+2002-09-06 Daniel Henninger <daniel@ncsu.edu>
+
+ * apache1/auth_cmds.c:
+ * apache1/auth_config.h:
+ * apache2/auth_cmds.c:
+ * apache2/auth_config.h:
+ Added all of the options I currently forsee supporting.
+
2002-09-05 Daniel Henninger <daniel@ncsu.edu>
* apache1/module.c:
-- Save Creds/Tickets
+* Save Creds/Tickets
Retrieve and store krbtgt and set env variable of file path.
- Cleanup Daemon
Maybe write some little cleanup daemon to clean up ticket files.
-- Set Path for Storage of Temp Files
+* Set Path for Storage of Temp Files
Storage of ticket files, and maybe others at some point.
- Verify Krb5 Ticket
Currently www/hostname.
Can I do this with Krb4?
+ Yes apparently! See bug report from Ken Raeburn.
-- Ability to Set Realm in Config
+* Ability to Set Realm in Config
Not compiled in anymore.
Maybe some form of multiple realms specifiable?
-- Settable Location of Keytab/Srvtab
+* Settable Location of Keytab/Srvtab
Again, in config instead of compiled in.
-- Lifetime Settable
+* Lifetime Settable
Set lifetime of tickets in config.
-- Default Instance
+* Default Instance
You can make it so that 'by default', a user's daniel/root or
daniel/www instance is auth'd against instead of just daniel.
+- Require Instance
+ We'll allow for a 'require instance ......'.
+
- Any Instance
Allow for specification of daniel/root or daniel/admin.
If off, only checks against defaultinstance instance.
+ require user daniel/root daniel daniel/admin
- Expire Reauth
Set a lifetime on tickets, and after expiration, tries to -force-
a reauth (brings up login/password window)
-- Forwardable/Renewable Tickets
+* Forwardable/Renewable Tickets
Setting in config.
- Browser Mutual Auth Support
"Permit Kerberos auth without AuthType requirement."
},
+#ifdef KRB4
+ {
+ "Krb4Srvtab",
+ ap_set_file_slot,
+ (void*)XtOffsetOf(kerb_auth_config, krb_4_srvtab),
+ RSRC_CONF & ACCESS_CONF,
+ TAKE1,
+ "Location of Kerberos V4 srvtab file."
+ },
+#endif /* KRB4 */
+
+#ifdef KRB5
+ {
+ "Krb5Keytab",
+ ap_set_file_slot,
+ (void*)XtOffsetOf(kerb_auth_config, krb_5_keytab),
+ RSRC_CONF & ACCESS_CONF,
+ TAKE1,
+ "Location of Kerberos V5 keytab file."
+ },
+#endif /* KRB5 */
+
+ {
+ "KrbAuthoritative",
+ ap_set_flag_slot,
+ (void*)XtOffsetOf(kerb_auth_config, krb_authoritative),
+ OR_AUTHCFG,
+ FLAG,
+ "Refuse to pass request down to lower modules."
+ },
+
+ {
+ "KrbDefaultRealm",
+ ap_set_string_slot,
+ (void*)XtOffsetOf(kerb_auth_config, krb_default_realm),
+ OR_AUTHCFG,
+ TAKE1,
+ "Default realm to authenticate users against."
+ },
+
{
"KrbFailStatus",
kerb_set_fail_slot,
},
{
- "KrbAuthoritative",
+ "KrbForceInstance",
+ ap_set_string_slot,
+ (void*)XtOffsetOf(kerb_auth_config, krb_force_instance),
+ OR_AUTHCFG,
+ TAKE1,
+ "Force authentication against an instance specified here."
+ },
+
+#ifdef KRB5
+ {
+ "KrbForwardable",
ap_set_flag_slot,
- (void*)XtOffsetOf(kerb_auth_config, krb_authoritative),
+ (void*)XtOffsetOf(kerb_auth_config, krb_forwardable),
OR_AUTHCFG,
FLAG,
- "Refuse to pass request down to lower modules."
+ "Credentials retrieved will be flagged as forwardable."
+ },
+#endif /* KRB5 */
+
+ {
+ "KrbLifetime",
+ ap_set_string_slot,
+ (void*)XtOffsetOf(kerb_auth_config, krb_lifetime),
+ OR_AUTHCFG,
+ TAKE1,
+ "Lifetime of tickets retrieved."
+ },
+
+#ifdef KRB5
+ {
+ "KrbRenewable",
+ ap_set_string_slot,
+ (void*)XtOffsetOf(kerb_auth_config, krb_renewable),
+ OR_AUTHCFG,
+ TAKE1,
+ "Credentials retrieved will be renewable for this length."
+ },
+#endif /* KRB5 */
+
+ {
+ "KrbSaveCredentials",
+ ap_set_flag_slot,
+ (void*)XtOffsetOf(kerb_auth_config, krb_save_credentials),
+ OR_AUTHCFG,
+ FLAG,
+ "Save and store credentials/tickets retrieved during auth."
+ },
+
+ {
+ "KrbSaveTickets",
+ ap_set_flag_slot,
+ (void*)XtOffsetOf(kerb_auth_config, krb_save_credentials),
+ OR_AUTHCFG,
+ FLAG,
+ "Alias for KrbSaveCredentials."
+ },
+
+ {
+ "KrbTmpdir",
+ ap_set_string_slot,
+ (void*)XtOffsetOf(kerb_auth_config, krb_tmp_dir),
+ OR_AUTHCFG,
+ TAKE1,
+ "Path to store ticket files and such in."
},
{ NULL }
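Review bot: `RSRC_CONF & ACCESS_CONF` in the new Krb4Srvtab and Krb5Keytab entries is a bitwise AND of two separate single-bit context flags from Apache's http_config.h, so it evaluates to 0 (OR_NONE) and the server will refuse both directives in every configuration context with "not allowed here". The intended value is the union, `RSRC_CONF | ACCESS_CONF,`, which keeps the srvtab/keytab paths settable from the main server config and <Directory> blocks but not from .htaccess. The same expression appears on the Krb4Srvtab and Krb5Keytab AP_INIT_TAKE1 entries in the apache2/auth_cmds.c hunk and needs the same one-character fix there.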
typedef struct {
char *krb_auth_type;
- int krb_fail_status;
+#ifdef KRB4
+ char *krb_4_srvtab;
+#endif /* KRB4 */
+#ifdef KRB5
+ char *krb_5_keytab;
+#endif /* KRB5 */
int krb_authoritative;
+ char *krb_default_realm;
+ int krb_fail_status;
+ char *krb_force_instance;
+#ifdef KRB5
+ int krb_forwardable;
+#endif /* KRB5 */
+ char *krb_lifetime;
+#ifdef KRB5
+ char *krb_renewable;
+#endif /* KRB5 */
+ int krb_save_credentials;
+ char *krb_tmp_dir;
} kerb_auth_config;
"Permit Kerberos auth without AuthType requirement."
),
+#ifdef KRB4
+ AP_INIT_TAKE1(
+ "Krb4Srvtab",
+ ap_set_file_slot,
+ (void*)APR_XtOffsetOf(kerb_auth_config, krb_4_srvtab),
+ RSRC_CONF & ACCESS_CONF,
+ "Location of Kerberos V4 srvtab file."
+ ),
+#endif /* KRB4 */
+
+#ifdef KRB5
+ AP_INIT_TAKE1(
+ "Krb5Keytab",
+ ap_set_file_slot,
+ (void*)APR_XtOffsetOf(kerb_auth_config, krb_5_keytab),
+ RSRC_CONF & ACCESS_CONF,
+ "Location of Kerberos V5 keytab file."
+ ),
+#endif /* KRB5 */
+
+ AP_INIT_FLAG(
+ "KrbAuthoritative",
+ ap_set_flag_slot,
+ (void*)APR_XtOffsetOf(kerb_auth_config, krb_authoritative),
+ OR_AUTHCFG,
+ "Refuse to pass request down to lower modules."
+ ),
+
+ AP_INIT_TAKE1(
+ "KrbDefaultRealm",
+ ap_set_string_slot,
+ (void*)APR_XtOffsetOf(kerb_auth_config, krb_default_realm),
+ OR_AUTHCFG,
+ "Default realm to authenticate users against."
+ ),
+
AP_INIT_TAKE1(
"KrbFailStatus",
kerb_set_fail_slot,
"If auth fails, return status set here."
),
+ AP_INIT_TAKE1(
+ "KrbForceInstance",
+ ap_set_string_slot,
+ (void*)APR_XtOffsetOf(kerb_auth_config, krb_force_instance),
+ OR_AUTHCFG,
+ "Force authentication against an instance specified here."
+ ),
+
+#ifdef KRB5
AP_INIT_FLAG(
- "KrbAuthoritative",
+ "KrbForwardable",
ap_set_flag_slot,
- (void*)APR_XtOffsetOf(kerb_auth_config, krb_authoritative),
+ (void*)APR_XtOffsetOf(kerb_auth_config, krb_forwardable),
OR_AUTHCFG,
- "Refuse to pass request down to lower modules."
+ "Credentials retrieved will be flagged as forwardable."
+ ),
+#endif /* KRB5 */
+
+ AP_INIT_TAKE1(
+ "KrbLifetime",
+ ap_set_string_slot,
+ (void*)APR_XtOffsetOf(kerb_auth_config, krb_lifetime),
+ OR_AUTHCFG,
+ "Lifetime of tickets retrieved."
+ ),
+
+#ifdef KRB5
+ AP_INIT_TAKE1(
+ "KrbRenewable",
+ ap_set_string_slot,
+ (void*)APR_XtOffsetOf(kerb_auth_config, krb_renewable),
+ OR_AUTHCFG,
+ "Credentials retrieved will be renewable for this length."
+ ),
+#endif /* KRB5 */
+
+ AP_INIT_FLAG(
+ "KrbSaveCredentials",
+ ap_set_flag_slot,
+ (void*)APR_XtOffsetOf(kerb_auth_config, krb_save_credentials),
+ OR_AUTHCFG,
+ "Save and store credentials/tickets retrieved during auth."
+ ),
+
+ AP_INIT_FLAG(
+ "KrbSaveTickets",
+ ap_set_flag_slot,
+ (void*)APR_XtOffsetOf(kerb_auth_config, krb_save_credentials),
+ OR_AUTHCFG,
+ "Alias for KrbSaveCredentials."
+ ),
+
+ AP_INIT_TAKE1(
+ "KrbTmpdir",
+ ap_set_string_slot,
+ (void*)APR_XtOffsetOf(kerb_auth_config, krb_tmp_dir),
+ OR_AUTHCFG,
+ "Path to store ticket files and such in."
),
{ NULL }
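Review bot: KrbTmpdir is registered with ap_set_string_slot and OR_AUTHCFG, which is inconsistent with the Krb4Srvtab/Krb5Keytab entries in the same table and looser than a directory the server writes ticket files into warrants. With ap_set_string_slot a relative path is stored verbatim rather than resolved against ServerRoot the way ap_set_file_slot does, and OR_AUTHCFG lets any .htaccess under AllowOverride AuthConfig pick where the server process writes credential files. Unless per-directory override is a deliberate feature, consider `ap_set_file_slot,` and `RSRC_CONF | ACCESS_CONF,` for this entry; the apache1/auth_cmds.c hunk has the same KrbTmpdir entry. Since ap_set_file_slot also stores a char *, the krb_tmp_dir field in kerb_auth_config needs no change for either setter.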
typedef struct {
char *krb_auth_type;
- int krb_fail_status;
+#ifdef KRB4
+ char *krb_4_srvtab;
+#endif /* KRB4 */
+#ifdef KRB5
+ char *krb_5_keytab;
+#endif /* KRB5 */
int krb_authoritative;
+ char *krb_default_realm;
+ int krb_fail_status;
+ char *krb_force_instance;
+#ifdef KRB5
+ int krb_forwardable;
+#endif /* KRB5 */
+ char *krb_lifetime;
+#ifdef KRB5
+ char *krb_renewable;
+#endif /* KRB5 */
+ int krb_save_credentials;
+ char *krb_tmp_dir;
} kerb_auth_config;