From dcee5483997bdc1897131a0057030228b0890f8c Mon Sep 17 00:00:00 2001 From: Jan Pazdziora Date: Wed, 8 Jan 2014 03:14:52 -0500 Subject: Add Kerberos authentication on /application/login, redirects to /application/login2 to show the form if it fails. --- auth_kerb.conf | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 auth_kerb.conf diff --git a/auth_kerb.conf b/auth_kerb.conf new file mode 100644 index 0000000..70b65a6 --- /dev/null +++ b/auth_kerb.conf @@ -0,0 +1,14 @@ + +LoadModule auth_kerb_module modules/mod_auth_kerb.so + + + AuthType Kerberos + AuthName "Kerberos Login" + KrbMethodNegotiate On + KrbMethodK5Passwd Off + KrbAuthRealms EXAMPLE.COM + Krb5KeyTab /etc/http.keytab + require valid-user + ErrorDocument 401 'Kerberos authentication did not pass.' + + -- cgit From 0a30a04784947c37dd9239fdc49b477e40be31d8 Mon Sep 17 00:00:00 2001 From: Jan Pazdziora Date: Wed, 8 Jan 2014 03:16:43 -0500 Subject: Allow /application/login2 to also be treated as login page. --- app.cgi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app.cgi b/app.cgi index 2cd143a..d97ed8e 100755 --- a/app.cgi +++ b/app.cgi @@ -96,7 +96,7 @@ EOS } if (defined $ENV{PATH_INFO}) { - if ($ENV{PATH_INFO} eq $LOGIN) { + if (substr($ENV{PATH_INFO}, 0, length($LOGIN)) eq $LOGIN) { login(); push @nav, qq!Back to application!; } elsif ($ENV{PATH_INFO} eq $LOGOUT) { -- cgit From 34abb53a91f5eec644c9367004a634b5b904b734 Mon Sep 17 00:00:00 2001 From: Jan Pazdziora Date: Wed, 8 Jan 2014 03:24:37 -0500 Subject: Run Kerberos authentication through PAM access check for service wikiapp. --- auth_kerb.conf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/auth_kerb.conf b/auth_kerb.conf index 70b65a6..de82528 100644 --- a/auth_kerb.conf +++ b/auth_kerb.conf @@ -1,5 +1,6 @@ LoadModule auth_kerb_module modules/mod_auth_kerb.so +LoadModule authnz_pam_module modules/mod_authnz_pam.so AuthType Kerberos 
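Review bot: `KrbAuthRealms EXAMPLE.COM` and `Krb5KeyTab /etc/http.keytab` are deployment-specific values with no comment saying they must be adjusted, and nothing records that the keytab must be readable by the httpd process only. I would add above `Krb5KeyTab` the comment `# realm above is a placeholder; the keytab must be owned by and readable only by the httpd user`. `KrbMethodK5Passwd Off` next to `KrbMethodNegotiate On` is the right pairing, since it keeps the module from accepting a password over Basic auth for this location. The `ErrorDocument 401` line and the container directive around the block look truncated in this rendering (markup stripped), so the login2 redirect the subject describes cannot be confirmed from the hunk.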
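Review bot: The prefix test `substr($ENV{PATH_INFO}, 0, length($LOGIN)) eq $LOGIN` treats every path that merely begins with `$LOGIN` as the login page, not just `$LOGIN` and the `login2` variant the subject names, so any longer path sharing that prefix would also reach `login()`. Match the two paths explicitly instead: `if ($ENV{PATH_INFO} eq $LOGIN or $ENV{PATH_INFO} eq "${LOGIN}2") {`. The `push @nav, qq!...!` link text appears truncated in this rendering, so the markup inside it cannot be reviewed here. The `if (defined $ENV{PATH_INFO})` chain continues past the end of the hunk.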
@@ -8,7 +9,7 @@ LoadModule auth_kerb_module modules/mod_auth_kerb.so KrbMethodK5Passwd Off KrbAuthRealms EXAMPLE.COM Krb5KeyTab /etc/http.keytab - require valid-user + require pam-account wikiapp ErrorDocument 401 'Kerberos authentication did not pass.' -- cgit From 2af64d9996f64ba91cd7c9154840245868f8656a Mon Sep 17 00:00:00 2001 From: Jan Pazdziora Date: Wed, 8 Jan 2014 03:25:36 -0500 Subject: On /application/login2, try to PAM authenticate using the form submitted values. --- intercept_form_submit.conf | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 intercept_form_submit.conf diff --git a/intercept_form_submit.conf b/intercept_form_submit.conf new file mode 100644 index 0000000..ba80603 --- /dev/null +++ b/intercept_form_submit.conf @@ -0,0 +1,9 @@ + +LoadModule intercept_form_submit_module modules/mod_intercept_form_submit.so + + +InterceptFormPAMService wikiapp +InterceptFormLogin login +InterceptFormPassword password + + -- cgit From cdaaa88a4c9b516080555aa8b9f9df65ad0b5b90 Mon Sep 17 00:00:00 2001 From: Jan Pazdziora Date: Wed, 8 Jan 2014 03:28:09 -0500 Subject: For REMOTE_USER, process other attributes as well, provided by mod_lookup_identity. --- app.cgi | 8 ++++++++ lookup_identity.conf | 10 ++++++++++ 2 files changed, 18 insertions(+) create mode 100644 lookup_identity.conf diff --git a/app.cgi b/app.cgi index d97ed8e..badc13a 100755 --- a/app.cgi +++ b/app.cgi @@ -62,6 +62,14 @@ sub login { my $error = ''; if (defined $ENV{REMOTE_USER}) { $login = $ENV{REMOTE_USER}; + if (defined $ENV{REMOTE_USER_EMAIL}) { + $login .= ": $ENV{REMOTE_USER_EMAIL}"; + } + my $n = join ' ', grep defined $_, map $ENV{$_}, + 'REMOTE_USER_FIRSTNAME', 'REMOTE_USER_LASTNAME'; + if ($n ne '') { + $login = "$n ($login)"; + } } elsif (defined $login) { my $re = qr/^[-a-zA-Z0-9_.]+$/; if ($login eq '' or not $login =~ $re) { diff --git a/lookup_identity.conf b/lookup_identity.conf new file mode 100644 index 0000000..8022d07 --- /dev/null +++ b/lookup_identity.conf 
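Review bot: `require pam-account wikiapp` hands authorization to PAM, but nothing in the series adds or documents the `wikiapp` PAM service this line depends on, and the `ErrorDocument 401` text still mentions only Kerberos even though a PAM account denial presumably now surfaces through the same 401. I would add above the line `# account stage of the wikiapp PAM service decides access; the principal was already verified by mod_auth_kerb` and either widen the message or note both causes there. The first hunk of this commit only adds the `LoadModule authnz_pam_module` line that this requirement relies on.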
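Review bot: `InterceptFormLogin login` and `InterceptFormPassword password` bind this module to the field names of the form that app.cgi presumably renders for `/application/login2`, and nothing ties the two together; a comment `# field names must match the login form emitted by app.cgi` would keep a later form change from silently disabling PAM login. The hunk also gives no sign that the form path is limited to TLS, so the submitted credential pair would travel in cleartext on a plain-HTTP vhost; a comment or matching vhost rule should record that requirement. The container directive scoping these lines appears to have been stripped from this rendering, so the scope cannot be checked here.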
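Review bot: The directory attributes appended to `$login` (`REMOTE_USER_EMAIL`, `REMOTE_USER_FIRSTNAME`, `REMOTE_USER_LASTNAME`) bypass the `$re` whitelist that the form branch below applies, so if `$login` is later interpolated into the page they need HTML escaping at the point of output; that use lies outside this hunk, so this is inferred. Also `join ' '` over two attributes that are defined but empty yields a single space, which passes `$n ne ''` and renders as `" (user)"`; `grep { defined $_ and $_ ne '' }` closes that gap. The `login` sub starts before the hunk and continues past it.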
@@ -0,0 +1,10 @@ + +LoadModule lookup_identity_module modules/mod_lookup_identity.so + + +LookupUserAttr mail REMOTE_USER_EMAIL " " +LookupUserAttr givenname REMOTE_USER_FIRSTNAME +LookupUserAttr sn REMOTE_USER_LASTNAME +LookupUserGroups REMOTE_USER_GROUPS ":" + + -- cgit
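Review bot: `LookupUserGroups REMOTE_USER_GROUPS ":"` exports the group list, but no hunk in this series reads it, and the trailing `" "` and `":"` arguments (presumably the separator used when an attribute is multi-valued) are undocumented. A comment such as `# last argument: separator for multi-valued attributes; REMOTE_USER_GROUPS is reserved for authorization in app.cgi` would record the intent. Since `REMOTE_USER_EMAIL` is joined with a space, app.cgi's `": $ENV{REMOTE_USER_EMAIL}"` would show several addresses for a user with more than one `mail` value, which may or may not be intended.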