2 * rlm_krb5.c module to authenticate against krb5
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
20 * Copyright 2000 The FreeRADIUS server project
21 * Copyright 2000 Nathan Neulinger <nneul@umr.edu>
22 * Copyright 2000 Alan DeKok <aland@ox.org>
26 static const char rcsid[] = "$Id$";
29 #include "libradius.h"
/*
 * Module instantiation: allocate one krb5_context for this module
 * instance and initialise it with krb5_init_context().
 *
 * The context pointer is handed back through *instance (the assignment
 * itself is on a line not present in this listing) and is later read
 * by krb5_auth() as *(krb5_context *)instance.
 *
 * NOTE(review): rad_malloc is a project helper; whether it aborts or
 * returns NULL on allocation failure is not visible here, and no NULL
 * check appears in the lines shown - confirm against its definition.
 */
43 static int krb5_instantiate(CONF_SECTION *conf, void **instance)
46 krb5_context *context;
48 context = rad_malloc(sizeof(*context));
/* r is declared on a line not shown in this listing; a non-zero
 * krb5 error code means the context is unusable. */
50 if ((r = krb5_init_context(context)) ) {
51 radlog(L_AUTH, "rlm_krb5: krb5_init failed: %s",
55 radlog(L_AUTH, "rlm_krb5: krb5_init ok");
63 static int krb5_detach(void *instance)
69 /* validate userid/passwd */
/*
 * Authenticate a request by obtaining initial Kerberos credentials with
 * the request's User-Name and User-Password.
 *
 * Returns RLM_MODULE_INVALID when the request carries no User-Name or no
 * User-Password, or when the password attribute is not a plain-text
 * PW_PASSWORD; RLM_MODULE_REJECT when any krb5 call fails; and
 * RLM_MODULE_OK when krb5_get_in_tkt_with_password() succeeds.
 *
 * Several lines of the original function are absent from this listing,
 * so the declarations of r and kcreds, and any cleanup between the
 * final two return statements, are assumed rather than seen.
 */
70 static int krb5_auth(void *instance, REQUEST *request)
79 krb5_context context = *(krb5_context *) instance; /* copy data */
80 const char *user, *pass;
83 * We can only authenticate user requests which HAVE
84 * a User-Name attribute.
86 if (!request->username) {
87 radlog(L_AUTH, "rlm_krb5: Attribute \"User-Name\" is required for authentication.");
88 return RLM_MODULE_INVALID;
92 * We can only authenticate user requests which HAVE
93 * a User-Password attribute.
95 if (!request->password) {
96 radlog(L_AUTH, "rlm_krb5: Attribute \"User-Password\" is required for authentication.");
97 return RLM_MODULE_INVALID;
101 * Ensure that we're being passed a plain-text password,
102 * and not anything else.
104 if (request->password->attribute != PW_PASSWORD) {
/* Only the attribute *name* is logged here, never the password value. */
105 radlog(L_AUTH, "rlm_krb5: Attribute \"User-Password\" is required for authentication. Cannot use \"%s\".", request->password->name);
106 return RLM_MODULE_INVALID;
/* user/pass alias the request's attribute storage; they are not copied,
 * so they must not be used after the request is freed. */
112 user = request->username->strvalue;
113 pass = request->password->strvalue;
116 * Actually perform the authentication
/* Zero the credential block before the krb5 calls fill it in (the
 * (char *) cast is unnecessary but harmless). */
118 memset((char *)&kcreds, 0, sizeof(kcreds));
/* Client principal is parsed from the User-Name as given, so the
 * realm comes from the user string (or the library default). */
120 if ( (r = krb5_parse_name(context, user, &kcreds.client)) ) {
121 radlog(L_AUTH, "rlm_krb5: [%s] krb5_parse_name failed: %s",
122 user, error_message(r));
123 return RLM_MODULE_REJECT;
/* Server principal is built in the client's realm; the name components
 * passed on lines not shown here are presumably the TGS (krbtgt) - confirm.
 * NOTE(review): on this and the following REJECT paths nothing visible
 * frees kcreds.client/kcreds.server (krb5_free_principal), so a
 * principal allocated by krb5_parse_name looks leaked unless the
 * omitted lines release it. */
126 if ( (r = krb5_build_principal_ext(context, &kcreds.server,
127 krb5_princ_realm(context, kcreds.client)->length,
128 krb5_princ_realm(context, kcreds.client)->data,
131 krb5_princ_realm(context, kcreds.client)->length,
132 krb5_princ_realm(context, kcreds.client)->data,
134 radlog(L_AUTH, "rlm_krb5: [%s] krb5_build_principal_ext failed: %s",
135 user, error_message(r));
136 return RLM_MODULE_REJECT;
/* Obtain a TGT with the supplied password; success is taken as proof
 * of the password.
 * NOTE(review): no verification of the returned ticket against a local
 * service key (e.g. krb5_verify_init_creds with a keytab) appears in
 * this listing. Without that step the result depends solely on the
 * reply received from whatever answers as the KDC, so confirm that
 * such verification happens elsewhere or document the deployment
 * assumption (trusted network path to the KDC). */
139 if ( (r = krb5_get_in_tkt_with_password(context,
140 0, NULL, NULL, NULL, pass, 0, &kcreds, 0)) ) {
141 radlog(L_AUTH, "rlm_krb5: [%s] krb5_g_i_t_w_p failed: %s",
142 user, error_message(r));
143 return RLM_MODULE_REJECT;
145 return RLM_MODULE_OK;
/* Appears unreachable after the unconditional return above; lines
 * 146-147 of the original are not shown, so this may be dead code. */
148 return RLM_MODULE_REJECT;
151 module_t rlm_krb5 = {
153 RLM_TYPE_THREAD_UNSAFE, /* type: not thread safe */
154 NULL, /* initialize */
155 krb5_instantiate, /* instantiation */
157 krb5_auth, /* authenticate */
158 NULL, /* authorize */
159 NULL, /* pre-accounting */
160 NULL, /* accounting */
161 NULL, /* checksimul */
162 NULL, /* pre-proxy */
163 NULL, /* post-proxy */
166 krb5_detach, /* detach */