diff -Nur squid-3/acinclude/krb5.m4 squid-3-krb5/acinclude/krb5.m4 --- squid-3/acinclude/krb5.m4 2010-06-01 01:12:46.000000000 +0100 +++ squid-3-krb5/acinclude/krb5.m4 2010-06-05 13:16:50.000000000 +0100 @@ -104,23 +104,25 @@ AC_DEFUN([SQUID_CHECK_WORKING_GSSAPI], [ AC_CACHE_CHECK([for working gssapi], squid_cv_working_gssapi, [ AC_RUN_IFELSE([AC_LANG_SOURCE([[ +#ifdef HAVE_HEIMDAL_KERBEROS #ifdef HAVE_GSSAPI_GSSAPI_H #include -#elif HAVE_GSSAPI_H +#elif defined(HAVE_GSSAPI_H) #include #endif - -#ifdef HAVE_GSSAPI_GSSAPI_EXT_H -#include +#else +#ifdef HAVE_GSSAPI_GSSAPI_H +#include +#elif defined(HAVE_GSSAPI_H) +#include #endif - #ifdef HAVE_GSSAPI_GSSAPI_KRB5_H #include #endif - #ifdef HAVE_GSSAPI_GSSAPI_GENERIC_H #include #endif +#endif int main(void) { diff -Nur squid-3/configure.in squid-3-krb5/configure.in --- squid-3/configure.in 2010-06-01 01:13:25.000000000 +0100 +++ squid-3-krb5/configure.in 2010-06-05 13:16:50.000000000 +0100 @@ -1792,6 +1792,7 @@ AC_CHECK_LIB(krb5,krb5_get_error_message, AC_DEFINE(HAVE_KRB5_GET_ERROR_MESSAGE,1, [Define to 1 if you have krb5_get_error_message]),) + AC_CHECK_DECLS(krb5_kt_free_entry,,,[#include ]) AC_CHECK_LIB(krb5,krb5_kt_free_entry, AC_DEFINE(HAVE_KRB5_KT_FREE_ENTRY,1, [Define to 1 if you have krb5_kt_free_entry]),) @@ -1877,6 +1878,9 @@ else AC_MSG_NOTICE([external acl helper $helper ... found but cannot be built]) fi + if test "$helper" = "kerberos_ldap_group" ; then + squid_require_sasl=yes + fi done fi AC_MSG_NOTICE([External acl helpers built: $EXTERNAL_ACL_HELPERS]) @@ -1987,6 +1991,16 @@ AC_MSG_ERROR(Neither SASL nor SASL2 found) ]) ]) + case "$host_os" in + Darwin) + if test "$ac_cv_lib_sasl2_sasl_errstring" = "yes" ; then + AC_DEFINE(HAVE_SASL_DARWIN,1,[Define to 1 if Mac Darwin without sasl.h]) + echo "checking for MAC Darwin without sasl.h ... yes" + else + echo "checking for MAC Darwin without sasl.h ... no" + fi + ;; + esac AC_SUBST(LIBSASL) fi @@ -2837,16 +2851,219 @@ dnl On MinGW OpenLDAP is not available, so LDAP helpers can be linked dnl only with Windows LDAP libraries using -lwldap32 case "$host_os" in -mingw|mingw32) - LDAPLIB="-lwldap32" - LBERLIB="" - ;; -*) - LDAPLIB="-lldap" - dnl LDAP helpers need to know if -llber is needed or not - AC_CHECK_LIB(lber, main, [LBERLIB="-llber"]) - ;; + mingw|mingw32) + LDAPLIB="-lwldap32" + LBERLIB="" + ;; + *) + AC_CHECK_LIB(ldap, ldap_init, [LDAPLIB="-lldap"]) + dnl LDAP helpers need to know if -llber is needed or not + AC_CHECK_LIB(lber, ber_init, [LBERLIB="-llber"]) + dnl if no ldap lib found check for mozilla version + if test "x$ac_cv_lib_ldap_ldap_init" != x""yes; then + oLIBS=$LIBS + LIBS="$LIBPTHREADS" + AC_CHECK_LIB(ldap60, ldap_init, [LDAPLIB="-lldap60"]) + LIBS="$LDAPLIB $LIBPTHREADS" + AC_CHECK_LIB(prldap60, prldap_init, [LDAPLIB="-lprldap60 $LDAPLIB"]) + LIBS="$LDAPLIB $LIBPTHREADS" + AC_CHECK_LIB(ssldap60, ldapssl_init, [LDAPLIB="-lssldap60 $LDAPLIB"]) + LIBS=$oLIBS + fi + + AC_CHECK_HEADERS(ldap.h lber.h) + AC_CHECK_HEADERS(mozldap/ldap.h) + + dnl + dnl Check for LDAP_OPT_DEBUG_LEVEL + dnl + AC_MSG_CHECKING([for LDAP_OPT_DEBUG_LEVEL]) + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ +# include + ]],[[ + int i=LDAP_OPT_DEBUG_LEVEL + ]])], + [ AC_MSG_RESULT(yes) ], + [ AC_MSG_RESULT(no) ]) + + dnl + dnl Check for working ldap + dnl + oLIBS=$LIBS + LIBS="$LDAPLIB $LBERLIB $LIBPTHREADS" + AC_MSG_CHECKING([for working ldap]) + AC_RUN_IFELSE([AC_LANG_SOURCE([[ +# define LDAP_DEPRECATED 1 +# if HAVE_LDAP_H +# include +# elif HAVE_MOZLDAP_LDAP_H +# include +# endif + int + main(void) + { + char host[]=""; + int port; + + ldap_init((const char *)&host, port); + + return 0; + } + ]])], + [ AC_DEFINE(HAVE_LDAP, 1, [LDAP support]) + AC_MSG_RESULT(yes) ], + [ AC_MSG_RESULT(no) ]) + LIBS=$oLIBS + + dnl + dnl Check for ldap vendor + dnl + AC_MSG_CHECKING([for OpenLDAP]) + AC_RUN_IFELSE([AC_LANG_SOURCE([[ +# if HAVE_LDAP_H +# include +# endif +# include + int + main(void) + { + return strcmp(LDAP_VENDOR_NAME,"OpenLDAP"); + } + ]])], + [ AC_DEFINE(HAVE_OPENLDAP, 1, [OpenLDAP support]) + AC_MSG_RESULT(yes) ], + [ AC_MSG_RESULT(no) ]) + + AC_MSG_CHECKING([for Sun LDAP SDK]) + AC_RUN_IFELSE([AC_LANG_SOURCE([[ +# if HAVE_LDAP_H +# include +# endif +# include + int + main(void) + { + return strcmp(LDAP_VENDOR_NAME,"Sun Microsystems Inc."); + } + ]])], + [ AC_DEFINE(HAVE_SUN_LDAP_SDK, 1, [Sun LDAP SDK support]) + AC_MSG_RESULT(yes) ], + [ AC_MSG_RESULT(no) ]) + + AC_MSG_CHECKING([for Mozilla LDAP SDK]) + AC_RUN_IFELSE([AC_LANG_SOURCE([[ +# if HAVE_LDAP_H +# include +# elif HAVE_MOZLDAP_LDAP_H +# include +# endif +# include + int + main(void) + { + return strcmp(LDAP_VENDOR_NAME,"mozilla.org"); + } + ]])], + [ AC_DEFINE(HAVE_MOZILLA_LDAP_SDK, 1, [Mozilla LDAP SDK support]) + AC_MSG_RESULT(yes) ], + [ AC_MSG_RESULT(no)]) + + dnl + dnl Check for LDAP_REBINDPROC_CALLBACK + dnl + AC_MSG_CHECKING([for LDAP_REBINDPROC_CALLBACK]) + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ +# if HAVE_LDAP_H +# include +# elif HAVE_MOZLDAP_LDAP_H +# include +# endif + ]],[[ + LDAP_REBINDPROC_CALLBACK ldap_rebind; + ]])], + [ AC_DEFINE(HAVE_LDAP_REBINDPROC_CALLBACK,1,[Define to 1 if you have LDAP_REBINDPROC_CALLBACK]) + AC_MSG_RESULT(yes) ], + [ AC_MSG_RESULT(no) ]) + + dnl + dnl Check for LDAP_REBIND_PROC + dnl + AC_MSG_CHECKING([for LDAP_REBIND_PROC]) + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ +# if HAVE_LDAP_H +# include +# elif HAVE_MOZLDAP_LDAP_H +# include +# endif + ]],[[ + LDAP_REBIND_PROC ldap_rebind; + ]])], + [ AC_DEFINE(HAVE_LDAP_REBIND_PROC,1,[Define to 1 if you have LDAP_REBIND_PROC]) + AC_MSG_RESULT(yes) ], + [ AC_MSG_RESULT(no) ]) + + dnl + dnl Check for LDAP_REBIND_FUNCTION + dnl + AC_MSG_CHECKING([for LDAP_REBIND_FUNCTION]) + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ +# define LDAP_REFERRALS +# if HAVE_LDAP_H +# include +# elif HAVE_MOZLDAP_LDAP_H +# include +# endif + ]],[[ + LDAP_REBIND_FUNCTION ldap_rebind; + ]])], + [ AC_DEFINE(HAVE_LDAP_REBIND_FUNCTION,1,[Define to 1 if you have LDAP_REBIND_FUNCTION]) + AC_MSG_RESULT(yes) ], + [ AC_MSG_RESULT(no) ]) + + dnl + dnl Check for LDAP_SCOPE_DEFAULT + dnl + AC_MSG_CHECKING([for LDAP_SCOPE_DEFAULT]) + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ +# if HAVE_LDAP_H +# include +# elif HAVE_MOZLDAP_LDAP_H +# include +# endif + ]],[[ + int i=LDAP_SCOPE_DEFAULT; + ]])], + [ AC_DEFINE(HAVE_LDAP_SCOPE_DEFAULT,1,[Define to 1 if you have LDAP_SCOPE_DEFAULT]) + AC_MSG_RESULT(yes) ], + [ AC_MSG_RESULT(no) ]) + + dnl + dnl Check for ldap_url_desc.lud_scheme + dnl + AC_CHECK_MEMBER(struct ldap_url_desc.lud_scheme, + AC_DEFINE(HAVE_LDAP_URL_LUD_SCHEME,1, + [Define to 1 if you have LDAPURLDesc.lud_scheme]),,[#include ]) + + dnl + dnl Check for ldapssl_client_init + dnl + AC_CHECK_LIB(ldap,ldapssl_client_init, + AC_DEFINE(HAVE_LDAPSSL_CLIENT_INIT,1,[Define to 1 if you have ldapssl_client_init]),) + + dnl + dnl Check for ldap_url_desc2str + dnl + AC_CHECK_LIB(ldap,ldap_url_desc2str, + AC_DEFINE(HAVE_LDAP_URL_DESC2STR,1,[Define to 1 if you have ldap_url_desc2str]),) + + dnl + dnl Check for ldap_url_parse + dnl + AC_CHECK_LIB(ldap,ldap_url_parse, + AC_DEFINE(HAVE_LDAP_URL_PARSE,1,[Define to 1 if you have ldap_url_parse]),) + ;; esac + AC_SUBST(LDAPLIB) AC_SUBST(LBERLIB) @@ -3825,6 +4042,7 @@ helpers/negotiate_auth/mswin_sspi/Makefile \ helpers/external_acl/Makefile \ helpers/external_acl/ip_user/Makefile \ + helpers/external_acl/kerberos_ldap_group/Makefile \ helpers/external_acl/ldap_group/Makefile \ helpers/external_acl/session/Makefile \ helpers/external_acl/unix_group/Makefile \ diff -Nur squid-3/CREDITS squid-3-krb5/CREDITS --- squid-3/CREDITS 2010-06-01 01:12:46.000000000 +0100 +++ squid-3-krb5/CREDITS 2010-06-05 13:16:50.000000000 +0100 @@ -486,3 +486,19 @@ ============================================================================== +helpers/external_acl/kerberos_ldap_group/support_ldap.cc + +/* get_attributes is partly from OpenLDAP Software . + * + * Copyright 1998-2009 The OpenLDAP Foundation. