diff options
author | Simo Sorce <simo@redhat.com> | 2014-03-08 14:23:28 -0500 |
---|---|---|
committer | Simo Sorce <simo@redhat.com> | 2014-03-08 14:57:42 -0500 |
commit | 60509195fb41173ba8e6cfac8bf800935ebb86ad (patch) | |
tree | 477b181d1f794178bd46586e89a1382059ae17bb | |
parent | 84983406874813aeeba1d5e45a020c516ccd1b7c (diff) | |
download | mod_auth_gssapi-60509195fb41173ba8e6cfac8bf800935ebb86ad.tar.gz mod_auth_gssapi-60509195fb41173ba8e6cfac8bf800935ebb86ad.tar.xz mod_auth_gssapi-60509195fb41173ba8e6cfac8bf800935ebb86ad.zip |
Add option to map GSS Name to local Name
Always preserves the received name in GSS_NAME.
In the kereberos case this will result in the environment variable
called GSS_NAME the user's principal, while REMOTE_USER will contain
the user name as mapped by the kerberos library.
-rw-r--r-- | src/mod_auth_gssapi.c | 33 |
1 files changed, 31 insertions, 2 deletions
diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c index 4e7e3dc..e6fb209 100644 --- a/src/mod_auth_gssapi.c +++ b/src/mod_auth_gssapi.c @@ -38,6 +38,7 @@ module AP_MODULE_DECLARE_DATA mag_module; struct mag_config { bool ssl_only; + bool map_to_local; gss_key_value_set_desc cred_store; }; @@ -100,6 +101,9 @@ static int mag_auth(request_rec *req) uint32_t maj, min; char *reply; size_t replen; + char *clientname; + gss_OID mech_type = GSS_C_NO_OID; + gss_buffer_desc lname = GSS_C_EMPTY_BUFFER; type = ap_auth_type(req); if ((type == NULL) || (strcasecmp(type, "GSSAPI") != 0)) { @@ -132,7 +136,7 @@ static int mag_auth(request_rec *req) * should work with Krb, will fail with NTLMSSP */ maj = gss_accept_sec_context(&min, &ctx, GSS_C_NO_CREDENTIAL, &input, GSS_C_NO_CHANNEL_BINDINGS, - &client, NULL, &output, &flags, NULL, + &client, &mech_type, &output, &flags, NULL, &delegated_cred); if (GSS_ERROR(maj)) { ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, @@ -170,7 +174,22 @@ static int mag_auth(request_rec *req) #endif req->ap_auth_type = apr_pstrdup(req->pool, "Negotiate"); - req->user = apr_pstrndup(req->pool, name.value, name.length); + + /* Always set the GSS name in an env var */ + clientname = apr_pstrndup(req->pool, name.value, name.length); + apr_table_set(req->subprocess_env, "GSS_NAME", clientname); + + if (cfg->map_to_local) { + maj = gss_localname(&min, client, mech_type, &lname); + if (maj != GSS_S_COMPLETE) { + ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, + mag_error(req, "gss_localname() failed", maj, min)); + goto done; + } + req->user = apr_pstrndup(req->pool, lname.value, lname.length); + } else { + req->user = clientname; + } ret = OK; done: @@ -182,6 +201,7 @@ done: gss_release_name(&min, &client); gss_release_buffer(&min, &name); gss_delete_sec_context(&min, &ctx, GSS_C_NO_BUFFER); + gss_release_buffer(&min, &lname); return ret; } @@ -203,6 +223,13 @@ static const char *mag_ssl_only(cmd_parms *parms, void *mconfig, int on) return NULL; } +static const char *mag_map_to_local(cmd_parms *parms, void *mconfig, int on) +{ + struct mag_config *cfg = (struct mag_config *)mconfig; + cfg->map_to_local = on ? true : false; + return NULL; +} + static const char *mag_cred_store(cmd_parms *parms, void *mconfig, const char *w) { @@ -252,6 +279,8 @@ static const char *mag_cred_store(cmd_parms *parms, void *mconfig, static const command_rec mag_commands[] = { AP_INIT_FLAG("GSSSSLOnly", mag_ssl_only, NULL, OR_AUTHCFG, "Work only if connection is SSL Secured"), + AP_INIT_FLAG("GSSLocalName", mag_map_to_local, NULL, OR_AUTHCFG, + "Work only if connection is SSL Secured"), AP_INIT_ITERATE("GSSCredStore", mag_cred_store, NULL, OR_AUTHCFG, "Credential Store"), { NULL } |