Cleanup s4u2proxy in mag_auth_basic It doesn't have any effect since we set GSS_C_DELEG_FLAG when we initiate client credentials so we always get delegated TGT regardless of constrained delegation. This commit is not intended to change the current behaviour. See #70 Reviewed-by: Simo Sorce <simo@redhat.com> Closes #70 Closes #72
Add option to not send a Negotiate headers If negotiation was attempted but failed do not send a new Negotiate header. Useful when only one single sign on mechanism is allowed and to avoid misleading login prompts in some browsers. Added a test of the GssapiDontReauth option to the test suite. Also added SPNEGO no auth test. [SS: reworded and fixed commit subject/comment] [SS: fixed whitespace errors and 80 column wrappings] Reviewed-by: Simo Sorce <simo@redhat.com> Close #65
Fix potential loop when requesting attribute data. If this function fail we are better off abandoning the whole quest, continueing here may end us up in an infinite loop where the fucntion keeps failing w/o changing attr.more Thanks to Alejandro Perez for finding this flaw. Signed-off-by: Simo Sorce <simo@redhat.com>
Add code to set attribute names in the environment This code allows to specify which attributes in a name are interesting to the application and set them as named environemnt variables. Optionally the whole set of attributes can be exported in a json formatted structure. Signed-off-by: Simo Sorce <simo@redhat.com> Close #62 Close #63
Allow building without NTLMSSP support If gssapi/gssapi_ntlmssp.h is not available simply disable NTLMSSP. Coauthored Signed-off-by: Dennis Schridde <dennis.schridde@uni-heidelberg.de> Signed-off-by: Simo Sorce <simo@redhat.com> Closes #52 Closes #53 Closes #54
Add test for Proxy SPNEGO auth Add appropairate authorization headers to test with SPNEGO too as discussed in #48 Requires recent version of python-gssapi module, see: https://github.com/pythongssapi/python-gssapi/pull/74 Simo: Squashed original patches in one, removed trailing whitespaces and reworded the commit message. Reviewed-by: Simo Sorce <simo@redhat.com> Closes #49
Do not use /tmp as default for s4u2proxy The /tmp directory can lead to bugs and DoS of the apache process because any user on the system can block the creation of predictable file names. Simply error out if GssapiDelegCcacheDir is not explicitly set. Signed-off-by: Simo Sorce <simo@redhat.com>