diff options
| author | Simo Sorce <simo@redhat.com> | 2015-05-25 15:53:44 +0200 |
|---|---|---|
| committer | Simo Sorce <simo@redhat.com> | 2015-05-26 13:09:25 -0400 |
| commit | 604ffd0c49a6541cec07d0e4aac1fea02408f15b (patch) | |
| tree | bb487b5ef177d1d23e6a68c5856077bc460bf87b /src | |
| parent | 435bf2e0f4fac0378fb44e013d8d68ac18fb1565 (diff) | |
| download | mod_auth_gssapi-604ffd0c49a6541cec07d0e4aac1fea02408f15b.tar.gz mod_auth_gssapi-604ffd0c49a6541cec07d0e4aac1fea02408f15b.tar.xz mod_auth_gssapi-604ffd0c49a6541cec07d0e4aac1fea02408f15b.zip | |
Find the right server name when using basic auth
When S4U2Proxy is used in combination with Basic Auth, the gss_inquire_cred()
call will return the client name instead of the server name we need.
Detect this case and aquire a separate set of credentials in that case.
Fixes #28
Diffstat (limited to 'src')
| -rw-r--r-- | src/mod_auth_gssapi.c | 32 |
1 files changed, 31 insertions, 1 deletions
diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c index edb5d0a..c1cb068 100644 --- a/src/mod_auth_gssapi.c +++ b/src/mod_auth_gssapi.c @@ -206,6 +206,7 @@ static int mag_auth(request_rec *req) gss_name_t client = GSS_C_NO_NAME; gss_cred_id_t user_cred = GSS_C_NO_CREDENTIAL; gss_cred_id_t acquired_cred = GSS_C_NO_CREDENTIAL; + gss_cred_id_t server_cred = GSS_C_NO_CREDENTIAL; gss_cred_id_t delegated_cred = GSS_C_NO_CREDENTIAL; gss_cred_usage_t cred_usage = GSS_C_ACCEPT; uint32_t flags; @@ -427,7 +428,33 @@ static int mag_auth(request_rec *req) goto done; } } - maj = gss_inquire_cred(&min, acquired_cred, &server, + if (cred_usage == GSS_C_BOTH) { + /* If GSS_C_BOTH is used then inquire_cred will return the client + * name instead of the SPN of the server credentials. Therefore we + * need to acquire a different set of credential setting + * GSS_C_ACCEPT explicitly */ + if (cfg->cred_store) { + maj = gss_acquire_cred_from(&min, GSS_C_NO_NAME, + GSS_C_INDEFINITE, GSS_C_NO_OID_SET, + GSS_C_ACCEPT, cfg->cred_store, + &server_cred, NULL, NULL); + } else { + /* Try to acquire default creds */ + maj = gss_acquire_cred(&min, GSS_C_NO_NAME, GSS_C_INDEFINITE, + GSS_C_NO_OID_SET, GSS_C_ACCEPT, + &server_cred, NULL, NULL); + } + if (GSS_ERROR(maj)) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "%s", + mag_error(req, "gss_acquire_cred[_from]() " + "failed to get server creds", + maj, min)); + goto done; + } + } else { + server_cred = acquired_cred; + } + maj = gss_inquire_cred(&min, server_cred, &server, NULL, NULL, NULL); if (GSS_ERROR(maj)) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, @@ -435,6 +462,9 @@ static int mag_auth(request_rec *req) "failed", maj, min)); goto done; } + if (server_cred != acquired_cred) { + gss_release_cred(&min, &server_cred); + } if (cfg->deleg_ccache_dir) { /* delegate ourselves credentials so we store them as requested */ |