#include "mod_auth_gssapi.h"
+#define MOD_AUTH_GSSAPI_VERSION PACKAGE_NAME "/" PACKAGE_VERSION
module AP_MODULE_DECLARE_DATA auth_gssapi_module;
+APLOG_USE_MODULE(auth_gssapi);
+
APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *));
static char *mag_status(request_rec *req, int type, uint32_t err)
/* FIXME: create mutex to deal with connections and contexts ? */
mag_is_https = APR_RETRIEVE_OPTIONAL_FN(ssl_is_https);
mag_post_config_session();
+ ap_add_version_component(cfgpool, MOD_AUTH_GSSAPI_VERSION);
return OK;
}
maj = gss_store_cred_into(&min, delegated_cred, GSS_C_INITIATE,
GSS_C_NULL_OID, 1, 1, &store, NULL, NULL);
if (GSS_ERROR(maj)) {
- ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req,
+ ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, "%s",
mag_error(req, "failed to store delegated creds",
maj, min));
}
gss_name_t client = GSS_C_NO_NAME;
gss_cred_id_t acquired_cred = GSS_C_NO_CREDENTIAL;
gss_cred_id_t delegated_cred = GSS_C_NO_CREDENTIAL;
+ gss_cred_usage_t cred_usage = GSS_C_ACCEPT;
uint32_t flags;
uint32_t vtime;
uint32_t maj, min;
}
/* if available, session always supersedes connection bound data */
- mag_check_session(req, cfg, &mc);
+ if (cfg->use_sessions) {
+ mag_check_session(req, cfg, &mc);
+ }
if (mc) {
/* register the context in the memory pool, so it can be freed
#ifdef HAVE_GSS_ACQUIRE_CRED_FROM
if (cfg->use_s4u2proxy) {
+ cred_usage = GSS_C_BOTH;
+ }
+ if (cfg->cred_store) {
maj = gss_acquire_cred_from(&min, GSS_C_NO_NAME, 0,
- GSS_C_NO_OID_SET, GSS_C_BOTH,
+ GSS_C_NO_OID_SET, cred_usage,
cfg->cred_store, &acquired_cred,
NULL, NULL);
if (GSS_ERROR(maj)) {
- ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req,
+ ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, "%s",
mag_error(req, "gss_acquire_cred_from() failed",
maj, min));
goto done;
&client, &mech_type, &output, &flags, &vtime,
&delegated_cred);
if (GSS_ERROR(maj)) {
- ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req,
+ ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, "%s",
mag_error(req, "gss_accept_sec_context() failed",
maj, min));
goto done;
/* Always set the GSS name in an env var */
maj = gss_display_name(&min, client, &name, NULL);
if (GSS_ERROR(maj)) {
- ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req,
+ ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, "%s",
mag_error(req, "gss_accept_sec_context() failed",
maj, min));
goto done;
if (cfg->map_to_local) {
maj = gss_localname(&min, client, mech_type, &lname);
if (maj != GSS_S_COMPLETE) {
- ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req,
+ ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, "%s",
mag_error(req, "gss_localname() failed", maj, min));
goto done;
}
vtime = MIN_SESS_EXP_TIME;
}
mc->expiration = time(NULL) + vtime;
- mag_attempt_session(req, cfg, mc);
+ if (cfg->use_sessions) {
+ mag_attempt_session(req, cfg, mc);
+ }
}
ret = OK;
AP_INIT_FLAG("GssapiSSLonly", mag_ssl_only, NULL, OR_AUTHCFG,
"Work only if connection is SSL Secured"),
AP_INIT_FLAG("GssapiLocalName", mag_map_to_local, NULL, OR_AUTHCFG,
- "Work only if connection is SSL Secured"),
+ "Translate principals to local names"),
AP_INIT_FLAG("GssapiConnectionBound", mag_conn_ctx, NULL, OR_AUTHCFG,
"Authentication is bound to the TCP connection"),
AP_INIT_FLAG("GssapiUseSessions", mag_use_sess, NULL, OR_AUTHCFG,