From 60509195fb41173ba8e6cfac8bf800935ebb86ad Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Sat, 8 Mar 2014 14:23:28 -0500 Subject: [PATCH] Add option to map GSS Name to local Name Always preserves the received name in GSS_NAME. In the kereberos case this will result in the environment variable called GSS_NAME the user's principal, while REMOTE_USER will contain the user name as mapped by the kerberos library. --- src/mod_auth_gssapi.c | 33 +++++++++++++++++++++++++++++++-- 1 file changed, 31 insertions(+), 2 deletions(-) diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c index 4e7e3dc..e6fb209 100644 --- a/src/mod_auth_gssapi.c +++ b/src/mod_auth_gssapi.c @@ -38,6 +38,7 @@ module AP_MODULE_DECLARE_DATA mag_module; struct mag_config { bool ssl_only; + bool map_to_local; gss_key_value_set_desc cred_store; }; @@ -100,6 +101,9 @@ static int mag_auth(request_rec *req) uint32_t maj, min; char *reply; size_t replen; + char *clientname; + gss_OID mech_type = GSS_C_NO_OID; + gss_buffer_desc lname = GSS_C_EMPTY_BUFFER; type = ap_auth_type(req); if ((type == NULL) || (strcasecmp(type, "GSSAPI") != 0)) { @@ -132,7 +136,7 @@ static int mag_auth(request_rec *req) * should work with Krb, will fail with NTLMSSP */ maj = gss_accept_sec_context(&min, &ctx, GSS_C_NO_CREDENTIAL, &input, GSS_C_NO_CHANNEL_BINDINGS, - &client, NULL, &output, &flags, NULL, + &client, &mech_type, &output, &flags, NULL, &delegated_cred); if (GSS_ERROR(maj)) { ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, @@ -170,7 +174,22 @@ static int mag_auth(request_rec *req) #endif req->ap_auth_type = apr_pstrdup(req->pool, "Negotiate"); - req->user = apr_pstrndup(req->pool, name.value, name.length); + + /* Always set the GSS name in an env var */ + clientname = apr_pstrndup(req->pool, name.value, name.length); + apr_table_set(req->subprocess_env, "GSS_NAME", clientname); + + if (cfg->map_to_local) { + maj = gss_localname(&min, client, mech_type, &lname); + if (maj != GSS_S_COMPLETE) { + ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, + mag_error(req, "gss_localname() failed", maj, min)); + goto done; + } + req->user = apr_pstrndup(req->pool, lname.value, lname.length); + } else { + req->user = clientname; + } ret = OK; done: @@ -182,6 +201,7 @@ done: gss_release_name(&min, &client); gss_release_buffer(&min, &name); gss_delete_sec_context(&min, &ctx, GSS_C_NO_BUFFER); + gss_release_buffer(&min, &lname); return ret; } @@ -203,6 +223,13 @@ static const char *mag_ssl_only(cmd_parms *parms, void *mconfig, int on) return NULL; } +static const char *mag_map_to_local(cmd_parms *parms, void *mconfig, int on) +{ + struct mag_config *cfg = (struct mag_config *)mconfig; + cfg->map_to_local = on ? true : false; + return NULL; +} + static const char *mag_cred_store(cmd_parms *parms, void *mconfig, const char *w) { @@ -252,6 +279,8 @@ static const char *mag_cred_store(cmd_parms *parms, void *mconfig, static const command_rec mag_commands[] = { AP_INIT_FLAG("GSSSSLOnly", mag_ssl_only, NULL, OR_AUTHCFG, "Work only if connection is SSL Secured"), + AP_INIT_FLAG("GSSLocalName", mag_map_to_local, NULL, OR_AUTHCFG, + "Work only if connection is SSL Secured"), AP_INIT_ITERATE("GSSCredStore", mag_cred_store, NULL, OR_AUTHCFG, "Credential Store"), { NULL } -- 2.1.4