X-Git-Url: http://www.project-moonshot.org/gitweb/?p=mod_auth_gssapi.git;a=blobdiff_plain;f=src%2Fmod_auth_gssapi.c;h=f2fab579b02a3ffb4db496a07451a3fd42975d9f;hp=7430962e606bdc22438b85a2e74a9bd4032318a0;hb=aa4f8f9c06eec26248f068f445fe2412cb6f467b;hpb=5401c93b3d84a58357ccf8321ffe165aabca8656 diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c index 7430962..f2fab57 100644 --- a/src/mod_auth_gssapi.c +++ b/src/mod_auth_gssapi.c @@ -24,9 +24,12 @@ #include "mod_auth_gssapi.h" +#define MOD_AUTH_GSSAPI_VERSION PACKAGE_NAME "/" PACKAGE_VERSION module AP_MODULE_DECLARE_DATA auth_gssapi_module; +APLOG_USE_MODULE(auth_gssapi); + APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *)); static char *mag_status(request_rec *req, int type, uint32_t err) @@ -78,6 +81,7 @@ static int mag_post_config(apr_pool_t *cfgpool, apr_pool_t *log, /* FIXME: create mutex to deal with connections and contexts ? */ mag_is_https = APR_RETRIEVE_OPTIONAL_FN(ssl_is_https); mag_post_config_session(); + ap_add_version_component(cfgpool, MOD_AUTH_GSSAPI_VERSION); return OK; } @@ -140,7 +144,7 @@ static void mag_store_deleg_creds(request_rec *req, maj = gss_store_cred_into(&min, delegated_cred, GSS_C_INITIATE, GSS_C_NULL_OID, 1, 1, &store, NULL, NULL); if (GSS_ERROR(maj)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, + ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, "%s", mag_error(req, "failed to store delegated creds", maj, min)); } @@ -164,6 +168,7 @@ static int mag_auth(request_rec *req) gss_name_t client = GSS_C_NO_NAME; gss_cred_id_t acquired_cred = GSS_C_NO_CREDENTIAL; gss_cred_id_t delegated_cred = GSS_C_NO_CREDENTIAL; + gss_cred_usage_t cred_usage = GSS_C_ACCEPT; uint32_t flags; uint32_t vtime; uint32_t maj, min; 
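Review bot: ap_add_version_component() publishes MOD_AUTH_GSSAPI_VERSION to every client in the Server header whenever ServerTokens is Full, and nothing at the call site in mag_post_config says so, so a maintainer adjusting the banner later has no pointer to this disclosure point. Suggest `/* appended to the Server banner (httpd shows module components only with ServerTokens Full) */` above the call. The macro itself, added in the hunk at line 24, expands PACKAGE_NAME and PACKAGE_VERSION, which normally come from the autoconf-generated config header; that hunk only shows mod_auth_gssapi.h being included, so confirm that header pulls them in or the build passes them with -D. mag_post_config begins outside the hunk.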
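Review bot: The added `"%s"` fixes a format-string defect — mag_error() returns text presumably built from GSS status strings, and it was being passed as the format argument — but the same fix is hand-applied at four call sites (this hunk and the hunks at lines 263, 288 and 312), so the next ap_log_rerror() added to this file can regress the same way. Consider a small wrapper, `static void mag_log_gss_error(request_rec *req, const char *msg, uint32_t maj, uint32_t min)`, that owns the `"%s"` and the mag_error() call, and have each site call it. This hunk is the body of mag_store_deleg_creds, whose signature and end lie outside the hunk.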
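Review bot: `cred_usage` is declared unconditionally here but, judging from the hunk at line 245, it is only read inside `#ifdef HAVE_GSS_ACQUIRE_CRED_FROM`; on a build without that symbol it becomes a set-but-unused variable, which -Werror=unused-but-set-variable turns into a build failure, unless the #else path outside that hunk also uses it. Either move the declaration under the same `#ifdef` or confirm the fallback path references it, and document the intent with `/* widened to GSS_C_BOTH only when S4U2Proxy needs initiate creds */`. The rest of mag_auth lies outside the hunk.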
@@ -206,7 +211,9 @@ static int mag_auth(request_rec *req) } /* if available, session always supersedes connection bound data */ - mag_check_session(req, cfg, &mc); + if (cfg->use_sessions) { + mag_check_session(req, cfg, &mc); + } if (mc) { /* register the context in the memory pool, so it can be freed @@ -245,12 +252,15 @@ static int mag_auth(request_rec *req) #ifdef HAVE_GSS_ACQUIRE_CRED_FROM if (cfg->use_s4u2proxy) { + cred_usage = GSS_C_BOTH; + } + if (cfg->cred_store) { maj = gss_acquire_cred_from(&min, GSS_C_NO_NAME, 0, - GSS_C_NO_OID_SET, GSS_C_BOTH, + GSS_C_NO_OID_SET, cred_usage, cfg->cred_store, &acquired_cred, NULL, NULL); if (GSS_ERROR(maj)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, + ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, "%s", mag_error(req, "gss_acquire_cred_from() failed", maj, min)); goto done; @@ -263,7 +273,7 @@ static int mag_auth(request_rec *req) &client, &mech_type, &output, &flags, &vtime, &delegated_cred); if (GSS_ERROR(maj)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, + ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, "%s", mag_error(req, "gss_accept_sec_context() failed", maj, min)); goto done; @@ -288,7 +298,7 @@ static int mag_auth(request_rec *req) /* Always set the GSS name in an env var */ maj = gss_display_name(&min, client, &name, NULL); if (GSS_ERROR(maj)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, + ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, "%s", mag_error(req, "gss_accept_sec_context() failed", maj, min)); goto done; @@ -312,7 +322,7 @@ static int mag_auth(request_rec *req) if (cfg->map_to_local) { maj = gss_localname(&min, client, mech_type, &lname); if (maj != GSS_S_COMPLETE) { - ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, + ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, "%s", mag_error(req, "gss_localname() failed", maj, min)); goto done; } 
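Review bot: The new `if (cfg->use_sessions)` guard is repeated at the two session call sites (here and in the hunk at line 329), so a future caller of mag_check_session() or mag_attempt_session() can bypass the switch simply by forgetting it. Moving the check into the two functions themselves — an early `if (!cfg->use_sessions) return;` — keeps the policy in one place and lets the call sites read as before. As written the change looks correct: with sessions disabled, whatever mag_check_session() would have loaded into mc from a client-presented session is presumably no longer consulted. mag_auth continues outside the hunk on both sides.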
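Review bot: Splitting the condition silently changes what happens when `cfg->use_s4u2proxy` is set but `cfg->cred_store` is not: the GSS_C_BOTH credential is never acquired, acquired_cred stays GSS_C_NO_CREDENTIAL, and gss_accept_sec_context() in the next hunk falls back to the default acceptor credential, so the delegation the administrator asked for may not work and nothing in the log says why. A diagnostic at this point would make the misconfiguration visible, e.g. `if (cfg->use_s4u2proxy && !cfg->cred_store) ap_log_rerror(APLOG_MARK, APLOG_WARNING|APLOG_NOERRNO, 0, req, "s4u2proxy requested but no credential store configured");`, though a one-time check at config time would be better than a per-request warning. Narrowing the usage to GSS_C_ACCEPT unless proxying is needed is a welcome least-privilege change. The `#ifdef HAVE_GSS_ACQUIRE_CRED_FROM` opened here is closed outside the hunk.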
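Review bot: The message on the unchanged line after the fixed ap_log_rerror() still says `"gss_accept_sec_context() failed"`, but this branch reports a gss_display_name() failure, so the log will point an operator at the wrong call; the commit touches the line above and leaves the mislabelled text. Change it to `mag_error(req, "gss_display_name() failed", maj, min)`. The enclosing mag_auth body continues outside the hunk.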
@@ -329,7 +339,9 @@ static int mag_auth(request_rec *req) vtime = MIN_SESS_EXP_TIME; } mc->expiration = time(NULL) + vtime; - mag_attempt_session(req, cfg, mc); + if (cfg->use_sessions) { + mag_attempt_session(req, cfg, mc); + } } ret = OK; @@ -533,7 +545,7 @@ static const command_rec mag_commands[] = { AP_INIT_FLAG("GssapiSSLonly", mag_ssl_only, NULL, OR_AUTHCFG, "Work only if connection is SSL Secured"), AP_INIT_FLAG("GssapiLocalName", mag_map_to_local, NULL, OR_AUTHCFG, - "Work only if connection is SSL Secured"), + "Translate principals to local names"), AP_INIT_FLAG("GssapiConnectionBound", mag_conn_ctx, NULL, OR_AUTHCFG, "Authentication is bound to the TCP connection"), AP_INIT_FLAG("GssapiUseSessions", mag_use_sess, NULL, OR_AUTHCFG,