accepted patch [ 1809998 ] "Accept any incoming credential in keytab" with some minor...
authorbaalberith <baalberith>
Wed, 17 Sep 2008 14:01:55 +0000 (14:01 +0000)
committerbaalberith <baalberith>
Wed, 17 Sep 2008 14:01:55 +0000 (14:01 +0000)
README
src/mod_auth_kerb.c

diff --git a/README b/README
index 4303e80..0906b7c 100644 (file)
--- a/README
+++ b/README
@@ -66,6 +66,8 @@ KrbServiceName server_principal
    is used. The FQDN part can contain any hostname and can be used to work
    around problems with misconfigured DNS. A corresponding key of this name
    must be stored in the keytab.
+   If this option is set to 'Any', then any prinicpal from the keytab which
+   matches the client's request may be used.
 
 Krb4Srvtab /path/to/srvtab
    This option takes one argument, specifying the path to the Kerberos V4
index 587e930..3f3a3fb 100644 (file)
@@ -897,6 +897,10 @@ authenticate_user_krb5pwd(request_rec *r,
    int             all_principals_unkown;
    char            *p = NULL;
 
+   //temporary fix for KrbServiceName Any
+   if (conf->krb_service_name && strcmp(conf->krb_service_name,"Any") == 0)
+      snprintf(conf->krb_service_name, 5,"%s","HTTP");
+
    code = krb5_init_context(&kcontext);
    if (code) {
       log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
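Review bot: The `snprintf(conf->krb_service_name, 5,"%s","HTTP")` added at the top of authenticate_user_krb5pwd overwrites the configuration string in place. "Any" occupies four bytes with its terminator and "HTTP" needs five, so unless the directive value sits in a larger buffer (its allocation is not visible here) this writes one byte past it. The change also persists: once a password login has run, the value is no longer "Any", so the `strcmp(conf->krb_service_name,"Any")` branch this commit adds to get_gss_creds would presumably stop matching for that configuration, and a threaded server would race on the write. Keep conf read-only and choose the name locally, e.g. `const char *service = (conf->krb_service_name && strcmp(conf->krb_service_name, "Any") == 0) ? "HTTP" : conf->krb_service_name;`, then use `service` in the rest of the function, whose body continues outside the hunk.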
@@ -1154,6 +1158,10 @@ get_gss_creds(request_rec *r,
    have_server_princ = conf->krb_service_name && strchr(conf->krb_service_name, '/') != NULL;
    if (have_server_princ)
       strncpy(buf, conf->krb_service_name, sizeof(buf));
+   else if (conf->krb_service_name && strcmp(conf->krb_service_name,"Any") == 0) {      
+      *server_creds = GSS_C_NO_CREDENTIAL;
+      return 0;
+   }
    else
       snprintf(buf, sizeof(buf), "%s@%s",
               (conf->krb_service_name) ? conf->krb_service_name : SERVICE_NAME,
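Review bot: The new `"Any"` branch in get_gss_creds returns `GSS_C_NO_CREDENTIAL` without saying what that widens. Presumably the acceptor call (not visible here) then accepts a ticket for whichever keytab key matches, so every principal in the keytab becomes a valid target for HTTP authentication, including keys for unrelated services if the keytab is shared. I would add a comment above the branch such as `/* "Any": no acceptor name is bound; the keytab must hold only keys meant for this web server */` and state the same caveat in the README entry for KrbServiceName, which this commit extends without it. The literal is also compared case-sensitively in two functions, so a shared `#define` for it would keep them in step. get_gss_creds starts and ends outside the hunk.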