author | Simo Sorce <simo@redhat.com> | 2015-04-14 13:52:05 -0400 |
---|---|---|
committer | Simo Sorce <simo@redhat.com> | 2015-04-14 13:52:05 -0400 |
commit | 0cea28e5b05b340bbb3b2b60e3a326a6a7d1fcb0 (patch) | |
tree | cda4a8656f0244a943441578ed158ab922a81c39 /src | |
parent | 384f937f4cd9c7c09ed9226b620fe33912fe46e5 (diff) | |
Add support for delegate creds on basic auth
When doing fallback basic auth, we may also want to honor the
configured directive about storing delegated credentials.
Detect if we are configured to store them and set the appropriate
init_sec_context flag that will cause the accept_sec_context call
to get valid delegated credentials for later storage.
Diffstat (limited to 'src')
-rw-r--r-- | src/mod_auth_gssapi.c | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c index e233110..b168dbf 100644 --- a/src/mod_auth_gssapi.c +++ b/src/mod_auth_gssapi.c @@ -239,6 +239,7 @@ static int mag_auth(request_rec *req) const char *user_ccache = NULL; const char *orig_ccache = NULL; #endif + uint32_t init_flags = 0; type = ap_auth_type(req); if ((type == NULL) || (strcasecmp(type, "GSSAPI") != 0)) { @@ -445,9 +446,15 @@ static int mag_auth(request_rec *req) "failed", maj, min)); goto done; } + + if (cfg->deleg_ccache_dir) { + /* delegate ourselves credentials so we store them as requested */ + init_flags |= GSS_C_DELEG_FLAG; + } + /* output and input are inverted here, this is intentional */ maj = gss_init_sec_context(&min, user_cred, &user_ctx, server, - GSS_C_NO_OID, 0, 300, + GSS_C_NO_OID, init_flags, 300, GSS_C_NO_CHANNEL_BINDINGS, &output, NULL, &input, NULL, NULL); if (GSS_ERROR(maj)) { @@ -473,7 +480,7 @@ static int mag_auth(request_rec *req) gss_release_buffer(&min, &input); /* output and input are inverted here, this is intentional */ maj = gss_init_sec_context(&min, user_cred, &user_ctx, server, - GSS_C_NO_OID, 0, 300, + GSS_C_NO_OID, init_flags, 300, GSS_C_NO_CHANNEL_BINDINGS, &output, NULL, &input, NULL, NULL); if (GSS_ERROR(maj)) { |
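Review bot: Both `gss_init_sec_context` calls in the second and third hunks now request `GSS_C_DELEG_FLAG` but still pass `NULL` for the `ret_flags` argument (the second-to-last parameter), so the basic-auth path cannot tell whether delegation was actually granted, for example when the password-acquired ticket is not forwardable. Consider passing a local such as `&init_ret_flags` there and logging when `GSS_C_DELEG_FLAG` is absent, so an empty credential store is diagnosable; whether the later accept/store code already checks this is outside the hunks. The comment on the new `if (cfg->deleg_ccache_dir)` block could also say that the directive now causes ticket caches to be written for password-authenticated users as well, which makes restrictive ownership and permissions on that directory more important. `mag_auth` starts and ends outside these hunks.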