uint32 ret_flags = 0; + char *name = NULL; *negotiate_ret_value = "\0"; @@@@ -1461,6 +1471,8 @@@@ MK_AUTH_TYPE = MECH_NEGOTIATE; MK_USER = apr_pstrdup(r->pool, output_token.value); + if (!conf->krb_append_realm && (name = strchr(MK_USER, '@@'))) + *name = '\0'; if (conf->krb_save_credentials && delegated_cred != GSS_C_NO_CREDENTIAL) store_gss_creds(r, conf, (char *)output_token.value, delegated_cred); @ 1.4 log @upgrading package: apache-kerberos 5.3 -> 5.4 @ text @d49 1 a49 1 RCSID("$Id: apache-kerberos.patch,v 1.3 2008/12/17 12:15:06 rse Exp $"); d65 64 @ 1.3 log @incorporate a patch for optional realm removal @ text @d49 1 a49 1 RCSID("$Id: apache-kerberos.patch,v 1.2 2007/12/22 13:27:43 rse Exp $"); a64 124 --- src/mod_auth_kerb.c.orig 2006-11-22 11:32:58.000000000 +0100 +++ src/mod_auth_kerb.c 2008-12-16 19:26:27.000000000 +0100 @@@@ -165,6 +165,7 @@@@ char *krb_5_keytab; int krb_method_gssapi; int krb_method_k5pass; + int krb5_auth_to_local; #endif #ifdef KRB4 char *krb_4_srvtab; @@@@ -227,6 +228,9 @@@@ command("KrbMethodK5Passwd", ap_set_flag_slot, krb_method_k5pass, FLAG, "Enable Kerberos V5 password authentication."), + + command("Krb5AuthToLocal", ap_set_flag_slot, krb5_auth_to_local, + FLAG, "Enable Kerberos V5 auth_to_local mapping."), #endif #ifdef KRB4 @@@@ -322,6 +326,7 @@@@ #ifdef KRB5 ((kerb_auth_config *)rec)->krb_method_k5pass = 1; ((kerb_auth_config *)rec)->krb_method_gssapi = 1; + ((kerb_auth_config *)rec)->krb5_auth_to_local = 0; #endif #ifdef KRB4 ((kerb_auth_config *)rec)->krb_method_k4pass = 1; @@@@ -746,6 +751,79 @@@@ } static int +do_krb5_an_to_ln(request_rec *r, const kerb_auth_config *conf, MK_POOL *p) +{ + const int lname_size = 1024; + + krb5_context kcontext; + krb5_principal princ; + krb5_error_code code; + char lname[lname_size]; + int ret; + + if (!conf->krb5_auth_to_local) { + return OK; + } + + ret = HTTP_INTERNAL_SERVER_ERROR; + + code = krb5_init_context(&kcontext); + if (code) { + 
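Review bot: The same realm stripping is applied to the Negotiate path, where `MK_USER` is whatever `output_token.value` holds (presumably the gss_display_name output, produced outside the hunk); if this path does not validate the principal's realm before reaching here, dropping it makes a foreign-realm principal indistinguishable from a local one for every downstream `Require user` or application check keyed on REMOTE_USER. Use `strrchr` rather than `strchr` so an escaped `\@` in a name component cannot move the cut, and only strip when the realm matches the one the server expects. The enclosing function starts before the hunk.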
log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "Cannot initialize Kerberos5 context (%d)", code); + return HTTP_INTERNAL_SERVER_ERROR; + } + + code = krb5_parse_name(kcontext, MK_USER, &princ); + if (code) { + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "krb5_parse_name() failed for name %s: %s", + MK_USER, + krb5_get_err_text(kcontext, code)); + krb5_free_context(kcontext); + return HTTP_INTERNAL_SERVER_ERROR; + } + + code = krb5_aname_to_localname(kcontext, princ, sizeof(lname), lname); + if (code) { + if (code != KRB5_LNAME_NOTRANS) { + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "krb5_aname_to_localname() failed: %s", + krb5_get_err_text(kcontext, code)); + /* fall through */ + } + else { + log_rerror(APLOG_MARK, APLOG_NOTICE, 0, r, + "krb5_aname_to_localname() found no " + "mapping for principal %s", + MK_USER); + /* fall through */ + } + } + else { + /* Does this belong in an authz handler? */ + if (!krb5_kuserok(kcontext, princ, lname)) { + log_rerror(APLOG_MARK, APLOG_NOTICE, 0, r, + "krb5_kuserok(%s, %s) == false", + MK_USER, lname); + ret = HTTP_UNAUTHORIZED; + } + else { + log_rerror(APLOG_MARK, APLOG_NOTICE, 0, r, + "doing auth_to_local: %s -> %s", + MK_USER, lname); + MK_USER = apr_pstrdup(p, lname); + ret = OK; + } + } + krb5_free_principal(kcontext, princ); + krb5_free_context(kcontext); + + return ret; +} + + +static int krb5_cache_cleanup(void *data) { krb5_context context; @@@@ -1536,9 +1614,15 @@@@ if (use_krb5 && conf->krb_method_gssapi && strcasecmp(auth_type, MECH_NEGOTIATE) == 0) { ret = authenticate_user_gss(r, conf, auth_line, &negotiate_ret_value); + if (ret == OK) { + ret = do_krb5_an_to_ln(r, conf, r->connection->pool); + } } else if (use_krb5 && conf->krb_method_k5pass && strcasecmp(auth_type, "Basic") == 0) { ret = authenticate_user_krb5pwd(r, conf, auth_line); + if (ret == OK) { + ret = do_krb5_an_to_ln(r, conf, r->pool); + } } #endif @ 1.2 log @fix Apache config and port to HEIMDAL @ text @d49 1 a49 1 RCSID("$Id: der_put.c,v 1.1 2003/09/05 
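Review bot: A principal with no auth_to_local mapping is rejected with HTTP_INTERNAL_SERVER_ERROR rather than HTTP_UNAUTHORIZED, because `ret` is preset to that value and the `KRB5_LNAME_NOTRANS` branch only logs and "falls through" to `return ret`. Failing closed is the right choice here (MK_USER must not silently remain the raw principal), but an unmapped principal is an authorization outcome, not a server fault, so set `ret = HTTP_UNAUTHORIZED;` in that branch and keep the 500 for the genuine library failures. `char lname[lname_size]` with `const int lname_size = 1024;` is a VLA in C, since a const int is not a constant expression; `enum { lname_size = 1024 };` avoids that. Judging from the deltas this is the 1.3 revision of the patch, which 1.4 dropped in favour of the head revision's strchr-based realm stripping; the krb5_kuserok check here is the stronger of the two.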
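Review bot: The Negotiate call site passes `r->connection->pool` while the Basic call site passes `r->pool`, so the mapped local name in the GSSAPI path outlives the request on a keep-alive connection; if MK_USER in that path is request-pool allocated (as the head revision's hunk `MK_USER = apr_pstrdup(r->pool, output_token.value);` suggests), `ret = do_krb5_an_to_ln(r, conf, r->pool);` is sufficient here as well. Whether the 5.3 code this revision patched kept the user in the connection pool is not visible here, so confirm before changing it.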
08:54:08 kouril Exp $"); d65 124 @ 1.1 log @allow building against Heimdal, too @ text @d3 1 a3 1 +++ configure 2007-10-09 20:11:22 +0200 d12 53 @