Attached is an updated patch. The usage of syslog has been removed and
the text of the error message improved and the error referred to in #2
has been uncommented. Additionally, I added a check on the return value
of krb5_parse_name() in case that call fails.
The credit for this feature goes to Matt Benjamin here at the Linuxbox.
I am only the middleman getting it contributed back.
Thanks again,
Jason
Jason Noble wrote:
Thanks for the quick response Andrew. I'll make the requested changes,
ensure it builds properly and re-submit shortly.
--Jason
Andrew Mortensen wrote:
On Aug 5, 2009, at 12:00 PM, Jason Noble wrote:
While recently setting up a Cosign installation, we needed to
explicitly set the Kerberos principal Cosign uses. The attached
patch allows the configuration variable "cosignprincipal" in
cosign.conf to set the principal Cosign will use to authenticate to
Kerberos as. We thought this may be helpful to other users as well,
so are giving it to the community. The patch was created against
v3.0.2.
This is reasonable. A couple things:
1) There's no need to use syslog. Use fprintf to stderr instead, and
Apache will dump the output to its error log.
2) Why is the error message commented out if the
krb5_verify_init_creds call fails? This looks like the remnants of
some debugging while you were testing your patch. Adding an fprintf to
log when krb5_verify_init_creds fails is just fine; what you've got
stuck in that block isn't.
Clean these things up, and I'll commit it. Thanks for supporting cosign!
andrew
------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________
Cosign-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/cosign-discuss
diff --git a/cgi/login.c b/cgi/login.c
index 251d534..8c53335 100644
--- a/cgi/login.c
+++ b/cgi/login.c
@@ -36,6 +36,7 @@
#ifdef KRB
static char *keytab_path = _KEYTAB_PATH;
static char *ticket_path = _COSIGN_TICKET_CACHE;
+static char *cosign_princ = NULL;
#endif /* KRB */
extern char *cosign_host, *cosign_conf;
@@ -79,6 +80,9 @@ lcgi_configure()
if (( val = cosign_config_get( COSIGNTICKKEY )) != NULL ) {
ticket_path = val;
}
+ if (( val = cosign_config_get( COSIGNPRINCIPALKEY )) != NULL ) {
+ cosign_princ = val;
+ }
# endif /* KRB */
# ifdef SQL_FRIEND
@@ -326,12 +330,21 @@ cosign_login_krb5( struct connlist *head, char *cosignname, char *id,
exit( 0 );
}
- if (( kerror = krb5_sname_to_principal( kcontext, NULL, "cosign",
- KRB5_NT_SRV_HST, &sprinc )) != 0 ) {
+ if (cosign_princ) {
+ if ((kerror = krb5_parse_name( kcontext, cosign_princ, &sprinc ) != 0 )) {
+ sl[ SL_ERROR ].sl_data = (char *)error_message( kerror );
+ sl[ SL_TITLE ].sl_data = "Server Principal Error";
+ subfile( tmpl, sl, 0 );
+ exit( 0 );
+ }
+ } else {
+ if (( kerror = krb5_sname_to_principal( kcontext, NULL,
+ "cosign", KRB5_NT_SRV_HST, &sprinc )) != 0 ) {
sl[ SL_ERROR ].sl_data = (char *)error_message( kerror );
sl[ SL_TITLE ].sl_data = "Server Principal Error";
subfile( tmpl, sl, 0 );
exit( 0 );
+ }
}
if (( kerror = krb5_verify_init_creds(
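Review bot: the parentheses in the new krb5_parse_name() check are misplaced: `if ((kerror = krb5_parse_name( kcontext, cosign_princ, &sprinc ) != 0 ))` assigns the result of the comparison (0 or 1) to kerror, so when parsing fails error_message( kerror ) describes error code 1 instead of the Kerberos error that actually occurred. Use the same form as the krb5_sname_to_principal() call in the else branch: `if (( kerror = krb5_parse_name( kcontext, cosign_princ, &sprinc )) != 0 ) {`. Minor style point: `if (cosign_princ)` differs from the explicit `!= NULL` comparisons used elsewhere in this file, for example in lcgi_configure() above.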
@@ -339,6 +352,11 @@ cosign_login_krb5( struct connlist *head, char *cosignname, char *id,
sl[ SL_ERROR ].sl_data = (char *)error_message( kerror );
sl[ SL_TITLE ].sl_data = "Ticket Verify Error";
subfile( tmpl, sl, 0 );
+ int code;
+ char *name;
+ code = krb5_unparse_name( kcontext, sprinc, &name);
+ fprintf( stderr, "Ticket Verify Error for principal: %s\n", name);
+ free(name);
krb5_free_principal( kcontext, sprinc );
exit( 0 );
}
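Review bot: the return value of krb5_unparse_name() is stored in `code` but never checked, so if the call fails `name` is left unset and both the fprintf and the free() operate on an indeterminate pointer. Test `code` before using `name`, and since the string is allocated by the Kerberos library, release it with krb5_free_unparsed_name( kcontext, name ) rather than free(). The `int code;` and `char *name;` declarations also sit in the middle of the block after the sl[] assignments, which breaks the declarations-first style the surrounding code follows; move them to the top of the enclosing block.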
diff --git a/common/config.h b/common/config.h
index 37629bf..d5ffd64 100644
--- a/common/config.h
+++ b/common/config.h
@@ -67,6 +67,7 @@ struct matchlist {
#define COSIGNTMPLDIRKEY "cosigntmpldir"
#define COSIGNHOSTKEY "cosignhost"
#define COSIGNKEYTABKEY "cosignkeytab"
+#define COSIGNPRINCIPALKEY "cosignprincipal"
#define COSIGNLOGOUTURLKEY "cosignlogouturl"
#define COSIGNTIMEOUTKEY "cosignnettimeout"
#define COSIGNPORTKEY "cosignport"
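Review bot: the new "cosignprincipal" key is not documented anywhere in the patch. The cosign.conf documentation or sample configuration should describe the key and state that, when set, it replaces the host-based service principal that krb5_sname_to_principal() would otherwise derive in cosign_login_krb5().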