--with-rlm-krb5-lib-dir=DIR Directory for krb5 library files []"
ac_help="$ac_help
--with-rlm-krb5-include-dir=DIR Directory for krb5 include files []"
+ac_help="$ac_help
+ --enable-heimdal-krb5 Enable if you have heimdal krb5"
# Initialize some variables set by options.
# The variables have the same names as the options, with
fi
-# From configure.in Revision: 1.5
+# From configure.in Revision: 1.6
if test x$with_rlm_krb5 != xno; then
# Extract the first word of "gcc", so it can be a program name with args.
set dummy gcc; ac_word=$2
echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:537: checking for $ac_word" >&5
+echo "configure:539: checking for $ac_word" >&5
if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
# Extract the first word of "cc", so it can be a program name with args.
set dummy cc; ac_word=$2
echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:567: checking for $ac_word" >&5
+echo "configure:569: checking for $ac_word" >&5
if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
# Extract the first word of "cl", so it can be a program name with args.
set dummy cl; ac_word=$2
echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:618: checking for $ac_word" >&5
+echo "configure:620: checking for $ac_word" >&5
if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
fi
echo $ac_n "checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works""... $ac_c" 1>&6
-echo "configure:650: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works" >&5
+echo "configure:652: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works" >&5
ac_ext=c
# CFLAGS is not in ac_cpp because -g, -O, etc. are not valid cpp options.
cat > conftest.$ac_ext << EOF
-#line 661 "configure"
+#line 663 "configure"
#include "confdefs.h"
main(){return(0);}
EOF
-if { (eval echo configure:666: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:668: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
ac_cv_prog_cc_works=yes
# If we can't run a trivial program, we are probably using a cross compiler.
if (./conftest; exit) 2>/dev/null; then
{ echo "configure: error: installation or configuration problem: C compiler cannot create executables." 1>&2; exit 1; }
fi
echo $ac_n "checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler""... $ac_c" 1>&6
-echo "configure:692: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler" >&5
+echo "configure:694: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler" >&5
echo "$ac_t""$ac_cv_prog_cc_cross" 1>&6
cross_compiling=$ac_cv_prog_cc_cross
echo $ac_n "checking whether we are using GNU C""... $ac_c" 1>&6
-echo "configure:697: checking whether we are using GNU C" >&5
+echo "configure:699: checking whether we are using GNU C" >&5
if eval "test \"`echo '$''{'ac_cv_prog_gcc'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
yes;
#endif
EOF
-if { ac_try='${CC-cc} -E conftest.c'; { (eval echo configure:706: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } | egrep yes >/dev/null 2>&1; then
+if { ac_try='${CC-cc} -E conftest.c'; { (eval echo configure:708: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } | egrep yes >/dev/null 2>&1; then
ac_cv_prog_gcc=yes
else
ac_cv_prog_gcc=no
ac_save_CFLAGS="$CFLAGS"
CFLAGS=
echo $ac_n "checking whether ${CC-cc} accepts -g""... $ac_c" 1>&6
-echo "configure:725: checking whether ${CC-cc} accepts -g" >&5
+echo "configure:727: checking whether ${CC-cc} accepts -g" >&5
if eval "test \"`echo '$''{'ac_cv_prog_cc_g'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
fi
echo $ac_n "checking how to run the C preprocessor""... $ac_c" 1>&6
-echo "configure:757: checking how to run the C preprocessor" >&5
+echo "configure:759: checking how to run the C preprocessor" >&5
# On Suns, sometimes $CPP names a directory.
if test -n "$CPP" && test -d "$CPP"; then
CPP=
# On the NeXT, cc -E runs the code through the compiler's parser,
# not just through cpp.
cat > conftest.$ac_ext <<EOF
-#line 772 "configure"
+#line 774 "configure"
#include "confdefs.h"
#include <assert.h>
Syntax Error
EOF
ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:778: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+{ (eval echo configure:780: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
if test -z "$ac_err"; then
:
rm -rf conftest*
CPP="${CC-cc} -E -traditional-cpp"
cat > conftest.$ac_ext <<EOF
-#line 789 "configure"
+#line 791 "configure"
#include "confdefs.h"
#include <assert.h>
Syntax Error
EOF
ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:795: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+{ (eval echo configure:797: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
if test -z "$ac_err"; then
:
rm -rf conftest*
CPP="${CC-cc} -nologo -E"
cat > conftest.$ac_ext <<EOF
-#line 806 "configure"
+#line 808 "configure"
#include "confdefs.h"
#include <assert.h>
Syntax Error
EOF
ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:812: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+{ (eval echo configure:814: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
if test -z "$ac_err"; then
:
fi
+ # Check whether --enable-heimdal-krb5 or --disable-heimdal-krb5 was given.
+if test "${enable_heimdal_krb5+set}" = set; then
+ enableval="$enable_heimdal_krb5"
+ case "$enableval" in
+ yes)
+ krb5_h_cflags="-DHEIMDAL_KRB5"
+ ;;
+ esac
+
+fi
+
+
smart_try_dir=$rlm_krb5_include_dir
ac_safe=`echo "krb5.h" | sed 'y%./+-%__pm%'`
echo $ac_n "checking for krb5.h""... $ac_c" 1>&6
-echo "configure:878: checking for krb5.h" >&5
+echo "configure:892: checking for krb5.h" >&5
smart_include=
smart_include_dir=
old_CFLAGS="$CFLAGS"
cat > conftest.$ac_ext <<EOF
-#line 885 "configure"
+#line 899 "configure"
#include "confdefs.h"
#include <krb5.h>
int a = 1;
; return 0; }
EOF
-if { (eval echo configure:893: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:907: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
rm -rf conftest*
smart_include=" "
else
CFLAGS="$old_CFLAGS -I$try"
cat > conftest.$ac_ext <<EOF
-#line 937 "configure"
+#line 951 "configure"
#include "confdefs.h"
#include <krb5.h>
int a = 1;
; return 0; }
EOF
-if { (eval echo configure:945: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:959: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
rm -rf conftest*
smart_include="-I$try"
else
sm_lib_safe=`echo "k5crypto" | sed 'y%./+-%__p_%'`
sm_func_safe=`echo "krb5_encrypt_data" | sed 'y%./+-%__p_%'`
echo $ac_n "checking for krb5_encrypt_data in -lk5crypto""... $ac_c" 1>&6
-echo "configure:980: checking for krb5_encrypt_data in -lk5crypto" >&5
+echo "configure:994: checking for krb5_encrypt_data in -lk5crypto" >&5
smart_lib=
smart_lib_dir=
old_LIBS="$LIBS"
LIBS="$LIBS -lk5crypto"
cat > conftest.$ac_ext <<EOF
-#line 988 "configure"
+#line 1002 "configure"
#include "confdefs.h"
extern char krb5_encrypt_data();
int main() {
krb5_encrypt_data()
; return 0; }
EOF
-if { (eval echo configure:995: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:1009: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
smart_lib="-lk5crypto"
else
LIBS="$old_LIBS -L$try -lk5crypto"
cat > conftest.$ac_ext <<EOF
-#line 1064 "configure"
+#line 1078 "configure"
#include "confdefs.h"
extern char krb5_encrypt_data();
int main() {
krb5_encrypt_data()
; return 0; }
EOF
-if { (eval echo configure:1071: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:1085: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
smart_lib="-L$try -lk5crypto"
else
sm_lib_safe=`echo "crypto" | sed 'y%./+-%__p_%'`
sm_func_safe=`echo "DH_new" | sed 'y%./+-%__p_%'`
echo $ac_n "checking for DH_new in -lcrypto""... $ac_c" 1>&6
-echo "configure:1104: checking for DH_new in -lcrypto" >&5
+echo "configure:1118: checking for DH_new in -lcrypto" >&5
smart_lib=
smart_lib_dir=
old_LIBS="$LIBS"
LIBS="$LIBS -lcrypto"
cat > conftest.$ac_ext <<EOF
-#line 1112 "configure"
+#line 1126 "configure"
#include "confdefs.h"
extern char DH_new();
int main() {
DH_new()
; return 0; }
EOF
-if { (eval echo configure:1119: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:1133: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
smart_lib="-lcrypto"
else
LIBS="$old_LIBS -L$try -lcrypto"
cat > conftest.$ac_ext <<EOF
-#line 1188 "configure"
+#line 1202 "configure"
#include "confdefs.h"
extern char DH_new();
int main() {
DH_new()
; return 0; }
EOF
-if { (eval echo configure:1195: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:1209: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
smart_lib="-L$try -lcrypto"
else
sm_lib_safe=`echo "com_err" | sed 'y%./+-%__p_%'`
sm_func_safe=`echo "set_com_err_hook" | sed 'y%./+-%__p_%'`
echo $ac_n "checking for set_com_err_hook in -lcom_err""... $ac_c" 1>&6
-echo "configure:1232: checking for set_com_err_hook in -lcom_err" >&5
+echo "configure:1246: checking for set_com_err_hook in -lcom_err" >&5
smart_lib=
smart_lib_dir=
old_LIBS="$LIBS"
LIBS="$LIBS -lcom_err"
cat > conftest.$ac_ext <<EOF
-#line 1240 "configure"
+#line 1254 "configure"
#include "confdefs.h"
extern char set_com_err_hook();
int main() {
set_com_err_hook()
; return 0; }
EOF
-if { (eval echo configure:1247: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:1261: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
smart_lib="-lcom_err"
else
LIBS="$old_LIBS -L$try -lcom_err"
cat > conftest.$ac_ext <<EOF
-#line 1316 "configure"
+#line 1330 "configure"
#include "confdefs.h"
extern char set_com_err_hook();
int main() {
set_com_err_hook()
; return 0; }
EOF
-if { (eval echo configure:1323: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:1337: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
smart_lib="-L$try -lcom_err"
else
sm_lib_safe=`echo "krb5" | sed 'y%./+-%__p_%'`
sm_func_safe=`echo "krb5_init_context" | sed 'y%./+-%__p_%'`
echo $ac_n "checking for krb5_init_context in -lkrb5""... $ac_c" 1>&6
-echo "configure:1356: checking for krb5_init_context in -lkrb5" >&5
+echo "configure:1370: checking for krb5_init_context in -lkrb5" >&5
smart_lib=
smart_lib_dir=
old_LIBS="$LIBS"
LIBS="$LIBS -lkrb5"
cat > conftest.$ac_ext <<EOF
-#line 1364 "configure"
+#line 1378 "configure"
#include "confdefs.h"
extern char krb5_init_context();
int main() {
krb5_init_context()
; return 0; }
EOF
-if { (eval echo configure:1371: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:1385: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
smart_lib="-lkrb5"
else
LIBS="$old_LIBS -L$try -lkrb5"
cat > conftest.$ac_ext <<EOF
-#line 1440 "configure"
+#line 1454 "configure"
#include "confdefs.h"
extern char krb5_init_context();
int main() {
krb5_init_context()
; return 0; }
EOF
-if { (eval echo configure:1447: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:1461: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
smart_lib="-L$try -lkrb5"
else
fi
krb5_ldflags=$SMART_LIBS
-krb5_cflags=$SMART_CFLAGS
+krb5_cflags="${krb5_h_cflags} $SMART_CFLAGS"
#include <krb5.h>
#include <com_err.h>
+#ifndef HEIMDAL_KRB5
static int verify_krb5_tgt(krb5_context context, const char *user,
krb5_ccache ccache)
{
krb5_free_data_contents(context, &packet);
return r;
}
+#endif
/* instantiate */
static int krb5_instantiate(CONF_SECTION *conf, void **instance)
}
/* validate userid/passwd */
+/* MIT case */
+#ifndef HEIMDAL_KRB5
static int krb5_auth(void *instance, REQUEST *request)
{
int r;
+
krb5_data tgtname = {
0,
KRB5_TGS_NAME_SIZE,
krb5_creds kcreds;
krb5_ccache ccache;
char cache_name[L_tmpnam + 8];
+
krb5_context context = *(krb5_context *) instance; /* copy data */
const char *user, *pass;
return RLM_MODULE_REJECT;
}
+ /*
+ * MIT krb5 verification
+ */
if ( (r = krb5_build_principal_ext(context, &kcreds.server,
krb5_princ_realm(context, kcreds.client)->length,
krb5_princ_realm(context, kcreds.client)->data,
return RLM_MODULE_REJECT;
}
+#else /* HEIMDAL_KRB5 */
+
+/* validate user/pass, heimdal krb5 way */
+static int krb5_auth(void *instance, REQUEST *request)
+{
+ int r;
+ krb5_error_code ret;
+ krb5_ccache id;
+ krb5_principal userP;
+
+ krb5_context context = *(krb5_context *) instance; /* copy data */
+ const char *user, *pass;
+
+ /*
+ * We can only authenticate user requests which HAVE
+ * a User-Name attribute.
+ */
+ if (!request->username) {
+ radlog(L_AUTH, "rlm_krb5: Attribute \"User-Name\" is required for authentication.");
+ return RLM_MODULE_INVALID;
+ }
+
+ /*
+ * We can only authenticate user requests which HAVE
+ * a User-Password attribute.
+ */
+ if (!request->password) {
+ radlog(L_AUTH, "rlm_krb5: Attribute \"User-Password\" is required for authentication.");
+ return RLM_MODULE_INVALID;
+ }
+
+ /*
+ * Ensure that we're being passed a plain-text password,
+ * and not anything else.
+ */
+ if (request->password->attribute != PW_PASSWORD) {
+ radlog(L_AUTH, "rlm_krb5: Attribute \"User-Password\" is required for authentication. Cannot use \"%s\".", request->password->name);
+ return RLM_MODULE_INVALID;
+ }
+
+ /*
+ * shortcuts
+ */
+ user = request->username->strvalue;
+ pass = request->password->strvalue;
+
+ if ( (r = krb5_parse_name(context, user, &userP)) ) {
+ radlog(L_AUTH, "rlm_krb5: [%s] krb5_parse_name failed: %s",
+ user, error_message(r));
+ return RLM_MODULE_REJECT;
+ }
+
+ /*
+ * Heimdal krb5 verification
+ */
+ radlog(L_AUTH, "rlm_krb5: Parsed name is: %s@%s\n",
+ *userP->name.name_string.val,
+ userP->realm);
+
+ krb5_cc_default(context, &id);
+
+ ret = krb5_verify_user(context,
+ userP,
+ id,
+ pass, 1, "radius");
+
+ if (ret == 0)
+ return RLM_MODULE_OK;
+
+ radlog(L_AUTH, "rlm_krb5: failed verify_user: %s (%s@%s )",
+ error_message(ret),
+ *userP->name.name_string.val,
+ userP->realm);
+
+ return RLM_MODULE_REJECT;
+}
+
+#endif /* HEIMDAL_KRB5 */
+
module_t rlm_krb5 = {
"Kerberos",
RLM_TYPE_THREAD_UNSAFE, /* type: not thread safe */
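Review bot: In the new Heimdal `krb5_auth`, the result of `krb5_cc_default(context, &id)` is ignored, so on failure an uninitialized `id` is handed to `krb5_verify_user`. Neither `userP` nor `id` is released on any return path, so a long-running server leaks them on every authentication request. As far as I know `krb5_verify_user` stores the tickets it obtains in the cache it is given, so using the process default cache would leave each authenticating user's credentials in a shared cache; a per-request cache that is destroyed afterwards would be safer, and the MIT branch appears to use its own `cache_name`. Both log calls dereference `*userP->name.name_string.val`, which reaches into the principal's internals and assumes a network-supplied User-Name always yields at least one name component; logging `user` avoids that. The sketch below covers the return-value check and the cleanup only.

```c
	/* … unchanged: User-Name / User-Password checks, krb5_parse_name … */

	if ( (r = krb5_cc_default(context, &id)) ) {
		radlog(L_AUTH, "rlm_krb5: [%s] krb5_cc_default failed: %s",
		       user, error_message(r));
		krb5_free_principal(context, userP);
		return RLM_MODULE_REJECT;
	}

	ret = krb5_verify_user(context, userP, id, pass, 1, "radius");

	/* release per-request state on both outcomes */
	krb5_cc_close(context, id);
	krb5_free_principal(context, userP);

	if (ret == 0)
		return RLM_MODULE_OK;

	radlog(L_AUTH, "rlm_krb5: [%s] failed verify_user: %s",
	       user, error_message(ret));
	return RLM_MODULE_REJECT;
```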
NULL, /* authorize */
NULL, /* pre-accounting */
NULL, /* accounting */
- NULL, /* checksimul */
- NULL, /* pre-proxy */
- NULL, /* post-proxy */
- NULL /* post-auth */
+ NULL /* checksimul */
},
krb5_detach, /* detach */
NULL, /* destroy */