mod_auth_gssapi.git/src, branch perms A GSSAPI based replacement for the aging mod_auth_kerb. Add option to set custom permissions on ccache 2016-11-02T13:09:41+00:00 Simo Sorce simo@redhat.com 2016-11-02T10:34:11+00:00 4ed98d156122f748c6f0d4fed183944d52e245e7 This allows apache to set permission so that another user in the default group can access the ccache. Useful when apache passes the request to a process running under a different user or group id number. Signed-off-by: Simo Sorce <simo@redhat.com> 
This allows apache to set permission so that another user in the default
group can access the ccache. Useful when apache passes the request to a
process running under a different user or group id number.

Signed-off-by: Simo Sorce <simo@redhat.com>
Write 'Persistent-Auth' header to err_headers_out 2016-10-11T13:01:23+00:00 Michael Osipov 1983-01-06@gmx.net 2016-10-11T11:53:14+00:00 912738edbf248c9d9c2960cd4ff1daaa855e6c7e In some cases, like internal redirects, authentication is completed but our 'Persistent-Auth' header is dropped by the server because headers_out is ignored with errors (4xx, 5xx) and internal redirects. See: https://ci.apache.org/projects/httpd/trunk/doxygen/structrequest__rec.html#a9f49c2d5680987c0c28466ea37d41a62 This fixes #110 Reviewed-by: Simo Sorce <simo@redhat.com> Reviewed-by: Isaac Boukris <iboukris@gmail.com> Closes #111 
In some cases, like internal redirects, authentication is completed but our
'Persistent-Auth' header is dropped by the server because headers_out is ignored
with errors (4xx, 5xx) and internal redirects.

See: https://ci.apache.org/projects/httpd/trunk/doxygen/structrequest__rec.html#a9f49c2d5680987c0c28466ea37d41a62

This fixes #110

Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Isaac Boukris <iboukris@gmail.com>
Closes #111
Declare mag_complete outside the ifdef block 2016-10-11T12:59:32+00:00 Simo Sorce simo@redhat.com 2016-10-07T14:01:26+00:00 1e3ebb21677943d7e79f77d31d21cfcdf51314f0 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Isaac Boukris <iboukris@gmail.com> Reviewed-by: Robbie Harwood <rharwood@redhat.com> Fixes #106 Closes #107 
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Isaac Boukris <iboukris@gmail.com>
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
Fixes #106
Closes #107
Fix behavior of NULL ccname for cookie creation 2016-08-15T18:32:45+00:00 Robbie Harwood rharwood@redhat.com 2016-07-22T18:23:31+00:00 3ef79e28b4996750a07874f80282acc0351ef675 This resolves an issue where the session cookie would not be populated when sesions were used but unique ccaches were not. Based on a report from Bhagavan Das. Signed-off-by: Robbie Harwood <rharwood@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> Closes #98 
This resolves an issue where the session cookie would not be populated
when sesions were used but unique ccaches were not.

Based on a report from Bhagavan Das.

Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Closes #98
Add compatibility with OpenSSL 1.1.0 2016-07-06T20:16:22+00:00 Simo Sorce simo@redhat.com 2016-07-01T14:30:42+00:00 86aaf37e4ca95145512c56e3643bcbcb0e534b57 In their continued wisdom OpenSSL developers keep breaking APIs left and right with very poor documentation and forward/backward source compatibility. Signed-off-by: Simo Sorce <simo@redhat.com> Closes #96 Closes #97 
In their continued wisdom OpenSSL developers keep breaking APIs left and
right with very poor documentation and forward/backward source compatibility.

Signed-off-by: Simo Sorce <simo@redhat.com>
Closes #96
Closes #97
Insure the asn1 definitions are in the tarball 2016-06-15T15:04:08+00:00 Simo Sorce simo@redhat.com 2016-06-15T04:32:51+00:00 3e0f4e980b4bea2f4f347fc39ea3deddf95fe71e Signed-off-by: Simo Sorce <simo@redhat.com> Close #95 
Signed-off-by: Simo Sorce <simo@redhat.com>
Close #95
Move context loops to a helper function 2016-06-15T15:03:44+00:00 Simo Sorce simo@redhat.com 2016-06-09T14:08:16+00:00 71995938f931ac8e5723777412ae85817c9b4ff8 This work simplifies the calling code and reduces duplication. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Reviewed-by: Isaac Boukris <iboukris@gmail.com> Close #94 
This work simplifies the calling code and reduces duplication.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Reviewed-by: Isaac Boukris <iboukris@gmail.com>
Close #94
Postpone adding spnego mech to mech list 2016-06-09T20:15:05+00:00 Simo Sorce simo@redhat.com 2016-06-08T12:54:14+00:00 56c4cb5dd4c09a4996674e9006bf1aeb69183499 Add the SPNEGO mech oid only if we are performing negotiate auth. This cacthes earlier, with a hard failure, the case where a mechanism defined on the command line is not available, by checking if there are any desired mechs. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Isaac Boukris <iboukris@gmail.com> Close #93 
Add the SPNEGO mech oid only if we are performing negotiate auth.
This cacthes earlier, with a hard failure, the case where a mechanism defined
on the command line is not available, by checking if there are any desired
mechs.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Isaac Boukris <iboukris@gmail.com>
Close #93
Add support for GssapiImpersonate. 2016-06-09T14:11:43+00:00 Jan Pazdziora jpazdziora@redhat.com 2016-05-28T06:31:32+00:00 d1710aff7c72263f691f09f20f91922a3ce57cfc This is can be enabled on locations that are authenticated by another module to obtain a ticket for the user, so that the application gets access to krb5 credentials and all named attributes for the client. The service needs to be authorized by the KDC if there is the need to use credentials for further ticket acquisition by setting the ok_to_auth_as_delegate flag on the service principal. This will provide a forwardable ticket that can be used to obtain additional tickets via consrained delegation (also subkect to KDC access control). Signed-off-by: Jan Pazdziora <jpazdziora@redhat.com> Signed-off-by: Simo Sorce <simo@redhat.com> Close #92 
This is can be enabled on locations that are authenticated by another module
to obtain a ticket for the user, so that the application gets access to
krb5 credentials and all named attributes for the client.

The service needs to be authorized by the KDC if there is the need to use
credentials for further ticket acquisition by setting the
ok_to_auth_as_delegate flag on the service principal. This will provide a
forwardable ticket that can be used to obtain additional tickets via consrained
delegation (also subkect to KDC access control).

Signed-off-by: Jan Pazdziora <jpazdziora@redhat.com>
Signed-off-by: Simo Sorce <simo@redhat.com>
Close #92
Split the book keeping operations into a function 2016-06-09T14:11:18+00:00 Simo Sorce simo@redhat.com 2016-06-07T09:20:23+00:00 17c292a0b4f7ce7c08780c17c1300721c3256031 This will be used in a following patch that perform gssapi operations using a different path but need to perform the same bookj keeping as the main auth path. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Jan Pazdziora <jpazdziora@redhat.com> 
This will be used in a following patch that perform gssapi operations
using a different path but need to perform the same bookj keeping as the
main auth path.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Jan Pazdziora <jpazdziora@redhat.com>