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted only as authorized by the OpenLDAP + * Public License. + * + * A copy of this license is available in the file LICENSE in the + * top-level directory of the distribution or, alternatively, at + * . + */ + diff -Nur squid-3/helpers/external_acl/kerberos_ldap_group/cert_tool squid-3-krb5/helpers/external_acl/kerberos_ldap_group/cert_tool --- squid-3/helpers/external_acl/kerberos_ldap_group/cert_tool 1970-01-01 01:00:00.000000000 +0100 +++ squid-3-krb5/helpers/external_acl/kerberos_ldap_group/cert_tool 2010-06-05 13:16:50.000000000 +0100 @@ -0,0 +1,83 @@ +#!/bin/ksh +# +# ----------------------------------------------------------------------------- +# +# Author: Markus Moeller (markus_moeller at compuserve.com) +# +# Copyright (C) 2007 Markus Moeller. All rights reserved. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA. +# +# ----------------------------------------------------------------------------- +# +# +# creates the following files: +# .cert +# secmod.db +# key3.db +# cert8.db +# +# +if [ -z "$1" ]; then + echo "Usage: `basename $0` ldap-server port" + exit 0 +fi +if [ -z "$2" ]; then + port=636 +else + port=$2 +fi + +server=$1 + +# +# Remove old files +# +rm ${server}_[0-9]*.cert 2>/dev/null +# +# Get certs and store in .cert file +# +( openssl s_client -showcerts -connect $server:$port 2>/dev/null < ostart ) {print $0 >>"'$server'_"start".cert"}; + if ( $0 ~ /END CERTIFICATE/) { ostart=start } }' + +# +# from mozilla-nss-tools +# /usr/sfw/bin on Solaris +# +# +# Create database for Sun ldap and pem file for Openldap +# +rm ${server}_[0-9]*.pem 2>/dev/null +let i=0 + ls ${server}_[0-9]*.cert | while read file; do + let i=i+1 + cat $file >> ${server}_$i.pem + CA=`openssl x509 -noout -text -in ${server}_$i.pem | grep -i "CA:.*true"` + if [ -n "$CA" ]; then + echo "CA is in ${server}_$i.pem" + certutil -A -a -n "${server}_$i" -i $file -t "C,," -d . + else + certutil -A -a -n "${server}_$i" -i $file -t "P,," -d . + fi + rm $file +done +echo "Certs:" +certutil -d . -L +echo "are in" +ls *.db diff -Nur squid-3/helpers/external_acl/kerberos_ldap_group/config.test squid-3-krb5/helpers/external_acl/kerberos_ldap_group/config.test --- squid-3/helpers/external_acl/kerberos_ldap_group/config.test 1970-01-01 01:00:00.000000000 +0100 +++ squid-3-krb5/helpers/external_acl/kerberos_ldap_group/config.test 2010-06-05 13:16:50.000000000 +0100 @@ -0,0 +1,6 @@ +#!/bin/sh +# Don't build without gssapi.h +if test -f /usr/include/ldap.h || test -f /usr/local/include/ldap.h ; then + exit 0 +fi +exit 1 diff -Nur squid-3/helpers/external_acl/kerberos_ldap_group/kerberos_ldap_group.8 squid-3-krb5/helpers/external_acl/kerberos_ldap_group/kerberos_ldap_group.8 --- squid-3/helpers/external_acl/kerberos_ldap_group/kerberos_ldap_group.8 1970-01-01 01:00:00.000000000 +0100 +++ squid-3-krb5/helpers/external_acl/kerberos_ldap_group/kerberos_ldap_group.8 2010-06-05 13:16:50.000000000 +0100 @@ -0,0 +1,233 @@ +.if !'po4a'hide' .TH kerberos_ldap_group 8 +. +.SH NAME +.if !'po4a'hide' .B kerberos_ldap_group +.if !'po4a'hide' \- +Squid LDAP external acl group helper +.PP +Version 1.2.2sq +. +.SH SYNOPSIS +.if !'po4a'hide' .B kerberos_ldap_group +.if !'po4a'hide' .B [\-h] [\-d] [\-i] [\-s] [\-a] [\-D Realm ] [\-N Netbios-Realm-List] [\-m Max-Depth] [\-u Ldap-User] [\-p Ldap-Password] [\-b Ldap-Bind-Path] [\-l Ldap-URL] \-g Group-Realm-List \-t Hex-Group-Realm-List \-T Hex-Group-Hex-Realm-List +. +.SH DESCRIPTION +.B kerberos_ldap_group +is an installed binary and allows Squid to connect to a LDAP directory to +authorize users via LDAP groups. Options are specified as parameters on the +command line, while the username (e.g. user, user@REALM, NDOMAIN\\user) to +be checked against the LDAP directory are specified on subsequent lines of +input to the helper, one username per line. +.PP +.B kerberos_ldap_group +will determine the ldap server name from DNS SRV and/or +A records or a local hosts file (e.g. for the Kerberos Realm SUSE.HOME it +will look for an SRV record _ldap._tcp.SUSE.HOME and an A record SUSE.HOME +or a SUSE.HOME hosts entry). If no domain information is available from the +username the ldap server will be determined through the command line options. +.PP +.B kerberos_ldap_group +requires as a minimum the -g, -t or -T option which +provides the ldap group name the user has to belong too. For Active Directory +a recursive group lookup is implemented until a max depth specified by -m depth. +For other Ldap servers a RFC2307bis schema of groups is assumed. +.PP +Different group names can be specified for different domains using a +group@domain syntax. +As expected by the +.B external_acl_type +construct of Squid, after +specifying a username and group followed by a new line, this +helper will produce either +.B OK +or +.B ERR +on the following line +to show if the user is a member of the specified group. +. +.SH OPTIONS +.if !'po4a'hide' .TP 12 +.if !'po4a'hide' .B \-h +Display the binary help and command line syntax info using stderr. +.if !'po4a'hide' .TP 12 +.if !'po4a'hide' .B \-d +Write debug messages to stderr. +.if !'po4a'hide' .TP 12 +.if !'po4a'hide' .B \-i +Write informational messages to stderr. +.if !'po4a'hide' .TP 12 +.if !'po4a'hide' .B \-s +Use SSL for the ldap connection. +.IP +The CA certificate file can be set via the environment variable TLS_CACERTFILE (default /etc/ssl/certs/cert.pem) (OpenLDAP). +.IP +The SSL certificate database can be set via the environment variable SSL_CERTDBPATH (default /etc/certs) (Sun and Mozilla LDAP SDK). +.if !'po4a'hide' .TP 12 +.if !'po4a'hide' .B \-a +Allow SSL without certificate verification. +.if !'po4a'hide' .TP 12 +.if !'po4a'hide' .B \-D Realm +Default Kerberos domain to use for usernames which do not contain domain +information (e.g. for users using basic authentication). +.if !'po4a'hide' .TP 12 +.if !'po4a'hide' .B \-N Netbios-Realm-List +A list of Netbios name mappings to Kerberos domain names of the form +Netbios-Name@Kerberos-Realm[:Netbios-Name@Kerberos-Realm] (e.g. for users +using NTLM authentication). +.if !'po4a'hide' .TP 12 +.if !'po4a'hide' .B \-m Max-Depth +Maximal depth of recursive group search. +.if !'po4a'hide' .TP 12 +.if !'po4a'hide' .B \-u Ldap-User +Username for LDAP server. +.if !'po4a'hide' .TP 12 +.if !'po4a'hide' .B \-u Ldap-Password +Password for LDAP server. +.IP +As the password needs to be printed in plain text in your Squid configuration +it is strongly recommended to use a account with minimal associated privileges. +This to limit the damage in case someone could get hold of a copy of your Squid +configuration file or extracts the password used from a process listing. +. +.if !'po4a'hide' .TP 12 +.if !'po4a'hide' .B \-b Ldap-Bind-Path +LDAP server bind path. +.if !'po4a'hide' .TP 12 +.if !'po4a'hide' .B \-u Ldap-URL +LDAP server URL in form ldap[s]://server:port +.if !'po4a'hide' .TP 12 +.if !'po4a'hide' .B \-g Group-Realm-List +A list of group name per Kerberos domain of the form +Group|Group@|Group@Realm[:Group@|Group@Realm] +.if !'po4a'hide' .TP 12 +.if !'po4a'hide' .B \-t Hex-Group-Realm-List +A list of group name per Kerberos domain of the +form Group|Group@|Group@Realm[:Group@|Group@Realm] where group is in +UTF-8 hex format +.if !'po4a'hide' .TP 12 +.if !'po4a'hide' .B \-T Hex-Group-Hex-Realm-List +A list of group name per Kerberos domain of the form +Group|Group@|Group@Realm[:Group@|Group@Realm] where group and domain +is in UTF-8 hex format +. +.SH CONFIGURATION +.PP See FAQ wiki page for examples of how to write configuration snippets. (TBD) +.PP +This helper is intended to be used as an +.B external_acl_type +helper in +.B squid.conf. +.if !'po4a'hide' .P +.if !'po4a'hide' .ft CR +.if !'po4a'hide' .nf +.if !'po4a'hide' external_acl_type