Package: libapache2-mod-auth-kerb
Version: 5.4-1.1
Severity: important
Tags: squeeze patch

Hi,

I really need the option "KrbAppendRealm" to strip off the realm. Otherwise
it is not possible to check the group membership of the username using LDAP.

Simply re-add the patch to "debian/patches/series" and use the refreshed version
supplied with this report.

Regards,
Markus

-- System Information:
Debian Release: 6.0
  APT prefers squeeze-updates
  APT policy: (500, 'squeeze-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libapache2-mod-auth-kerb depends on:
ii  apache2.2-common            2.2.16-6     Apache HTTP Server common files
ii  krb5-config                 2.2          Configuration files for Kerberos V
ii  libc6                       2.11.2-10    Embedded GNU C Library: Shared lib
ii  libcomerr2                  1.41.12-2    common error description library
ii  libgssapi-krb5-2            1.8.3+dfsg-4 MIT Kerberos runtime libraries - k
ii  libk5crypto3                1.8.3+dfsg-4 MIT Kerberos runtime libraries - C
ii  libkrb5-3                   1.8.3+dfsg-4 MIT Kerberos runtime libraries

libapache2-mod-auth-kerb recommends no packages.

libapache2-mod-auth-kerb suggests no packages.

-- no debconf information
Index: libapache-mod-auth-kerb-5.4/src/mod_auth_kerb.c
===================================================================
--- libapache-mod-auth-kerb-5.4.orig/src/mod_auth_kerb.c	2008-12-04 11:14:03.000000000 +0100
+++ libapache-mod-auth-kerb-5.4/src/mod_auth_kerb.c	2011-02-17 21:31:23.000000000 +0100
@@ -157,6 +157,7 @@
 	const char *krb_service_name;
 	int krb_authoritative;
 	int krb_delegate_basic;
+	int krb_append_realm;
 #if 0
 	int krb_ssl_preauthentication;
 #endif
@@ -220,6 +221,9 @@
    command("KrbDelegateBasic", ap_set_flag_slot, krb_delegate_basic,
      FLAG, "Always offer Basic authentication regardless of KrbMethodK5Pass and pass on authentication to lower modules if Basic headers arrive."),
 
+   command("KrbAppendRealm", ap_set_flag_slot, krb_append_realm,
+     FLAG, "Append the realm name when setting $REMOTE_USER."),
+
 #if 0
    command("KrbEnableSSLPreauthentication", ap_set_flag_slot, krb_ssl_preauthentication,
      FLAG, "Don't do Kerberos authentication if the user is already authenticated using SSL and her client certificate."),
@@ -325,6 +329,7 @@
 	((kerb_auth_config *)rec)->krb_service_name = NULL;
 	((kerb_auth_config *)rec)->krb_authoritative = 1;
 	((kerb_auth_config *)rec)->krb_delegate_basic = 0;
+	((kerb_auth_config *)rec)->krb_append_realm = 1;
 #if 0
 	((kerb_auth_config *)rec)->krb_ssl_preauthentication = 0;
 #endif
@@ -524,7 +529,8 @@
    user = apr_pstrdup(r->pool, sent_name);
    if (sent_instance)
       user = apr_pstrcat(r->pool, user, ".", sent_instance, NULL);
-   user = apr_pstrcat(r->pool, user, "@", realm, NULL);
+   if (conf->krb_append_realm)
+      user = apr_pstrcat(r->pool, user, "@", realm, NULL);
 
    MK_USER = user;
    MK_AUTH_TYPE = "Basic";
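Review bot: With `KrbAppendRealm off` the realm is dropped from the name stored in MK_USER here, and again in the hunks at -1064 and -1461, with no check of which realm the principal belongs to. If the server accepts principals from more than one realm (cross-realm trust, for instance), `alice@REALM.A` and `alice@REALM.B` (constructed names) would both reach LDAP group checks and `Require user` lines as `alice`. Consider stripping only when the realm equals the configured or default realm and keeping the full name otherwise. The directive's help string should also state the effect, e.g. `"Append the realm name when setting $REMOTE_USER; when off, users of different realms are indistinguishable."`. The enclosing function starts and ends outside the hunk.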
@@ -1064,6 +1070,9 @@
    MK_AUTH_TYPE = "Basic";
    free(name);
 
+   if (!conf->krb_append_realm && (name = strchr(MK_USER, '@')))
+      *name = '\0';
+
    if (conf->krb_save_credentials)
       store_krb5_creds(kcontext, r, conf, ccache);
 
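Review bot: `strchr(MK_USER, '@')` cuts at the first `@`, but an unparsed principal can carry an escaped `\@` inside the name part (an enterprise-style name, for example), so the user name could be truncated in the middle; the Negotiate hunk at -1461 has the same call. `strrchr` finds the separator in front of the realm instead. The check also reuses `name` directly after `free(name)`, leaving it pointing into pool memory, which would be an invalid free if any later path in this function frees `name` again (not visible from the hunk). A separate local declared with the others covers both: `at = strrchr(MK_USER, '@');` then `if (!conf->krb_append_realm && at) *at = '\0';`. The function body continues outside the hunk.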
@@ -1327,6 +1336,7 @@
   gss_ctx_id_t context = GSS_C_NO_CONTEXT;
   gss_cred_id_t server_creds = GSS_C_NO_CREDENTIAL;
   OM_uint32 ret_flags = 0;
+  char *name = NULL;
 
   *negotiate_ret_value = "\0";
 
@@ -1461,6 +1471,9 @@
   MK_AUTH_TYPE = MECH_NEGOTIATE;
   MK_USER = apr_pstrdup(r->pool, output_token.value);
 
+  if (!conf->krb_append_realm && (name = strchr(MK_USER, '@')))
+    *name = '\0';
+
   if (conf->krb_save_credentials && delegated_cred != GSS_C_NO_CREDENTIAL)
      store_gss_creds(r, conf, (char *)output_token.value, delegated_cred);
   
