diff options
| author | Jan Pazdziora <jpazdziora@redhat.com> | 2014-04-15 10:39:30 +0200 |
|---|---|---|
| committer | Jan Pazdziora <jpazdziora@redhat.com> | 2014-04-15 11:00:38 +0200 |
| commit | d65efefd864c1671a028a43179f14d8cf6e28402 (patch) | |
| tree | 2dbf037a9705a89c4cfd88335fe15aa5c05ad162 | |
| parent | 4c7b3a65841e8ee8e34d7686dab12db3f3cb05b1 (diff) | |
| download | mod_intercept_form_submit-d65efefd864c1671a028a43179f14d8cf6e28402.tar.gz mod_intercept_form_submit-d65efefd864c1671a028a43179f14d8cf6e28402.tar.xz mod_intercept_form_submit-d65efefd864c1671a028a43179f14d8cf6e28402.zip | |
Add support for InterceptFormLoginRealms.mod_intercept_form_submit-0.9.6
| -rw-r--r-- | README | 15 | ||||
| -rw-r--r-- | mod_intercept_form_submit.c | 40 | ||||
| -rw-r--r-- | mod_intercept_form_submit.spec | 5 |
3 files changed, 58 insertions, 2 deletions
@@ -75,6 +75,20 @@ Optional parameters: Default is off. + InterceptFormLoginRealms REALM1 [other REALM2] + + List of realm/domain names to append to the login and try + in cycle when the login does not contain the '@' sign. This + can be used for force particular realms without users being + forced to enter them. Empty string can be used in the list + to explicitly try authentication without any realm. + + This can be used with mod_auth_kerb's (default) + KrbMethodK5Passwd Off to present login names including realms + to web applications. + + By default, not modifications to login happens. + Example: LoadModule intercept_form_submit_module modules/mod_intercept_form_submit.so @@ -86,6 +100,7 @@ Example: InterceptFormLoginSkip admin InterceptFormClearRemoteUserForSkipped on InterceptFormPasswordRedact on + InterceptFormLoginRealms EXAMPLE.COM LAB.EXAMPLE.COM '' </Location> The PAM service needs to be configured. For the above shown diff --git a/mod_intercept_form_submit.c b/mod_intercept_form_submit.c index 44270a4..ac5f667 100644 --- a/mod_intercept_form_submit.c +++ b/mod_intercept_form_submit.c @@ -31,6 +31,7 @@ typedef struct ifs_config { char * pam_service; apr_hash_t * login_blacklist; int clear_blacklisted; + apr_array_header_t * realms; } ifs_config; typedef struct { @@ -62,6 +63,17 @@ static const char * add_login_to_blacklist(cmd_parms * cmd, void * conf_void, co return NULL; } +static const char * add_realm(cmd_parms * cmd, void * conf_void, const char * arg) { + ifs_config * cfg = (ifs_config *) conf_void; + if (cfg) { + if (! cfg->realms) { + cfg->realms = apr_array_make(cmd->pool, 1, sizeof(char *)); + } + *(const char **) apr_array_push(cfg->realms) = arg; + } + return NULL; +} + static const command_rec directives[] = { AP_INIT_TAKE1("InterceptFormLogin", ap_set_string_slot, (void *)APR_OFFSETOF(ifs_config, login_name), ACCESS_CONF, "Name of the login parameter in the POST request"), AP_INIT_TAKE1("InterceptFormPassword", ap_set_string_slot, (void *)APR_OFFSETOF(ifs_config, password_name), ACCESS_CONF, "Name of the password parameter in the POST request"), @@ -69,6 +81,7 @@ static const command_rec directives[] = { AP_INIT_TAKE1("InterceptFormPAMService", ap_set_string_slot, (void *)APR_OFFSETOF(ifs_config, pam_service), ACCESS_CONF, "PAM service to authenticate against"), AP_INIT_ITERATE("InterceptFormLoginSkip", add_login_to_blacklist, NULL, ACCESS_CONF, "Login name(s) for which no PAM authentication will be