kerberos_ldap_group1 ttl=3600 negative_ttl=3600 %LOGIN /path/to/kerberos_ldap_group -g GROUP1 +.if !'po4a'hide' .br +.if !'po4a'hide' external_acl_type kerberos_ldap_group2 ttl=3600 negative_ttl=3600 %LOGIN /path/to/kerberos_ldap_group -g GROUP2 +.if !'po4a'hide' .br +.if !'po4a'hide' acl group1 external kerberos_ldap_group1 +.if !'po4a'hide' .br +.if !'po4a'hide' acl group2 external kerberos_ldap_group2 +.if !'po4a'hide' .fi +.if !'po4a'hide' .ft +.PP +.B NOTE: +The following squid startup file modification may be required: + +Add the following lines to the squid startup script to point squid to a keytab file which +contains the HTTP/fqdn service principal for the default Kerberos domain. The fqdn must be +the proxy name set in IE or firefox. You can not use an IP address. + +KRB5_KTNAME=/etc/squid/HTTP.keytab +export KRB5_KTNAME + +If you use a different Kerberos domain than the machine itself is in you can point squid to +the seperate Kerberos config file by setting the following environmnet variable in the startup +script. + +KRB5_CONFIG=/etc/krb5-squid.conf +export KRB5_CONFIG + +.B kerberos_ldap_group +will determine automagically the right ldap server. The following method is used: + +1) For user@REALM + a) Query DNS for SRV record _ldap._tcp.REALM + b) Query DNS for A record REALM + c) Use LDAP_URL if given + +2) For user + a) Use domain -D REALM and follow step 1) + b) Use LDAP_URL if given + +The Groups to check against are determined as follows: + +1) For user@REALM + a) Use values given by -g option which contain a @REALM e.g. -g GROUP1@REALM:GROUP2@REALM + b) Use values given by -g option which contain a @ only e.g. -g GROUP1@:GROUP2@ + c) Use values given by -g option which do not contain a realm e.g. -g GROUP1:GROUP2 + +2) For user + a) Use values given by -g option which do not contain a realm e.g. -g GROUP1:GROUP2 + +3) For NDOMAIN\\user + a) Use realm given by -N NDOMAIN@REALM and then use values given by -g option which contain a @REALM e.g. -g GROUP1@REALM:GROUP2@REALM + +To support Non-ASCII character use -t GROUP or -t GROUP@REALM instead of -g where GROUP is the hex UTF-8 representation e.g. + + -t 6d61726b7573 instead of -g markus + +The REALM must still be based on the ASCII character set. If REALM contains also non ASCII characters use -T GROUP@REALM where GROUP and REALM are hex UTF-8 representation e.g. + + -T 6d61726b7573@57494e3230303352322e484f4d45 instead of -g markus@WIN2003R2.HOME + +For a translation of hex UTF-8 see for example http://www.utf8-chartable.de/unicode-utf8-table.pl + +. +.SH AUTHOR +This program was written by +.if !'po4a'hide' .I Markus Moeller +.PP +This manual was written by +.if !'po4a'hide' .I Markus Moeller +. +.SH COPYRIGHT +This program and documentation is copyright to the authors named above. +.PP +Distributed under the GNU General Public License (GNU GPL) version 2 or later (GPLv2+). +. +.SH QUESTIONS +Questions on the usage of this program can be sent to the +.I Squid Users mailing list +.if !'po4a'hide' +. +.SH REPORTING BUGS +Bug reports need to be made in English. +See http://wiki.squid-cache.org/SquidFaq/BugReporting for details of what you need to include with your bug report. +.PP +Report bugs or bug fixes using http://bugs.squid-cache.org/ +.PP +Report serious security bugs to +.I Squid Bugs +.PP +Report ideas for new improvements to the +.I Squid Developers mailing list +.if !'po4a'hide' +. +.SH SEE ALSO +.if !'po4a'hide' .BR squid "(8) " +.if !'po4a'hide' .BR negotiate_kerberos_auth "(8) " +.br +.BR RFC1035 " - Domain names - implementation and specification," +.br +.BR RFC2782 " - A DNS RR for specifying the location of services (DNS SRV)," +.br +.BR RFC2254 " - The String Representation of LDAP Search Filters," +.br +.BR RFC2307bis " - An Approach for Using LDAP as a Network Information Service +http://www.padl.com/~lukeh/rfc2307bis.txt," +.br +The Squid FAQ wiki +.if !'po4a'hide' http://wiki.squid-cache.org/SquidFaq +.br +The Squid Configuration Manual +.if !'po4a'hide' http://www.squid-cache.org/Doc/config/ diff -Nur squid-3/helpers/external_acl/kerberos_ldap_group/kerberos_ldap_group.cc squid-3-krb5/helpers/external_acl/kerberos_ldap_group/kerberos_ldap_group.cc --- squid-3/helpers/external_acl/kerberos_ldap_group/kerberos_ldap_group.cc 1970-01-01 01:00:00.000000000 +0100 +++ squid-3-krb5/helpers/external_acl/kerberos_ldap_group/kerberos_ldap_group.cc 2010-06-05 13:16:50.000000000 +0100 @@ -0,0 +1,407 @@ +/* + * ----------------------------------------------------------------------------- + * + * Author: Markus Moeller (markus_moeller at compuserve.com) + * + * Copyright (C) 2007 Markus Moeller. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA. + * + * As a special exemption, M Moeller gives permission to link this program + * with MIT, Heimdal or other GSS/Kerberos libraries, and distribute + * the resulting executable, without including the source code for + * the Libraries in the source distribution. + * + * ----------------------------------------------------------------------------- + */ +/* + * Hosted at http://sourceforge.net/projects/squidkerbauth + */ +#include "config.h" +#include "util.h" + +#ifdef HAVE_LDAP + +#include "support.h" +#ifdef HAVE_CTYPE_H +#include +#endif + +void +init_args(struct main_args *margs) +{ + margs->nlist = NULL; + margs->glist = NULL; + margs->ulist = NULL; + margs->tlist = NULL; + margs->luser = NULL; + margs->lpass = NULL; + margs->lbind = NULL; + margs->lurl = NULL; + margs->ssl = NULL; + margs->rc_allow = 0; + margs->debug = 0; + margs->log = 0; + margs->AD = 0; + margs->mdepth = 5; + margs->ddomain = NULL; + margs->groups = NULL; + margs->ndoms = NULL; +} + +void clean_gd(struct gdstruct *gdsp); +void clean_nd(struct ndstruct *ndsp); + +void +clean_gd(struct gdstruct *gdsp) +{ + struct gdstruct *p = NULL, *pp = NULL; + + start: + p = gdsp; + if (!p) + return; + while (p->next) { + pp = p; + p = p->next; + } + if (p->group) { + xfree(p->group); + p->group = NULL; + } + if (p->domain) { + xfree(p->domain); + p->domain = NULL; + } + if (pp && pp->next) { + xfree(pp->next); + pp->next = NULL; + } + if (p == gdsp) { + xfree(gdsp); + gdsp = NULL; + } + goto start; +} + +void +clean_nd(struct ndstruct *ndsp) +{ + struct ndstruct *p = NULL, *pp = NULL; + + start: + p = ndsp; + if (!p) + return; + while (p->next) { + pp = p; + p = p->next; + } + if (p->netbios) { + xfree(p->netbios); + p->netbios = NULL; + } + if (p->domain) { + xfree(p->domain); + p->domain = NULL; + } + if (pp && pp->next) { + xfree(pp->next); + pp->next = NULL; + } + if (p == ndsp) { + xfree(ndsp); + ndsp = NULL; + } + goto start; +} + +void +clean_args(struct main_args *margs) +{ + if (margs->glist) { + xfree(margs->glist); + margs->glist = NULL; + } + if (margs->ulist) { + xfree(margs->ulist); + margs->ulist = NULL; + } + if (margs->tlist) { + xfree(margs->tlist); + margs->tlist = NULL; + } + if (margs->nlist) { + xfree(margs->nlist); + margs->nlist = NULL; + } + if (margs->luser) { + xfree(margs->luser); + margs->luser = NULL; + } + if (margs->lpass) { + xfree(margs->lpass); + margs->lpass = NULL; + } + if (margs->lbind) { + xfree(margs->lbind); + margs->lbind = NULL; + } + if (margs->lurl) { + xfree(margs->lurl); + margs->lurl = NULL; + } + if (margs->ssl) { + xfree(margs->ssl); + margs->ssl = NULL; + } + if (margs->ddomain) { + xfree(margs->ddomain); + margs->ddomain = NULL; + } + if (margs->groups) { + clean_gd(margs->groups); + margs->groups = NULL; + } + if (margs->ndoms) { + clean_nd(margs->ndoms); + margs->ndoms = NULL; + } +} + +void strup(char *s); + +int +main(int argc, char *const argv[]) +{ + char buf[6400]; + char *user, *domain; + char *nuser, *nuser8 = NULL, *netbios; + char *c; + int opt; + int length; + struct main_args margs; + + setbuf(stdout, NULL); + setbuf(stdin, NULL); + + init_args(&margs); + + while (-1 != (opt = getopt(argc, argv, "diasg:D:N:u:U:t:T:p:l:b:m:h"))) { + switch (opt) { + case 'd': + margs.debug = 1; + break; + case 'i': + margs.log = 1; + break; + case 'a': + margs.rc_allow = 1; + break; + case 's': + margs.ssl = (char *) "yes"; + break; + case 'g': + margs.glist = xstrdup(optarg); + break; + case 'D': + margs.ddomain = xstrdup(optarg); + break; + case 'N': + margs.nlist = xstrdup(optarg); + break; + case 'u': + margs.luser = xstrdup(optarg); + break; + case 'U': + margs.ulist = xstrdup(optarg); + break; + case 't': + margs.ulist = xstrdup(optarg); + break; + case 'T': + margs.tlist = xstrdup(optarg); + break; + case 'p': + margs.lpass = xstrdup(optarg); + /* Hide Password */ + memset(optarg, 'X', strlen(optarg)); + break; + case 'l': + margs.lurl = xstrdup(optarg); + break; + case 'b': + margs.lbind = xstrdup(optarg); + break; + case 'm': + margs.mdepth = atoi(optarg); + break; + case 'h': + fprintf(stderr, "Usage: \n"); + fprintf(stderr, "squid_kerb_ldap [-d] [-i] -g group list [-D domain] [-N netbios domain map] [-s] [-u ldap user] [-p ldap user password] [-l ldap url] [-b ldap bind path] [-a] [-m max depth] [-h]\n"); + fprintf(stderr, "-d full debug\n"); + fprintf(stderr, "-i informational messages\n"); + fprintf(stderr, "-g group list\n"); + fprintf(stderr, "-t group list (only group name hex UTF-8 format)\n"); + fprintf(stderr, "-T group list (all in hex UTF-8 format - except seperator @)\n"); + fprintf(stderr, "-D default domain\n"); + fprintf(stderr, "-N netbios to dns domain map\n"); + fprintf(stderr, "-u ldap user\n"); + fprintf(stderr, "-p ldap user password\n"); + fprintf(stderr, "-l ldap url\n"); + fprintf(stderr, "-b ldap bind path\n"); + fprintf(stderr, "-s use SSL encryption with Kerberos authentication\n"); + fprintf(stderr, "-a allow SSL without cert verification\n"); + fprintf(stderr, "-m maximal depth for recursive searches\n"); + fprintf(stderr, "-h help\n"); + fprintf(stderr, "The ldap url, ldap user and ldap user password details are only used if the kerberised\n"); + fprintf(stderr, "access fails(e.g. unknown domain) or if the username does not contain a domain part\n"); + fprintf(stderr, "and no default domain is provided.\n"); + fprintf(stderr, "If the ldap url starts with ldaps:// it is either start_tls or simple SSL\n"); + fprintf(stderr, "The group list can be:\n"); + fprintf(stderr, "group - In this case group can be used for all keberised and non kerberised ldap servers\n"); + fprintf(stderr, "group@ - In this case group can be used for all keberised ldap servers\n"); + fprintf(stderr, "group@domain - In this case group can be used for ldap servers of domain domain\n"); + fprintf(stderr, "group1@domain1:group2@domain2:group3@:group4 - A list is build with a colon as seperator\n"); + fprintf(stderr, "Group membership is determined with AD servers through the users memberof attribute which\n"); + fprintf(stderr, "is followed to the top (e.g. if the group is a member of a group)\n"); + fprintf(stderr, "Group membership is determined with non AD servers through the users memberuid (assuming\n"); + fprintf(stderr, "PosixGroup) or primary group membership (assuming PosixAccount)\n"); + clean_args(&margs); + exit(0); + default: + fprintf(stderr, "%s| %s: WARNING: unknown option: -%c.\n", LogTime(), PROGRAM, opt); + } + } + + if (margs.debug) + fprintf(stderr, "%s| %s: INFO: Starting version %s\n", LogTime(), PROGRAM, KERBEROS_LDAP_GROUP_VERSION); + if (create_gd(&margs)) { + if (margs.debug) + fprintf(stderr, "%s| %s: FATAL: Error in group list: %s\n", LogTime(), PROGRAM, margs.glist ? margs.glist : "NULL"); + fprintf(stdout, "ERR\n"); + clean_args(&margs); + exit(1); + } + if (create_nd(&margs)) { + if (margs.debug) + fprintf(stderr, "%s| %s: FATAL: Error in netbios list: %s\n", LogTime(), PROGRAM, margs.nlist ? margs.nlist : "NULL"); + fprintf(stdout, "ERR\n"); + clean_args(&margs); + exit(1); + } + while (1) { + if (fgets(buf, sizeof(buf) - 1, stdin) == NULL) { + if (ferror(stdin)) { + if (margs.debug) + fprintf(stderr, "%s| %s: FATAL: fgets() failed! dying..... errno=%d (%s)\n", LogTime(), PROGRAM, ferror(stdin), + strerror(ferror(stdin))); + + fprintf(stdout, "ERR\n"); + clean_args(&margs); + exit(1); /* BIIG buffer */ + } + fprintf(stdout, "ERR\n"); + clean_args(&margs); + exit(0); + } + c = (char *) memchr(buf, '\n', sizeof(buf) - 1); + if (c) { + *c = '\0'; + length = c - buf; + } else { + fprintf(stdout, "ERR\n"); + if (margs.debug) + fprintf(stderr, "%s| %s: ERR\n", LogTime(), PROGRAM); + continue; + } + + user = buf; + nuser = strchr(user, '\\'); + if (!nuser) + nuser8 = strstr(user, "%5C"); + if (!nuser && !nuser8) + nuser8 = strstr(user, "%5c"); + domain = strrchr(user, '@'); + if (nuser || nuser8) { + if (nuser) { + *nuser = '\0'; + nuser++; + } else { + *nuser8 = '\0'; + nuser = nuser8 + 3; + } + netbios = user; + if (margs.debug || margs.log) + fprintf(stderr, "%s| %s: INFO: Got User: %s Netbios Name: %s\n", LogTime(), PROGRAM, nuser, netbios); + domain = get_netbios_name(&margs, netbios); + user = nuser; + } else if (domain) { + strup(domain); + *domain = '\0'; + domain++; + } + if (!domain && margs.ddomain) { + domain = xstrdup(margs.ddomain); + if (margs.debug || margs.log) + fprintf(stderr, "%s| %s: INFO: Got User: %s set default domain: %s\n", LogTime(), PROGRAM, user, domain); + } + if (margs.debug || margs.log) + fprintf(stderr, "%s| %s: INFO: Got User: %s Domain: %s\n", LogTime(), PROGRAM, user, domain ? domain : "NULL"); + + if (!strcmp(user, "QQ") && domain && !strcmp(domain, "QQ")) { + clean_args(&margs); + exit(-1); + } + if (check_memberof(&margs, user, domain)) { + fprintf(stdout, "OK\n"); + if (margs.debug) + fprintf(stderr, "%s| %s: DEBUG: OK\n", LogTime(), PROGRAM); + } else { + fprintf(stdout, "ERR\n"); + if (margs.debug) + fprintf(stderr, "%s| %s: DEBUG: ERR\n", LogTime(), PROGRAM); + } + } + + +} + +void +strup(char *s) +{ + while (*s) { + *s = toupper((unsigned char) *s); + s++; + } +} +#else +#include +#include +int +main(int argc, char *const argv[]) +{ + setbuf(stdout, NULL); + setbuf(stdin, NULL); + char buf[6400]; + while (1) { + if (fgets(buf, sizeof(buf) - 1, stdin) == NULL) { + } + fprintf(stdout,"ERR\n"); + fprintf(stderr, "LDAP group authorisation not supported\n"); + } +} +#endif + diff -Nur squid-3/helpers/external_acl/kerberos_ldap_group/Makefile.am squid-3-krb5/helpers/external_acl/kerberos_ldap_group/Makefile.am --- squid-3/helpers/external_acl/kerberos_ldap_group/Makefile.am 1970-01-01 01:00:00.000000000 +0100 +++ squid-3-krb5/helpers/external_acl/kerberos_ldap_group/Makefile.am 2010-06-05 13:16:50.000000000 +0100 @@ -0,0 +1,15 @@ +include $(top_srcdir)/src/Common.am + +EXTRA_DIST = README COPYING config.test +SUBDIRS = + + +libexec_PROGRAMS = kerberos_ldap_group + +kerberos_ldap_group_SOURCES = kerberos_ldap_group.cc support_group.cc support_netbios.cc support_member.cc support_krb5.cc support_ldap.cc support_sasl.cc support_resolv.cc support_log.cc + +AM_CPPFLAGS = $(INCLUDES) -I$(srcdir) + +kerberos_ldap_group_LDFLAGS = +kerberos_ldap_group_LDADD = $(COMPAT_LIB) $(LDAPLIB) $(LBERLIB) $(LIBSASL) $(XTRA_LIBS) $(KRB5LIBS) + diff -Nur squid-3/helpers/external_acl/kerberos_ldap_group/README squid-3-krb5/helpers/external_acl/kerberos_ldap_group/README --- squid-3/helpers/external_acl/kerberos_ldap_group/README 1970-01-01 01:00:00.000000000 +0100 +++ squid-3-krb5/helpers/external_acl/kerberos_ldap_group/README 2010-06-05 13:16:50.000000000 +0100 @@ -0,0 +1,119 @@ +-------------------------------------------------------------------------------- +readme.txt is the squid_kerb_ldap read-me file. + +Author: Markus Moeller (markus_moeller at compuserve.com) + +Copyright (C) 2007 Markus Moeller. All rights reserved. +-------------------------------------------------------------------------------- + +squid_kerb_ldap Read Me + +Markus Moeller +June 2, 2007 + +1 Introduction + +squid_kerb_ldap is a reference implementation that supports SASL/GSSAPI authentication +to an ldap server. It is mainly intended to connect to Active Directory or Openldap based +ldap servers. + +For AD it checks the memberof attribute to determine if a user is member of a group. +For non AD it checks the memberuid attribute to determine if a user is member of a group and if not it checks if the primary group matches. +Currently, squid_kerb_ldap supports Squid 2.6 on Linux. + +squid_auth_ldap requires either MIT or Heimdal Kerberos libraries and header files. + +2 Building and Installation + +./configure +make + +Copy the helper squid_kerb_ldap to an apropriate directory. + +3 Configuration + +a) Configure IE or Firefox to point to the squid proxy by using the fqdn. IE and Firefox will use the +fqdn to query for a HTTP/fqdn Kerberos service principal. + +b) Create a keytab which contains the HTTP/fqdn Kerberos service principal and place it into a directory +where the squid run user can read the keytab. + +c) Add the following line to squid.conf + +auth_param negotiate program /usr/sbin/squid_kerb_auth +auth_param negotiate children 10 +auth_param negotiate keep_alive on + +external_acl_type squid_kerb_ldap ttl=3600 negative_ttl=3600 %LOGIN /usr/sbin/squid_kerb_ldap -g GROUP@ +acl ldap_group_check external squid_kerb_ldap +http_access allow ldap_group_check + +If a ntlm helper is used too add a -N option to map the netbios name to a Kerberos realm e.g. + +external_acl_type squid_kerb_ldap ttl=3600 negative_ttl=3600 %LOGIN /usr/sbin/squid_kerb_ldap -g GROUP@ -N NETBIOS@KERBEROS.REALM +acl ldap_group_check external squid_kerb_ldap +http_access allow ldap_group_check + + +d) Modify squid startup file + +Add the following lines to the squid startup script to point squid to a keytab file which +contains the HTTP/fqdn service principal for the default Kerberos domain. The fqdn must be +the proxy name set in IE or firefox. You can not use an IP address. + +KRB5_KTNAME=/etc/squid/HTTP.keytab +export KRB5_KTNAME + +If you use a different Kerberos domain than the machine itself is in you can point squid to +the seperate Kerberos config file by setting the following environmnet variable in the startup +script. + +KRB5_CONFIG=/etc/krb5-squid.conf +export KRB5_CONFIG + +4 Miscellaneous + +The -i options creates informational messages whereas -d creates full debug output + +If squid_kerb_ldap doesn't determine for some reason the right service ldap server you can provide +it with -u BIND_DN -p BIND_PW -b BIND_PATH -l LDAP_URL + +STARTTLS/SSL is supported and the -a options disables server certificate checks + +If you serve multiple Kerberos realms add a HTTP/fqdn@REALM service principal per realm to the +HTTP.keytab file and use the -s GSS_C_NO_NAME option with squid_kerb_auth. + +squid_kerb_ldap will determine automagically the right ldap server. The following method is used: + +1) For user@REALM + 1) Query DNS for SRV record _ldap._tcp.REALM + 2) Query DNS for A record REALM + 3) Use LDAP_URL if given + +2) For user + 2) Use LDAP_URL if given + +The Groups to check against are determined as follows: + +1 For user@REALM + 1) Use values given by -g option which contain a @REALM e.g. -g GROUP1@REALM:GROUP2@REALM + 2) Use values given by -g option which contain a @ only e.g. -g GROUP1@:GROUP2@ + 3) Use values given by -g option which do not contain a realm e.g. -g GROUP1:GROUP2 + +1 For user + 3) Use values given by -g option which do not contain a realm e.g. -g GROUP1:GROUP2 + + +To support Non-ASCII character use -t or -t @ instead of -g where GROUP is the hex UTF-8 representation e.g. + + -t 6d61726b7573 instead of -g markus + +The REALM must still be based on the ASCII character set. If REALM contains also non ASCII characters use -T @ where GROUP and REALM are hex UTF-8 representation e.g. + + -T 6d61726b7573@57494e3230303352322e484f4d45 instead of -g markus@WIN2003R2.HOME + +For a translation of hex UTF-8 see for example http://www.utf8-chartable.de/unicode-utf8-table.pl + + + + diff -Nur squid-3/helpers/external_acl/kerberos_ldap_group/support_group.cc squid-3-krb5/helpers/external_acl/kerberos_ldap_group/support_group.cc --- squid-3/helpers/external_acl/kerberos_ldap_group/support_group.cc 1970-01-01 01:00:00.000000000 +0100 +++ squid-3-krb5/helpers/external_acl/kerberos_ldap_group/support_group.cc 2010-06-05 13:16:50.000000000 +0100 @@ -0,0 +1,447 @@ +/* + * ----------------------------------------------------------------------------- + * + * Author: Markus Moeller (markus_moeller at compuserve.com) + * + * Copyright (C) 2007 Markus Moeller. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA. + * + * ----------------------------------------------------------------------------- + */ + +#include "config.h" +#include "util.h" + +#ifdef HAVE_LDAP + +#include "support.h" + +struct gdstruct *init_gd(void); + +struct gdstruct * +init_gd(void) +{ + struct gdstruct *gdsp; + gdsp = (struct gdstruct *) xmalloc(sizeof(struct gdstruct)); + gdsp->group = NULL; + gdsp->domain = NULL; + gdsp->next = NULL; + return gdsp; +} + +char *utf8dup(struct main_args *margs); + +char * +utf8dup(struct main_args *margs) +{ + int c = 0, s; + size_t n; + char *src; + unsigned char *p, *dup; + + src = margs->glist; + if (!src) + return NULL; + for (n = 0; n < strlen(src); n++) + if ((unsigned char) src[n] > 127) + c++; + if (c != 0) { + p = (unsigned char *) xmalloc(strlen(src) + c); + dup = p; + for (n = 0; n < strlen(src); n++) { + s = (unsigned char) src[n]; + if (s > 127 && s < 192) { + *p = 194; + p++; + *p = s; + } else if (s > 191 && s < 256) { + *p = 195; + p++; + *p = s - 64; + } else + *p = s; + p++; + } + *p = '\0'; + if (margs->debug) + fprintf(stderr, "%s| %s: INFO: Group %s as UTF-8: %s\n", LogTime(), PROGRAM, src, dup); + return (char *) dup; + } else + return xstrdup(src); +} + +char *hex_utf_char(struct main_args *margs, int flag); +/* + * UTF8 = UTF1 / UTFMB + * UTFMB = UTF2 / UTF3 / UTF4 + * + * UTF0 = %x80-BF + * UTF1 = %x00-7F + * UTF2 = %xC2-DF UTF0 + * UTF3 = %xE0 %xA0-BF UTF0 / %xE1-EC 2(UTF0) / + * %xED %x80-9F UTF0 / %xEE-EF 2(UTF0) + * UTF4 = %xF0 %x90-BF 2(UTF0) / %xF1-F3 3(UTF0) / + * %xF4 %x80-8F 2(UTF0) + * + * http://www.utf8-chartable.de/unicode-utf8-table.pl + */ + +char * +hex_utf_char(struct main_args *margs, int flag) +{ + char *up; + char *upd; + char *ul; + int a, n, nl, ival, ichar; + int iUTF2, iUTF3, iUTF4; + + if (flag) { + up = margs->ulist; + } else { + up = margs->tlist; + } + + if (!up) + return NULL; + + upd = strrchr(up, '@'); + if (upd) + a = upd - up; + else + a = strlen(up); + + ul = (char *) xmalloc(strlen(up)); + n = 0; + nl = 0; + iUTF2 = 0; + iUTF3 = 0; + iUTF4 = 0; + + while (n < (int) strlen(up)) { + if (flag && n == a) + break; + if (up[n] == '@') { + ul[nl] = '@'; + nl++; + n++; + continue; + } + ival = up[n]; + if (ival > 64 && ival < 71) + ichar = (ival - 55) * 16; + else if (ival > 96 && ival < 103) + ichar = (ival - 87) * 16; + else if (ival > 47 && ival < 58) + ichar = (ival - 48) * 16; + else { + if (margs->debug) + fprintf(stderr, "%s| %s: WARNING: Invalid Hex value %c\n", LogTime(), PROGRAM, ival); + if (ul) + xfree(ul); + return NULL; + } + + + if (n == a - 1) { + if (margs->debug) + fprintf(stderr, "%s| %s: WARNING: Invalid Hex UTF-8 string %s\n", LogTime(), PROGRAM, up); + if (ul) + xfree(ul); + return NULL; + } + n++; + ival = up[n]; + if (ival > 64 && ival < 71) + ichar = ichar + ival - 55; + else if (ival > 96 && ival < 103) + ichar = ichar + ival - 87; + else if (ival > 47 && ival < 58) + ichar = ichar + ival - 48; + else { + if (margs->debug) + fprintf(stderr, "%s| %s: WARNING: Invalid Hex value %c\n", LogTime(), PROGRAM, ival); + if (ul) + xfree(ul); + return NULL; + } + + if (iUTF2) { + if (iUTF2 == 0xC2 && ichar > 0x7F && ichar < 0xC0) { + iUTF2 = 0; + ul[nl - 1] = ichar; + } else if (iUTF2 == 0xC3 && ichar > 0x7F && ichar < 0xC0) { + iUTF2 = 0; + ul[nl - 1] = ichar + 64; + } else if (iUTF2 > 0xC3 && iUTF2 < 0xE0 && ichar > 0x7F && ichar < 0xC0) { + iUTF2 = 0; + ul[nl] = ichar; + nl++; + } else { + iUTF2 = 0; + ul[nl] = ichar; + ul[nl + 1] = '\0'; + if (margs->debug) + fprintf(stderr, "%s| %s: WARNING: Invalid UTF-8 sequence for Unicode %s\n", LogTime(), PROGRAM, ul); + if (ul) + xfree(ul); + return NULL; + } + } else if (iUTF3) { + if (iUTF3 == 0xE0 && ichar > 0x9F && ichar < 0xC0) { + iUTF3 = 1; + ul[nl] = ichar; + nl++; + } else if (iUTF3 > 0xE0 && iUTF3 < 0xED && ichar > 0x7F && ichar < 0xC0) { + iUTF3 = 2; + ul[nl] = ichar; + nl++; + } else if (iUTF3 == 0xED && ichar > 0x7F && ichar < 0xA0) { + iUTF3 = 3; + ul[nl] = ichar; + nl++; + } else if (iUTF3 > 0xED && iUTF3 < 0xF0 && ichar > 0x7F && ichar < 0xC0) { + iUTF3 = 4; + ul[nl] = ichar; + nl++; + } else if (iUTF3 > 0 && iUTF3 < 5 && ichar > 0x7F && ichar < 0xC0) { + iUTF3 = 0; + ul[nl] = ichar; + nl++; + } else { + iUTF3 = 0; + ul[nl] = ichar; + ul[nl + 1] = '\0'; + if (margs->debug) + fprintf(stderr, "%s| %s: WARNING: Invalid UTF-8 sequence for Unicode %s\n", LogTime(), PROGRAM, ul); + if (ul) + xfree(ul); + return NULL; + } + } else if (iUTF4) { + if (iUTF4 == 0xF0 && ichar > 0x8F && ichar < 0xC0) { + iUTF4 = 1; + ul[nl] = ichar; + nl++; + } else if (iUTF4 > 0xF0 && iUTF3 < 0xF4 && ichar > 0x7F && ichar < 0xC0) { + iUTF4 = 2; + ul[nl] = ichar; + nl++; + } else if (iUTF4 == 0xF4 && ichar > 0x7F && ichar < 0x90) { + iUTF4 = 3; + ul[nl] = ichar; + nl++; + } else if (iUTF4 > 0 && iUTF4 < 5 && ichar > 0x7F && ichar < 0xC0) { + if (iUTF4 == 4) + iUTF4 = 0; + else + iUTF4 = 4; + ul[nl] = ichar; + nl++; + } else { + iUTF4 = 0; + ul[nl] = ichar; + ul[nl + 1] = '\0'; + if (margs->debug) + fprintf(stderr, "%s| %s: WARNING: Invalid UTF-8 sequence for Unicode %s\n", LogTime(), PROGRAM, ul); + if (ul) + xfree(ul); + return NULL; + } + } else if (ichar < 0x80) { + /* UTF1 */ + ul[nl] = ichar; + nl++; + } else if (ichar > 0xC1 && ichar < 0xE0) { + /* UTF2 (Latin) */ + iUTF2 = ichar; + ul[nl] = ichar; + nl++; + } else if (ichar > 0xDF && ichar < 0xF0) { + /* UTF3 */ + iUTF3 = ichar; + ul[nl] = ichar; + nl++; + } else if (ichar > 0xEF && ichar < 0xF5) { + /* UTF4 */ + iUTF4 = ichar; + ul[nl] = ichar; + nl++; + } else { + ul[nl] = ichar; + ul[nl + 1] = '\0'; + if (margs->debug) + fprintf(stderr, "%s| %s: WARNING: Invalid UTF-8 sequence for Unicode %s\n", LogTime(), PROGRAM, ul); + if (ul) + xfree(ul); + return NULL; + } + n++; + } + + ul[nl] = '\0'; + if (iUTF2 || iUTF3 || iUTF4) { + if (margs->debug) { + fprintf(stderr, "%s| %s: INFO: iUTF2: %d iUTF3: %d iUTF4: %d\n", LogTime(), PROGRAM, iUTF2, iUTF3, iUTF4); + fprintf(stderr, "%s| %s: WARNING: Invalid UTF-8 sequence for Unicode %s\n", LogTime(), PROGRAM, ul); + } + if (ul) + xfree(ul); + return NULL; + } + if (flag && upd) + ul = strcat(ul, upd); + return ul; +} + + +int +create_gd(struct main_args *margs) +{ + char *gp, *dp; + char *hp1, *hp2, *up; + char *p; + struct gdstruct *gdsp = NULL, *gdspn = NULL; + /* + * Group list format: + * + * glist=Pattern1[:Pattern2] + * + * Pattern=Group Group for all domains(including non Kerberos domains using ldap url options) if no + * other group definition for domain exists or users without + * domain information. + * gdstruct.domain=NULL, gdstruct.group=Group + * + * or Pattern=Group@ Group for all Kerberos domains if no other group definition + * exists + * gdstruct.domain="", gdstruct.group=Group + * + * or Pattern=Group@Domain Group for a specific Kerberos domain + * gdstruct.domain=Domain, gdstruct.group=Group + * + * + */ + hp1 = hex_utf_char(margs, 0); + hp2 = hex_utf_char(margs, 1); + up = utf8dup(margs); + p = up; + if (hp1) { + if (hp2) { + if (up) { + p = (char *) xmalloc(strlen(up) + strlen(hp1) + strlen(hp2) + 2); + strcpy(p, up); + strcat(p, ":"); + strcat(p, hp1); + strcat(p, ":"); + strcat(p, hp2); + } else { + p = (char *) xmalloc(strlen(hp1) + strlen(hp2) + 1); + strcpy(p, hp1); + strcat(p, ":"); + strcat(p, hp2); + } + } else { + if (up) { + p = (char *) xmalloc(strlen(up) + strlen(hp1) + 1); + strcpy(p, up); + strcat(p, ":"); + strcat(p, hp1); + } else + p = hp1; + } + } else { + if (hp2) { + if (up) { + p = (char *) xmalloc(strlen(up) + strlen(hp2) + 1); + strcpy(p, up); + strcat(p, ":"); + strcat(p, hp2); + } else + p = hp2; + } else + p = up; + } + gp = p; + if (margs->debug) + fprintf(stderr, "%s| %s: INFO: Group list %s\n", LogTime(), PROGRAM, p ? p : "NULL"); + dp = NULL; + + if (!p) { + if (margs->debug) + fprintf(stderr, "%s| %s: ERROR: No groups defined.\n", LogTime(), PROGRAM); + return (1); + } + while (*p) { /* loop over group list */ + if (*p == '\n' || *p == '\r') { /* Ignore CR and LF if exist */ + p++; + continue; + } + if (*p == '@') { /* end of group name - start of domain name */ + if (p == gp) { /* empty group name not allowed */ + if (margs->debug) + fprintf(stderr, "%s| %s: ERROR: No group defined for domain %s\n", LogTime(), PROGRAM, p); + return (1); + } + *p = '\0'; + p++; + gdsp = init_gd(); + gdsp->group = gp; + if (gdspn) /* Have already an existing structure */ + gdsp->next = gdspn; + dp = p; /* after @ starts new domain name */ + } else if (*p == ':') { /* end of group name or end of domain name */ + if (p == gp) { /* empty group name not allowed */ + if (margs->debug) + fprintf(stderr, "%s| %s: ERROR: No group defined for domain %s\n", LogTime(), PROGRAM, p); + return (1); + } + *p = '\0'; + p++; + if (dp) { /* end of domain name */ + gdsp->domain = xstrdup(dp); + dp = NULL; + } else { /* end of group name and no domain name */ + gdsp = init_gd(); + gdsp->group = gp; + if (gdspn) /* Have already an existing structure */ + gdsp->next = gdspn; + } + gdspn = gdsp; + gp = p; /* after : starts new group name */ + if (margs->debug) + fprintf(stderr, "%s| %s: INFO: Group %s Domain %s\n", LogTime(), PROGRAM, gdsp->group, gdsp->domain ? gdsp->domain : "NULL"); + } else + p++; + } + if (p == gp) { /* empty group name not allowed */ + if (margs->debug) + fprintf(stderr, "%s| %s: ERROR: No group defined for domain %s\n", LogTime(), PROGRAM, p); + return (1); + } + if (dp) { /* end of domain name */ + gdsp->domain = xstrdup(dp); + } else { /* end of group name and no domain name */ + gdsp = init_gd(); + gdsp->group = gp; + if (gdspn) /* Have already an existing structure */ + gdsp->next = gdspn; + } + if (margs->debug) + fprintf(stderr, "%s| %s: INFO: Group %s Domain %s\n", LogTime(), PROGRAM, gdsp->group, gdsp->domain ? gdsp->domain : "NULL"); + + margs->groups = gdsp; + return (0); +} +#endif diff -Nur squid-3/helpers/external_acl/kerberos_ldap_group/support.h squid-3-krb5/helpers/external_acl/kerberos_ldap_group/support.h --- squid-3/helpers/external_acl/kerberos_ldap_group/support.h 1970-01-01 01:00:00.000000000 +0100 +++ squid-3-krb5/helpers/external_acl/kerberos_ldap_group/support.h 2010-06-05 13:16:50.000000000 +0100 @@ -0,0 +1,159 @@ +/* + * ----------------------------------------------------------------------------- + * + * Author: Markus Moeller (markus_moeller at compuserve.com) + * + * Copyright (C) 2007 Markus Moeller. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA. + * + * ----------------------------------------------------------------------------- + */ + +#define KERBEROS_LDAP_GROUP_VERSION "1.2.2sq" + +#ifdef HAVE_STRING_H +#include +#endif + +#ifdef HAVE_HEIMDAL_KERBEROS +#ifdef HAVE_GSSAPI_GSSAPI_H +#include +#elif defined(HAVE_GSSAPI_H) +#include +#endif +#ifdef HAVE_KRB5_H +#include +#endif +#ifdef HAVE_COM_ERR_H +#include +#else +#define error_message(code) krb5_get_err_text(kparam.context,code) +#endif +#else /*MIT */ +#ifdef HAVE_GSSAPI_GSSAPI_H +#include +#elif defined(HAVE_GSSAPI_H) +#include +#endif +#ifdef HAVE_GSSAPI_GSSAPI_KRB5_H +#include +#endif +#ifdef HAVE_GSSAPI_GSSAPI_GENERIC_H +#include +#endif +#ifdef HAVE_GSSAPI_GSSAPI_EXT_H +#include +#endif +#ifdef HAVE_KRB5_H +#if HAVE_BROKEN_SOLARIS_KRB5_H +#if defined(__cplusplus) +#define KRB5INT_BEGIN_DECLS extern "C" { +#define KRB5INT_END_DECLS + KRB5INT_BEGIN_DECLS +#endif +#endif +#include +#endif +#ifdef HAVE_COM_ERR_H +#include +#endif +#endif +#ifndef gss_nt_service_name +#define gss_nt_service_name GSS_C_NT_HOSTBASED_SERVICE +#endif + +#define LDAP_DEPRECATED 1 +#ifdef HAVE_LDAP_REBIND_FUNCTION +#define LDAP_REFERRALS +#endif +#ifdef HAVE_LBER_H +#include +#endif +#ifdef HAVE_LDAP_H +#include +#endif +#ifdef HAVE_MOZLDAP_LDAP_H +#include +#endif + +struct gdstruct { + char *group; + char *domain; + struct gdstruct *next; +}; +struct ndstruct { + char *netbios; + char *domain; + struct ndstruct *next; +}; + +struct main_args { + char *glist; + char *ulist; + char *tlist; + char *nlist; + char *luser; + char *lpass; + char *lbind; + char *lurl; + char *ssl; + int rc_allow; + int debug; + int log; + int AD; + int mdepth; + char *ddomain; + struct gdstruct *groups; + struct ndstruct *ndoms; +}; + +struct hstruct { + char *host; + int port; + int priority; + int weight; +}; + +struct ldap_creds { + char *dn; + char *pw; +}; + + +void init_args(struct main_args *margs); +void clean_args(struct main_args *margs); +const char *LogTime(void); + +int check_memberof(struct main_args *margs, char *user, char *domain); +int get_memberof(struct main_args *margs, char *user, char *domain, char *group); + +char *get_netbios_name(struct main_args *margs, char *netbios); + +int create_gd(struct main_args *margs); +int create_nd(struct main_args *margs); + +int krb5_create_cache(struct main_args *margs, char *domain); +void krb5_cleanup(void); + +int get_ldap_hostname_list(struct main_args *margs, struct hstruct **hlist, int nhosts, char *domain); +int get_hostname_list(struct main_args *margs, struct hstruct **hlist, int nhosts, char *name); +int free_hostname_list(struct hstruct **hlist, int nhosts); + +#if defined(HAVE_SASL_H) || defined(HAVE_SASL_SASL_H) || defined(HAVE_SASL_DARWIN) +int tool_sasl_bind(LDAP * ld, char *binddn, char *ssl); +#endif + +#define PROGRAM "kerberos_ldap_group" diff -Nur squid-3/helpers/external_acl/kerberos_ldap_group/support_krb5.cc squid-3-krb5/helpers/external_acl/kerberos_ldap_group/support_krb5.cc --- squid-3/helpers/external_acl/kerberos_ldap_group/support_krb5.cc 1970-01-01 01:00:00.000000000 +0100 +++ squid-3-krb5/helpers/external_acl/kerberos_ldap_group/support_krb5.cc 2010-06-05 13:16:50.000000000 +0100 @@ -0,0 +1,355 @@ +/* + * ---------------------------------------------------------------------------- + * + * Author: Markus Moeller (markus_moeller at compuserve.com) + * + * Copyright (C) 2007 Markus Moeller. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA. + * + * ----------------------------------------------------------------------------- + */ + +#include "config.h" +#include "util.h" + +#ifdef HAVE_LDAP + +#include "support.h" + +struct kstruct { + krb5_context context; + char *mem_cache_env; + krb5_ccache cc; +} kparam; + +#define KT_PATH_MAX 256 + +void +krb5_cleanup() +{ + if (kparam.context) { + if (kparam.cc) + krb5_cc_destroy(kparam.context, kparam.cc); + krb5_free_context(kparam.context); + } +} +/* + * create Kerberos memory cache + */ +int +krb5_create_cache(struct main_args *margs, char *domain) +{ + + krb5_keytab keytab = 0; + krb5_keytab_entry entry; + krb5_kt_cursor cursor; + krb5_creds *creds = NULL; + krb5_creds *tgt_creds = NULL; + krb5_principal *principal_list = NULL; + krb5_principal principal = NULL; + char *service; + char *keytab_name = NULL, *principal_name = NULL, *mem_cache = NULL; + char buf[KT_PATH_MAX], *p; + int nprinc = 0; + int i; + int retval = 0; + int found = 0; + krb5_error_code code = 0; + + kparam.context = NULL; + + if (!domain || !strcmp(domain, "")) + return (1); + + /* + * Initialise Kerberos + */ + + code = krb5_init_context(&kparam.context); + if (code) { + fprintf(stderr, "%s| %s: ERROR: Error while initialising Kerberos library : %s\n", LogTime(), PROGRAM, error_message(code)); + retval = 1; + goto cleanup; + } + /* + * getting default keytab name + */ + + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: Get default keytab file name\n", LogTime(), PROGRAM); + krb5_kt_default_name(kparam.context, buf, KT_PATH_MAX); + p = strchr(buf, ':'); /* Find the end if "FILE:" */ + if (p) + p++; /* step past : */ + keytab_name = xstrdup(p ? p : buf); + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: Got default keytab file name %s\n", LogTime(), PROGRAM, keytab_name); + + code = krb5_kt_resolve(kparam.context, keytab_name, &keytab); + if (code) { + fprintf(stderr, "%s| %s: ERROR: Error while resolving keytab %s : %s\n", LogTime(), PROGRAM, keytab_name, error_message(code)); + retval = 1; + goto cleanup; + } + code = krb5_kt_start_seq_get(kparam.context, keytab, &cursor); + if (code) { + fprintf(stderr, "%s| %s: ERROR: Error while starting keytab scan : %s\n", LogTime(), PROGRAM, error_message(code)); + retval = 1; + goto cleanup; + } + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: Get principal name from keytab %s\n", LogTime(), PROGRAM, keytab_name); + + nprinc = 0; + while ((code = krb5_kt_next_entry(kparam.context, keytab, &entry, &cursor)) == 0) { + + principal_list = (krb5_principal *) xrealloc(principal_list, sizeof(krb5_principal) * (nprinc + 1)); + krb5_copy_principal(kparam.context, entry.principal, &principal_list[nprinc++]); + if (margs->debug) +#ifdef HAVE_HEIMDAL_KERBEROS + fprintf(stderr, "%s| %s: DEBUG: Keytab entry has realm name: %s\n", LogTime(), PROGRAM, entry.principal->realm); +#else + fprintf(stderr, "%s| %s: DEBUG: Keytab entry has realm name: %s\n", LogTime(), PROGRAM, krb5_princ_realm(kparam.context, entry.principal)->data); +#endif +#ifdef HAVE_HEIMDAL_KERBEROS + if (!strcasecmp(domain, entry.principal->realm)) +#else + if (!strcasecmp(domain, krb5_princ_realm(kparam.context, entry.principal)->data)) +#endif + { + code = krb5_unparse_name(kparam.context, entry.principal, &principal_name); + if (code) { + fprintf(stderr, "%s| %s: ERROR: Error while unparsing principal name : %s\n", LogTime(), PROGRAM, error_message(code)); + } else { + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: Found principal name: %s\n", LogTime(), PROGRAM, principal_name); + found = 1; + } + } +#if defined(HAVE_HEIMDAL_KERBEROS) || ( defined(HAVE_KRB5_KT_FREE_ENTRY) && HAVE_DECL_KRB5_KT_FREE_ENTRY==1) + code = krb5_kt_free_entry(kparam.context, &entry); +#else + code = krb5_free_keytab_entry_contents(kparam.context, &entry); +#endif + if (code) { + fprintf(stderr, "%s| %s: ERROR: Error while freeing keytab entry : %s\n", LogTime(), PROGRAM, error_message(code)); + retval = 1; + break; + } + if (found) + break; + } + + if (code && code != KRB5_KT_END) { + fprintf(stderr, "%s| %s: ERROR: Error while scanning keytab : %s\n", LogTime(), PROGRAM, error_message(code)); + retval = 1; + goto cleanup; + } + code = krb5_kt_end_seq_get(kparam.context, keytab, &cursor); + if (code) { + fprintf(stderr, "%s| %s: ERROR: Error while ending keytab scan : %s\n", LogTime(), PROGRAM, error_message(code)); + retval = 1; + goto cleanup; + } + /* + * prepare memory credential cache + */ +#if !defined(HAVE_KRB5_MEMORY_CACHE) || defined(HAVE_SUN_LDAP_SDK) + mem_cache = (char *) xmalloc(strlen("FILE:/tmp/squid_ldap_") + 16); + snprintf(mem_cache, strlen("FILE:/tmp/squid_ldap_") + 16, "FILE:/tmp/squid_ldap_%d", (int) getpid()); +#else + mem_cache = (char *) xmalloc(strlen("MEMORY:squid_ldap_") + 16); + snprintf(mem_cache, strlen("MEMORY:squid_ldap_") + 16, "MEMORY:squid_ldap_%d", (int) getpid()); +#endif + + setenv("KRB5CCNAME", mem_cache, 1); + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: Set credential cache to %s\n", LogTime(), PROGRAM, mem_cache); + code = krb5_cc_resolve(kparam.context, mem_cache, &kparam.cc); + if (code) { + fprintf(stderr, "%s| %s: ERROR: Error while resolving memory ccache : %s\n", LogTime(), PROGRAM, error_message(code)); + retval = 1; + goto cleanup; + } + /* + * if no principal name found in keytab for domain use the prinipal name which can get a TGT + */ + if (!principal_name) { + if (margs->debug) { + fprintf(stderr, "%s| %s: DEBUG: Did not find a principal in keytab for domain %s.