X-Git-Url: http://www.project-moonshot.org/gitweb/?p=mod_auth_gssapi.git;a=blobdiff_plain;f=src%2Fmod_auth_gssapi.c;h=c1cb068820bb01f15d16b04b6aa5b867047edb92;hp=db87c106f42c46171416b629bc8c52aac13b9c9a;hb=604ffd0c49a6541cec07d0e4aac1fea02408f15b;hpb=3effbe272147674cf92c13b387373a60f2cbbacf diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c index db87c10..c1cb068 100644 --- a/src/mod_auth_gssapi.c +++ b/src/mod_auth_gssapi.c @@ -30,8 +30,6 @@ module AP_MODULE_DECLARE_DATA auth_gssapi_module; APLOG_USE_MODULE(auth_gssapi); -APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *)); - static char *mag_status(request_rec *req, int type, uint32_t err) { uint32_t maj_ret, min_ret; @@ -91,7 +89,6 @@ static int mag_pre_connection(conn_rec *c, void *csd) struct mag_conn *mc; mc = apr_pcalloc(c->pool, sizeof(struct mag_conn)); - if (!mc) return DECLINED; mc->parent = c->pool; ap_set_module_config(c->conn_config, &auth_gssapi_module, (void*)mc); @@ -119,6 +116,41 @@ static bool mag_conn_is_https(conn_rec *c) return false; } +static char *escape(apr_pool_t *pool, const char *name, + char find, const char *replace) +{ + char *escaped = NULL; + char *namecopy; + char *n; + char *p; + + namecopy = apr_pstrdup(pool, name); + + p = strchr(namecopy, find); + if (!p) return namecopy; + + /* first segment */ + n = namecopy; + while (p) { + /* terminate previous segment */ + *p = '\0'; + if (escaped) { + escaped = apr_pstrcat(pool, escaped, n, replace, NULL); + } else { + escaped = apr_pstrcat(pool, n, replace, NULL); + } + /* move to next segment */ + n = p + 1; + p = strchr(n, find); + } + /* append last segment if any */ + if (*n) { + escaped = apr_pstrcat(pool, escaped, n, NULL); + } + + return escaped; +} + static void mag_store_deleg_creds(request_rec *req, char *dir, char *clientname, gss_cred_id_t delegated_cred, 
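Review bot: escape() is added without a comment stating its contract, and the NULL checks its callers perform suggest a failure mode it does not have. As written it returns a pool-allocated string on every path and never NULL, while a NULL `name` would reach `strchr(namecopy, find)` because apr_pstrdup() returns NULL for a NULL input. I would add above the function: `/* Returns a pool-allocated copy of name with each 'find' byte replaced by 'replace'; name must not be NULL; never returns NULL. */`. Each match re-concatenates the accumulated string with apr_pstrcat(), so pool use grows quadratically with the number of matches, which is tolerable for short principal names but worth stating in the comment.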
@@ -128,13 +160,18 @@ static void mag_store_deleg_creds(request_rec *req, gss_key_value_set_desc store; char *value; uint32_t maj, min; + char *escaped; - value = apr_psprintf(req->pool, "FILE:%s/%s", dir, clientname); - if (!value) { - ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, NULL, - "OOM storing delegated credentials"); - return; - } + /* We need to escape away '/', we can't have path separators in + * a ccache file name */ + /* first double escape the esacping char (~) if any */ + escaped = escape(req->pool, clientname, '~', "~~"); + if (!escaped) return; + /* then escape away the separator (/) if any */ + escaped = escape(req->pool, escaped, '/', "~"); + if (!escaped) return; + + value = apr_psprintf(req->pool, "FILE:%s/%s", dir, escaped); element.key = "ccache"; element.value = value; @@ -144,7 +181,7 @@ static void mag_store_deleg_creds(request_rec *req, maj = gss_store_cred_into(&min, delegated_cred, GSS_C_INITIATE, GSS_C_NULL_OID, 1, 1, &store, NULL, NULL); if (GSS_ERROR(maj)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, "%s", + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "%s", mag_error(req, "failed to store delegated creds", maj, min)); } @@ -169,6 +206,7 @@ static int mag_auth(request_rec *req) gss_name_t client = GSS_C_NO_NAME; gss_cred_id_t user_cred = GSS_C_NO_CREDENTIAL; gss_cred_id_t acquired_cred = GSS_C_NO_CREDENTIAL; + gss_cred_id_t server_cred = GSS_C_NO_CREDENTIAL; gss_cred_id_t delegated_cred = GSS_C_NO_CREDENTIAL; gss_cred_usage_t cred_usage = GSS_C_ACCEPT; uint32_t flags; 
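Review bot: The two-pass escaping in mag_store_deleg_creds is not injective: `~` becomes `~~` and `/` becomes `~`, so the client names `a~b` and `a//b` both produce the ccache file `a~~b`, and since gss_store_cred_into() is called with overwrite set, one principal's delegated credentials could replace another's. Whether such a pair of names can actually be issued depends on the KDC or mechanism, but the file name should not rely on that. Giving the separator its own two-character sequence keeps the mapping reversible, e.g. `escaped = escape(req->pool, escaped, '/', "~s");` (constructed example). The two `if (!escaped) return;` checks are dead, because escape() as added in this commit never returns NULL, and the added comment has the typo `esacping`.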
@@ -185,24 +223,51 @@ static int mag_auth(request_rec *req) gss_name_t server = GSS_C_NO_NAME; #ifdef HAVE_GSS_KRB5_CCACHE_NAME const char *user_ccache = NULL; - char *orig_ccache = NULL; + const char *orig_ccache = NULL; #endif + uint32_t init_flags = 0; + time_t expiration; type = ap_auth_type(req); if ((type == NULL) || (strcasecmp(type, "GSSAPI") != 0)) { return DECLINED; } - /* ignore auth for subrequests */ + cfg = ap_get_module_config(req->per_dir_config, &auth_gssapi_module); + + /* implicit auth for subrequests if main auth already happened */ if (!ap_is_initial_req(req)) { - return OK; + type = ap_auth_type(req->main); + if ((type != NULL) && (strcasecmp(type, "GSSAPI") == 0)) { + /* warn if the subrequest location and the main request + * location have different configs */ + if (cfg != ap_get_module_config(req->main->per_dir_config, + &auth_gssapi_module)) { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, + req, "Subrequest authentication bypass on " + "location with different configuration!"); + } + if (req->main->user) { + req->user = apr_pstrdup(req->pool, req->main->user); + return OK; + } else { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, + "The main request is tasked to establish the " + "security context, can't proceed!"); + return HTTP_UNAUTHORIZED; + } + } else { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, req, + "Subrequest GSSAPI auth with no auth on the main " + "request. This operation may fail if other " + "subrequests already established a context or the " + "mechanism requires multiple roundtrips."); + } } - cfg = ap_get_module_config(req->per_dir_config, &auth_gssapi_module); - if (cfg->ssl_only) { if (!mag_conn_is_https(req->connection)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "Not a TLS connection, refusing to authenticate!"); goto done; } 
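Review bot: In the new subrequest branch, a configuration mismatch between the subrequest location and the main request only produces the APLOG_WARNING; `req->main->user` is then copied and OK is returned before any of the subrequest location's own settings (such as `cfg->ssl_only`) are applied. Unless inheriting identity across differing configurations is intended, the mismatch case should fail closed, for example `return HTTP_UNAUTHORIZED;` right after the warning. The inherited path also sets `req->user` but not the auth type, unlike the established-context path later in the function, so `req->ap_auth_type = req->main->ap_auth_type;` looks missing. mag_auth starts and ends outside this hunk.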
@@ -213,7 +278,7 @@ static int mag_auth(request_rec *req) req->connection->conn_config, &auth_gssapi_module); if (!mc) { - ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, req, + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, req, "Failed to retrieve connection context!"); goto done; } @@ -231,9 +296,12 @@ static int mag_auth(request_rec *req) mag_conn_destroy, mc->parent); if (mc->established) { - ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, req, + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, req, "Already established context found!"); apr_table_set(req->subprocess_env, "GSS_NAME", mc->gss_name); + apr_table_set(req->subprocess_env, "GSS_SESSION_EXPIRATION", + apr_psprintf(req->pool, + "%ld", (long)mc->expiration)); req->ap_auth_type = apr_pstrdup(req->pool, mc->auth_type); req->user = apr_pstrdup(req->pool, mc->user_name); ret = OK; @@ -274,7 +342,7 @@ static int mag_auth(request_rec *req) if (!ba_user.value) goto done; if (((char *)ba_user.value)[0] == '\0' || ((char *)ba_pwd.value)[0] == '\0') { - ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "Invalid empty user or password for Basic Auth"); goto done; } @@ -282,7 +350,7 @@ static int mag_auth(request_rec *req) ba_pwd.length = strlen(ba_pwd.value); maj = gss_import_name(&min, &ba_user, GSS_C_NT_USER_NAME, &client); if (GSS_ERROR(maj)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "In Basic Auth, %s", mag_error(req, "gss_import_name() failed", maj, min)); 
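Review bot: In the "Already established context found!" branch, `GSS_SESSION_EXPIRATION` is formatted with `"%ld", (long)mc->expiration`, which truncates a 64-bit time_t on platforms where long is 32 bits. Formatting through APR's 64-bit specifier avoids that: `apr_psprintf(req->pool, "%" APR_INT64_T_FMT, (apr_int64_t)mc->expiration)`. The same pattern appears in the later hunk that sets the variable after gss_display_name(). This code is inside mag_auth, whose body continues outside the hunk.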
@@ -296,15 +364,14 @@ static int mag_auth(request_rec *req) rs = apr_generate_random_bytes((unsigned char *)(&rndname), sizeof(long long unsigned int)); if (rs != APR_SUCCESS) { - ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "Failed to generate random ccache name"); goto done; } user_ccache = apr_psprintf(req->pool, "MEMORY:user_%qu", rndname); - maj = gss_krb5_ccache_name(&min, user_ccache, - (const char **)&orig_ccache); + maj = gss_krb5_ccache_name(&min, user_ccache, &orig_ccache); if (GSS_ERROR(maj)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "In Basic Auth, %s", mag_error(req, "gss_krb5_ccache_name() " "failed", maj, min)); @@ -317,7 +384,7 @@ static int mag_auth(request_rec *req) GSS_C_INITIATE, &user_cred, NULL, NULL); if (GSS_ERROR(maj)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "In Basic Auth, %s", mag_error(req, "gss_acquire_cred_with_password() " "failed", maj, min)); @@ -340,7 +407,7 @@ static int mag_auth(request_rec *req) cfg->cred_store, &acquired_cred, NULL, NULL); if (GSS_ERROR(maj)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, "%s", + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "%s", mag_error(req, "gss_acquire_cred_from() failed", maj, min)); goto done; 
@@ -355,27 +422,62 @@ static int mag_auth(request_rec *req) GSS_C_NO_OID_SET, cred_usage, &acquired_cred, NULL, NULL); if (GSS_ERROR(maj)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "%s", mag_error(req, "gss_acquire_cred_from()" " failed", maj, min)); goto done; } } - maj = gss_inquire_cred(&min, acquired_cred, &server, + if (cred_usage == GSS_C_BOTH) { + /* If GSS_C_BOTH is used then inquire_cred will return the client + * name instead of the SPN of the server credentials. Therefore we + * need to acquire a different set of credential setting + * GSS_C_ACCEPT explicitly */ + if (cfg->cred_store) { + maj = gss_acquire_cred_from(&min, GSS_C_NO_NAME, + GSS_C_INDEFINITE, GSS_C_NO_OID_SET, + GSS_C_ACCEPT, cfg->cred_store, + &server_cred, NULL, NULL); + } else { + /* Try to acquire default creds */ + maj = gss_acquire_cred(&min, GSS_C_NO_NAME, GSS_C_INDEFINITE, + GSS_C_NO_OID_SET, GSS_C_ACCEPT, + &server_cred, NULL, NULL); + } + if (GSS_ERROR(maj)) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "%s", + mag_error(req, "gss_acquire_cred[_from]() " + "failed to get server creds", + maj, min)); + goto done; + } + } else { + server_cred = acquired_cred; + } + maj = gss_inquire_cred(&min, server_cred, &server, NULL, NULL, NULL); if (GSS_ERROR(maj)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "%s", mag_error(req, "gss_inquired_cred_() " "failed", maj, min)); goto done; } + if (server_cred != acquired_cred) { + gss_release_cred(&min, &server_cred); + } + + if (cfg->deleg_ccache_dir) { + /* delegate ourselves credentials so we store them as requested */ + init_flags |= GSS_C_DELEG_FLAG; + } + /* output and input are inverted here, this is intentional */ maj = gss_init_sec_context(&min, user_cred, &user_ctx, server, - GSS_C_NO_OID, 0, 300, + GSS_C_NO_OID, init_flags, 300, GSS_C_NO_CHANNEL_BINDINGS, &output, NULL, &input, NULL, NULL); if 
(GSS_ERROR(maj)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "%s", mag_error(req, "gss_init_sec_context() " "failed", maj, min)); goto done; @@ -387,7 +489,7 @@ static int mag_auth(request_rec *req) &client, &mech_type, &output, &flags, &vtime, &delegated_cred); if (GSS_ERROR(maj)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, "%s", + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "%s", mag_error(req, "gss_accept_sec_context() failed", maj, min)); goto done; @@ -397,11 +499,11 @@ static int mag_auth(request_rec *req) gss_release_buffer(&min, &input); /* output and input are inverted here, this is intentional */ maj = gss_init_sec_context(&min, user_cred, &user_ctx, server, - GSS_C_NO_OID, 0, 300, + GSS_C_NO_OID, init_flags, 300, GSS_C_NO_CHANNEL_BINDINGS, &output, NULL, &input, NULL, NULL); if (GSS_ERROR(maj)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "%s", mag_error(req, "gss_init_sec_context() " "failed", maj, min)); goto done; @@ -412,7 +514,7 @@ static int mag_auth(request_rec *req) &client, &mech_type, &output, &flags, &vtime, &delegated_cred); if (GSS_ERROR(maj)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "%s", mag_error(req, "gss_accept_sec_context()" " failed", maj, min)); goto done; @@ -420,7 +522,7 @@ static int mag_auth(request_rec *req) } } else if (maj == GSS_S_CONTINUE_NEEDED) { if (!mc) { - ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "Mechanism needs continuation but neither " "GssapiConnectionBound nor " "GssapiUseSessions are available"); 
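Review bot: When `cred_usage == GSS_C_BOTH` and gss_inquire_cred() fails, the separately acquired `server_cred` is not released, because the `goto done` is taken before the `if (server_cred != acquired_cred)` release. The variable is introduced by this commit and no release is added to the cleanup code, so the credential handle appears to leak on that path. Adding `if (server_cred != acquired_cred) gss_release_cred(&min, &server_cred);` in the error branch after the log call and before `goto done;` closes it while keeping `min` intact for mag_error(). mag_auth starts and ends outside this hunk.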
@@ -435,13 +537,16 @@ static int mag_auth(request_rec *req) /* Always set the GSS name in an env var */ maj = gss_display_name(&min, client, &name, NULL); if (GSS_ERROR(maj)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, "%s", + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "%s", mag_error(req, "gss_display_name() failed", maj, min)); goto done; } clientname = apr_pstrndup(req->pool, name.value, name.length); apr_table_set(req->subprocess_env, "GSS_NAME", clientname); + expiration = time(NULL) + vtime; + apr_table_set(req->subprocess_env, "GSS_SESSION_EXPIRATION", + apr_psprintf(req->pool, "%ld", (long)expiration)); #ifdef HAVE_GSS_STORE_CRED_INTO if (cfg->deleg_ccache_dir && delegated_cred != GSS_C_NO_CREDENTIAL) { @@ -459,7 +564,7 @@ static int mag_auth(request_rec *req) if (cfg->map_to_local) { maj = gss_localname(&min, client, mech_type, &lname); if (maj != GSS_S_COMPLETE) { - ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, "%s", + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "%s", mag_error(req, "gss_localname() failed", maj, min)); goto done; } 
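Review bot: `expiration = time(NULL) + vtime;` is computed here from the unclamped `vtime`, and the later hunk at `-475,49` replaces `mc->expiration = time(NULL) + vtime;` with `mc->expiration = expiration;` directly after the `vtime == GSS_C_INDEFINITE || vtime < MIN_SESS_EXP_TIME` clamp. That clamp no longer affects the stored expiry: a GSS_C_INDEFINITE lifetime is added to the current time as a raw value, and lifetimes below MIN_SESS_EXP_TIME are stored unchanged, so the cached session can outlive or undercut what the previous code allowed. Applying the clamp before this assignment would keep `GSS_SESSION_EXPIRATION` and `mc->expiration` consistent with the old behaviour. mag_auth starts and ends outside this hunk.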
@@ -475,49 +580,49 @@ static int mag_auth(request_rec *req) if (vtime == GSS_C_INDEFINITE || vtime < MIN_SESS_EXP_TIME) { vtime = MIN_SESS_EXP_TIME; } - mc->expiration = time(NULL) + vtime; + mc->expiration = expiration; if (cfg->use_sessions) { mag_attempt_session(req, cfg, mc); } mc->auth_type = auth_type; } + if (cfg->send_persist) + apr_table_set(req->headers_out, "Persistent-Auth", + cfg->gss_conn_ctx ? "true" : "false"); + ret = OK; done: - if (ret == HTTP_UNAUTHORIZED) { - if (output.length != 0) { - replen = apr_base64_encode_len(output.length) + 1; - reply = apr_pcalloc(req->pool, 10 + replen); - if (reply) { - memcpy(reply, "Negotiate ", 10); - apr_base64_encode(&reply[10], output.value, output.length); - apr_table_add(req->err_headers_out, - "WWW-Authenticate", reply); - } - } else { + if ((!is_basic) && (output.length != 0)) { + replen = apr_base64_encode_len(output.length) + 1; + reply = apr_pcalloc(req->pool, 10 + replen); + if (reply) { + memcpy(reply, "Negotiate ", 10); + apr_base64_encode(&reply[10], output.value, output.length); apr_table_add(req->err_headers_out, - "WWW-Authenticate", "Negotiate"); - if (cfg->use_basic_auth) { - apr_table_add(req->err_headers_out, - "WWW-Authenticate", - apr_psprintf(req->pool, "Basic realm=\"%s\"", - ap_auth_name(req))); - } + "WWW-Authenticate", reply); + } + } else if (ret == HTTP_UNAUTHORIZED) { + apr_table_add(req->err_headers_out, + "WWW-Authenticate", "Negotiate"); + if (cfg->use_basic_auth) { + apr_table_add(req->err_headers_out, + "WWW-Authenticate", + apr_psprintf(req->pool, "Basic realm=\"%s\"", + ap_auth_name(req))); } } #ifdef HAVE_GSS_KRB5_CCACHE_NAME if (user_ccache != NULL) { maj = gss_krb5_ccache_name(&min, orig_ccache, NULL); if (maj != GSS_S_COMPLETE) { - ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "Failed to restore per-thread ccache, %s", mag_error(req, "gss_krb5_ccache_name() " "failed", maj, min)); } } - free(orig_ccache); - 
orig_ccache = NULL; #endif gss_delete_sec_context(&min, &user_ctx, &output); gss_release_cred(&min, &user_cred); @@ -537,7 +642,6 @@ static void *mag_create_dir_config(apr_pool_t *p, char *dir) struct mag_config *cfg; cfg = (struct mag_config *)apr_pcalloc(p, sizeof(struct mag_config)); - if (!cfg) return NULL; cfg->pool = p; return cfg; @@ -564,6 +668,13 @@ static const char *mag_conn_ctx(cmd_parms *parms, void *mconfig, int on) return NULL; } +static const char *mag_send_persist(cmd_parms *parms, void *mconfig, int on) +{ + struct mag_config *cfg = (struct mag_config *)mconfig; + cfg->send_persist = on ? true : false; + return NULL; +} + static const char *mag_use_sess(cmd_parms *parms, void *mconfig, int on) { struct mag_config *cfg = (struct mag_config *)mconfig; @@ -578,10 +689,6 @@ static const char *mag_use_s4u2p(cmd_parms *parms, void *mconfig, int on) if (cfg->deleg_ccache_dir == NULL) { cfg->deleg_ccache_dir = apr_pstrdup(parms->pool, "/tmp"); - if (!cfg->deleg_ccache_dir) { - ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, - parms->server, "%s", "OOM setting deleg_ccache_dir."); - } } return NULL; } @@ -596,7 +703,7 @@ static const char *mag_sess_key(cmd_parms *parms, void *mconfig, const char *w) int l; if (strncmp(w, "key:", 4) != 0) { - ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, parms->server, + ap_log_error(APLOG_MARK, APLOG_ERR, 0, parms->server, "Invalid key format, expected prefix 'key:'"); return NULL; } 
@@ -604,24 +711,19 @@ static const char *mag_sess_key(cmd_parms *parms, void *mconfig, const char *w) l = apr_base64_decode_len(k); val = apr_palloc(parms->temp_pool, l); - if (!val) { - ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, parms->server, - "Failed to get memory to decode key"); - return NULL; - } keys.length = (int)apr_base64_decode_binary(val, k); keys.value = (unsigned char *)val; if (keys.length != 32) { - ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, parms->server, - "Invalid key lenght, expected 32 got %d", keys.length); + ap_log_error(APLOG_MARK, APLOG_ERR, 0, parms->server, + "Invalid key length, expected 32 got %d", keys.length); return NULL; } rc = SEAL_KEY_CREATE(cfg->pool, &cfg->mag_skey, &keys); if (rc != OK) { - ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, parms->server, + ap_log_error(APLOG_MARK, APLOG_ERR, 0, parms->server, "Failed to import sealing key!"); } return NULL; 
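Review bot: An unusable GssapiSessionKey is only logged: the `keys.length != 32` branch and the SEAL_KEY_CREATE failure both end in `return NULL;`, which httpd treats as a successfully parsed directive, so the server starts without the configured sealing key. Returning the message instead makes the misconfiguration fatal at startup, e.g. `return "Invalid key length, expected 32 bytes";`. The `key:` prefix check in the preceding hunk and the GssapiCredStore syntax and limit checks in mag_cred_store follow the same log-and-continue pattern. Which key, if any, is used when none was imported is not visible in this diff. mag_sess_key starts outside this hunk.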
@@ -642,40 +744,26 @@ static const char *mag_cred_store(cmd_parms *parms, void *mconfig, p = strchr(w, ':'); if (!p) { - ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, parms->server, + ap_log_error(APLOG_MARK, APLOG_ERR, 0, parms->server, "%s [%s]", "Invalid syntax for GssapiCredStore option", w); return NULL; } key = apr_pstrndup(parms->pool, w, (p-w)); value = apr_pstrdup(parms->pool, p + 1); - if (!key || !value) { - ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, parms->server, - "%s", "OOM handling GssapiCredStore option"); - return NULL; - } if (!cfg->cred_store) { cfg->cred_store = apr_pcalloc(parms->pool, sizeof(gss_key_value_set_desc)); - if (!cfg->cred_store) { - ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, parms->server, - "%s", "OOM handling GssapiCredStore option"); - return NULL; - } size = sizeof(gss_key_value_element_desc) * MAX_CRED_OPTIONS; cfg->cred_store->elements = apr_palloc(parms->pool, size); - if (!cfg->cred_store->elements) { - ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, parms->server, - "%s", "OOM handling GssapiCredStore option"); - } } elements = cfg->cred_store->elements; count = cfg->cred_store->count; if (count >= MAX_CRED_OPTIONS) { - ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, parms->server, + ap_log_error(APLOG_MARK, APLOG_ERR, 0, parms->server, "Too many GssapiCredStore options (MAX: %d)", MAX_CRED_OPTIONS); return NULL; @@ -694,10 +782,6 @@ static const char *mag_deleg_ccache_dir(cmd_parms *parms, void *mconfig, struct mag_config *cfg = (struct mag_config *)mconfig; cfg->deleg_ccache_dir = apr_pstrdup(parms->pool, value); - if (!cfg->deleg_ccache_dir) { - ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, parms->server, - "%s", "OOM handling GssapiDelegCcacheDir option"); - } return NULL; } 
@@ -717,6 +801,8 @@ static const command_rec mag_commands[] = { "Translate principals to local names"), AP_INIT_FLAG("GssapiConnectionBound", mag_conn_ctx, NULL, OR_AUTHCFG, "Authentication is bound to the TCP connection"), + AP_INIT_FLAG("GssapiSignalPersistentAuth", mag_send_persist, NULL, OR_AUTHCFG, + "Send Persitent-Auth header according to connection bound"), AP_INIT_FLAG("GssapiUseSessions", mag_use_sess, NULL, OR_AUTHCFG, "Authentication uses mod_sessions to hold status"), AP_INIT_RAW_ARGS("GssapiSessionKey", mag_sess_key, NULL, OR_AUTHCFG,
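Review bot: The help text for the new GssapiSignalPersistentAuth directive misspells the header name as `Persitent-Auth`, while the code added in mag_auth sends `Persistent-Auth`. Suggested text: `"Send Persistent-Auth header according to connection bound"`. The mag_commands table starts and ends outside this hunk.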