From 0cea28e5b05b340bbb3b2b60e3a326a6a7d1fcb0 Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Tue, 14 Apr 2015 13:52:05 -0400
Subject: [PATCH] Add support for delegate creds on basic auth

When doing fallback basic auth, we may also want to honor the configured directive about storing delegated credentials. Detect if we are configured to store them and set the appopriate init_sec_context flag that will cause the accept_sec_context call to get valid delegated credentials for later storage.
---
 src/mod_auth_gssapi.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c
index e233110..b168dbf 100644
--- a/src/mod_auth_gssapi.c
+++ b/src/mod_auth_gssapi.c
@@ -239,6 +239,7 @@ static int mag_auth(request_rec *req)
 const char *user_ccache = NULL;
 const char *orig_ccache = NULL;
 #endif
+ uint32_t init_flags = 0;
 type = ap_auth_type(req);
 if ((type == NULL) || (strcasecmp(type, "GSSAPI") != 0)) {
@@ -445,9 +446,15 @@ static int mag_auth(request_rec *req)
 "failed", maj, min));
 goto done;
 }
+
+ if (cfg->deleg_ccache_dir) {
+ /* delegate ourselves credentials so we store them as requested */
+ init_flags |= GSS_C_DELEG_FLAG;
+ }
+
 /* output and input are inverted here, this is intentional */
 maj = gss_init_sec_context(&min, user_cred, &user_ctx, server,
- GSS_C_NO_OID, 0, 300,
+ GSS_C_NO_OID, init_flags, 300,
 GSS_C_NO_CHANNEL_BINDINGS, &output, NULL, &input, NULL, NULL);
 if (GSS_ERROR(maj)) {
@@ -473,7 +480,7 @@ static int mag_auth(request_rec *req)
 gss_release_buffer(&min, &input);
 /* output and input are inverted here, this is intentional */
 maj = gss_init_sec_context(&min, user_cred, &user_ctx, server,
- GSS_C_NO_OID, 0, 300,
+ GSS_C_NO_OID, init_flags, 300,
 GSS_C_NO_CHANNEL_BINDINGS, &output, NULL, &input, NULL, NULL);
 if (GSS_ERROR(maj)) {
--
2.1.4
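Review bot: Both `gss_init_sec_context` calls that now take `init_flags` (the one in the second hunk and the continuation call in the third) still pass `NULL` for the returned-flags argument, so the code cannot tell whether delegation was actually granted. If the acquired ticket is not forwardable, the request is presumably dropped without any trace and nothing is stored later. Passing `&ret_flags` in place of the second-to-last `NULL` and logging when `cfg->deleg_ccache_dir` is set but `!(ret_flags & GSS_C_DELEG_FLAG)` would make that case visible. The comment on the new block could also state that a `deleg_ccache_dir` presumably configured for the Negotiate path now causes a forwarded credential to be written for every password-authenticated user as well, since that widens what the storage directory holds and should be a conscious choice by the administrator. `mag_auth` begins and ends outside these hunks, so how the delegated credential is consumed is not visible here.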