done"), AP_INIT_FLAG("InterceptFormClearRemoteUserForSkipped", ap_set_flag_slot, (void *)APR_OFFSETOF(ifs_config, clear_blacklisted), ACCESS_CONF, "When authentication is skipped for users listed with InterceptFormLoginSkip, clear r->user and REMOTE_USER"), + AP_INIT_ITERATE("InterceptFormLoginRealms", add_realm, NULL, ACCESS_CONF, "Realm(s) that will be appended to login name which does not have one"), { NULL } }; @@ -137,6 +150,30 @@ static char * intercept_form_submit_process_keyval(apr_pool_t * pool, const char return ret; } +static authn_status pam_authenticate_in_realms(request_rec * r, const char * pam_service, + const char * login, const char * password, apr_array_header_t * realms, int steps) { + + if (strchr(login, '@') || (! realms) || (! realms->nelts)) { + return pam_authenticate_with_login_password_fn(r, pam_service, login, password, steps); + } + // pam_authenticate_with_login_password_fn(r, config->pam_service, *login_value, *password_value, 3); + + authn_status first_status = AUTH_GENERAL_ERROR; + int i; + for (i = 0; i < realms->nelts; i++) { + const char * realm = ((const char**)realms->elts)[i]; + const char * full_login = login; + if (realm && strlen(realm)) + full_login = apr_pstrcat(r->pool, login, "@", realm, NULL); + authn_status status = pam_authenticate_with_login_password_fn(r, pam_service, full_login, password, steps); + if (status == AUTH_GRANTED) + return status; + if (i == 0) + first_status = status; + } + return first_status; +} + #define _REDACTED_STRING "[REDACTED]" static void intercept_form_redact_password(ap_filter_t * f, ifs_config * config) { request_rec * r = f->r; @@ -250,7 +287,7 @@ static int intercept_form_submit_process_buffer(ap_filter_t * f, ifs_config * co ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, "mod_intercept_form_submit: pam_authenticate_with_login_password not found; perhaps mod_authnz_pam is not loaded"); return 0; } - authn_status auth_result = pam_authenticate_with_login_password_fn(r, config->pam_service, *login_value, *password_value, 3); + authn_status auth_result = pam_authenticate_in_realms(r, config->pam_service, *login_value, *password_value, config->realms, 3); if (auth_result == AUTH_GRANTED) { if (lookup_identity_hook_fn) { ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server, "mod_intercept_form_submit: calling lookup_identity_hook"); @@ -438,6 +475,7 @@ static void * merge_dir_conf(apr_pool_t * pool, void * base_void, void * add_voi } else if (base->login_blacklist) { cfg->login_blacklist = base->login_blacklist; } + cfg->realms = add->realms ? add->realms : base->realms; return cfg; } diff --git a/mod_intercept_form_submit.spec b/mod_intercept_form_submit.spec index 8c23818..eb207d4 100644 --- a/mod_intercept_form_submit.spec +++ b/mod_intercept_form_submit.spec @@ -7,7 +7,7 @@ Summary: Apache module to intercept login form submission and run PAM authentication Name: mod_intercept_form_submit -Version: 0.9.5 +Version: 0.9.6 Release: 1%{?dist} License: ASL 2.0 Group: System Environment/Daemons @@ -58,6 +58,9 @@ install -Dp -m 0644 intercept_form_submit.conf $RPM_BUILD_ROOT%{_httpd_confdir}/ %{_httpd_moddir}/*.so %changelog +* Tue Apr 15 2014 Jan Pazdziora <jpazdziora@redhat.com> - 0.9.6-1 +- Add support for InterceptFormLoginRealms. + * Thu Jan 30 2014 Jan Pazdziora <jpazdziora@redhat.com> - 0.9.5-1 - 1058809 - .spec changes for Fedora package review. |