1 int kerb_authenticate_user(request_rec *r) {
2 const char *name; /* AuthName specified */
3 const char *type; /* AuthType specified */
4 int KerberosV5 = 0; /* Kerberos V5 check enabled */
5 int KerberosV4 = 0; /* Kerberos V4 check enabled */
6 int KerberosV4first = 0; /* Kerberos V4 check first */
7 const char *sent_pw; /* Password sent by browser */
8 const char *t; /* Return value holder */
9 int res; /* Response holder */
10 int retcode; /* Return code holder */
12 kerb_auth_config *conf =
13 (kerb_auth_config *)ap_get_module_config(r->per_dir_config,
16 const char *auth_line = apr_table_get(r->headers_in,
17 (PROXYREQ_PROXY == r->proxyreq)
18 ? "Proxy-Authorization"
21 type = ap_auth_type(r);
25 if ((strncasecmp(type, "KerberosV5", 10) == 0) ||
26 (strncasecmp(conf->krb_auth_type, "KerberosV5", 10) == 0)) {
32 if ((strncasecmp(type, "KerberosV4", 10) == 0) ||
33 (strncasecmp(conf->krb_auth_type, "KerberosV4", 10) == 0)) {
38 #if defined(KRB5) && defined(KRB4)
39 if ((strncasecmp(type, "KerberosDualV5V4", 15) == 0) ||
40 (strncasecmp(conf->krb_auth_type, "KerberosDualV5V4", 15) == 0)) {
45 if ((strncasecmp(type, "KerberosDualV4V5", 15) == 0) ||
46 (strncasecmp(conf->krb_auth_type, "KerberosDualV4V5", 15) == 0)) {
51 #endif /* KRB5 && KRB4 */
54 if (!KerberosV4 && !KerberosV5) {
55 if (conf->krb_authoritative) {
56 return HTTP_UNAUTHORIZED;
63 name = ap_auth_name(r);
65 ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR,
66 0, r, "need AuthName: %s", r->uri);
67 return HTTP_INTERNAL_SERVER_ERROR;
71 apr_table_set(r->err_headers_out, "WWW-Authenticate",
72 (char *)apr_pstrcat(r->pool, "Basic realm=\"", name, "\"", NULL));
73 return HTTP_UNAUTHORIZED;
76 type = ap_getword_white(r->pool, &auth_line);
77 t = ap_pbase64decode(r->pool, auth_line);
78 r->user = ap_getword_nulls(r->pool, &t, ':');
79 r->ap_auth_type = "Kerberos";
80 sent_pw = ap_getword_white(r->pool, &t);
85 if (KerberosV5 && !KerberosV4first && retcode != OK) {
86 r->ap_auth_type = "KerberosV5";
87 if (kerb5_password_validate(r->user, sent_pw)) {
91 retcode = conf->krb_fail_status;
97 if (KerberosV4 && retcode != OK) {
98 r->ap_auth_type = "KerberosV4";
99 if (kerb4_password_validate(r->user, sent_pw)) {
103 retcode = conf->krb_fail_status;
108 #if defined(KRB5) && defined(KRB4)
109 if (KerberosV5 && KerberosV4first && retcode != OK) {
110 r->ap_auth_type = "KerberosV5";
111 if (kerb5_password_validate(r->user, sent_pw)) {
115 retcode = conf->krb_fail_status;
118 #endif /* KRB5 && KRB4 */
120 if (conf->krb_authoritative && retcode == DECLINED) {
121 return HTTP_UNAUTHORIZED;