\n", LogTime(), PROGRAM, domain); + fprintf(stderr, "%s| %s: DEBUG: Try to get principal of trusted domain.\n", LogTime(), PROGRAM); + } + creds = (krb5_creds *) xmalloc(sizeof(*creds)); + memset(creds, 0, sizeof(*creds)); + + for (i = 0; i < nprinc; i++) { + /* + * get credentials + */ + code = krb5_unparse_name(kparam.context, principal_list[i], &principal_name); + if (code) { + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: Error while unparsing principal name : %s\n", LogTime(), PROGRAM, error_message(code)); + goto loop_end; + } + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: Keytab entry has principal: %s\n", LogTime(), PROGRAM, principal_name); + +#if HAVE_GET_INIT_CREDS_KEYTAB + code = krb5_get_init_creds_keytab(kparam.context, creds, principal_list[i], keytab, 0, NULL, NULL); +#else + service = (char *) xmalloc(strlen("krbtgt") + 2 * strlen(domain) + 3); + snprintf(service, strlen("krbtgt") + 2 * strlen(domain) + 3, "krbtgt/%s@%s", domain, domain); + creds->client = principal_list[i]; + code = krb5_parse_name(kparam.context, service, &creds->server); + if (service) + xfree(service); + code = krb5_get_in_tkt_with_keytab(kparam.context, 0, NULL, NULL, NULL, keytab, NULL, creds, 0); +#endif + if (code) { + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: Error while initialising credentials from keytab : %s\n", LogTime(), PROGRAM, error_message(code)); + goto loop_end; + } + code = krb5_cc_initialize(kparam.context, kparam.cc, principal_list[i]); + if (code) { + fprintf(stderr, "%s| %s: ERROR: Error while initializing memory caches : %s\n", LogTime(), PROGRAM, error_message(code)); + goto loop_end; + } + code = krb5_cc_store_cred(kparam.context, kparam.cc, creds); + if (code) { + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: Error while storing credentials : %s\n", LogTime(), PROGRAM, error_message(code)); + goto loop_end; + } + if (creds->server) + krb5_free_principal(kparam.context, creds->server); +#ifdef HAVE_HEIMDAL_KERBEROS + service = (char *) xmalloc(strlen("krbtgt") + strlen(domain) + strlen(principal_list[i]->realm) + 3); + snprintf(service, strlen("krbtgt") + strlen(domain) + strlen(principal_list[i]->realm) + 3, "krbtgt/%s@%s", domain, principal_list[i]->realm); +#else + service = (char *) xmalloc(strlen("krbtgt") + strlen(domain) + strlen(krb5_princ_realm(kparam.context, principal_list[i])->data) + 3); + snprintf(service, strlen("krbtgt") + strlen(domain) + strlen(krb5_princ_realm(kparam.context, principal_list[i])->data) + 3, "krbtgt/%s@%s", domain, krb5_princ_realm(kparam.context, principal_list[i])->data); +#endif + code = krb5_parse_name(kparam.context, service, &creds->server); + if (service) + xfree(service); + if (code) { + fprintf(stderr, "%s| %s: ERROR: Error while initialising TGT credentials : %s\n", LogTime(), PROGRAM, error_message(code)); + goto loop_end; + } + code = krb5_get_credentials(kparam.context, 0, kparam.cc, creds, &tgt_creds); + if (code) { + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: Error while getting tgt : %s\n", LogTime(), PROGRAM, error_message(code)); + goto loop_end; + } else { + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: Found trusted principal name: %s\n", LogTime(), PROGRAM, principal_name); + found = 1; + break; + } + + loop_end: + if (principal_name) + xfree(principal_name); + principal_name = NULL; + } + + if (tgt_creds) + krb5_free_creds(kparam.context, tgt_creds); + tgt_creds = NULL; + if (creds) + krb5_free_creds(kparam.context, creds); + creds = NULL; + } + if (principal_name) { + + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: Got principal name %s\n", LogTime(), PROGRAM, principal_name); + /* + * build principal + */ + code = krb5_parse_name(kparam.context, principal_name, &principal); + if (code) { + fprintf(stderr, "%s| %s: ERROR: Error while parsing name %s : %s\n", LogTime(), PROGRAM, principal_name, error_message(code)); + retval = 1; + goto cleanup; + } + creds = (krb5_creds *) xmalloc(sizeof(*creds)); + memset(creds, 0, sizeof(*creds)); + + /* + * get credentials + */ +#if HAVE_GET_INIT_CREDS_KEYTAB + code = krb5_get_init_creds_keytab(kparam.context, creds, principal, keytab, 0, NULL, NULL); +#else + service = (char *) xmalloc(strlen("krbtgt") + 2 * strlen(domain) + 3); + snprintf(service, strlen("krbtgt") + 2 * strlen(domain) + 3, "krbtgt/%s@%s", domain, domain); + creds->client = principal; + code = krb5_parse_name(kparam.context, service, &creds->server); + if (service) + xfree(service); + code = krb5_get_in_tkt_with_keytab(kparam.context, 0, NULL, NULL, NULL, keytab, NULL, creds, 0); +#endif + if (code) { + fprintf(stderr, "%s| %s: ERROR: Error while initialising credentials from keytab : %s\n", LogTime(), PROGRAM, error_message(code)); + retval = 1; + goto cleanup; + } + code = krb5_cc_initialize(kparam.context, kparam.cc, principal); + if (code) { + fprintf(stderr, "%s| %s: ERROR: Error while initializing memory caches : %s\n", LogTime(), PROGRAM, error_message(code)); + retval = 1; + goto cleanup; + } + code = krb5_cc_store_cred(kparam.context, kparam.cc, creds); + if (code) { + fprintf(stderr, "%s| %s: ERROR: Error while storing credentials : %s\n", LogTime(), PROGRAM, error_message(code)); + retval = 1; + goto cleanup; + } + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: Stored credentials\n", LogTime(), PROGRAM); + } else { + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: Got no principal name\n", LogTime(), PROGRAM); + retval = 1; + } + cleanup: + if (keytab) + krb5_kt_close(kparam.context, keytab); + if (keytab_name) + xfree(keytab_name); + if (principal_name) + xfree(principal_name); + if (mem_cache) + xfree(mem_cache); + if (principal) + krb5_free_principal(kparam.context, principal); + for (i = 0; i < nprinc; i++) { + if (principal_list[i]) + krb5_free_principal(kparam.context, principal_list[i]); + } + if (principal_list) + xfree(principal_list); + if (creds) + krb5_free_creds(kparam.context, creds); + + return (retval); +} +#endif diff -Nur squid-3/helpers/external_acl/kerberos_ldap_group/support_ldap.cc squid-3-krb5/helpers/external_acl/kerberos_ldap_group/support_ldap.cc --- squid-3/helpers/external_acl/kerberos_ldap_group/support_ldap.cc 1970-01-01 01:00:00.000000000 +0100 +++ squid-3-krb5/helpers/external_acl/kerberos_ldap_group/support_ldap.cc 2010-06-05 13:16:50.000000000 +0100 @@ -0,0 +1,1265 @@ +/* + * ----------------------------------------------------------------------------- + * + * Author: Markus Moeller (markus_moeller at compuserve.com) + * + * Copyright (C) 2007 Markus Moeller. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA. + * + * ----------------------------------------------------------------------------- + */ + +#include "config.h" +#include "util.h" + +#ifdef HAVE_LDAP + +#include "support.h" +#ifdef HAVE_ERRNO_H +#include +#endif + +char *convert_domain_to_bind_path(char *domain); +char *escape_filter(char *filter); +int check_AD(struct main_args *margs, LDAP * ld); +int ldap_set_defaults(struct main_args *margs, LDAP * ld); +int ldap_set_ssl_defaults(struct main_args *margs); +LDAP *tool_ldap_open(struct main_args *margs, char *host, int port, char *ssl); + +#define CONNECT_TIMEOUT 2 +#define SEARCH_TIMEOUT 30 + +#define FILTER "(memberuid=%s)" +#define ATTRIBUTE "cn" +#define FILTER_UID "(uid=%s)" +#define FILTER_GID "(&(gidNumber=%s)(objectclass=posixgroup))" +#define ATTRIBUTE_GID "gidNumber" + +#define FILTER_AD "(samaccountname=%s)" +#define ATTRIBUTE_AD "memberof" + +int get_attributes(struct main_args *margs, LDAP * ld, LDAPMessage * res, const char *attribute /* IN */ , char ***out_val /* OUT (caller frees) */ ); +int search_group_tree(struct main_args *margs, LDAP * ld, char *bindp, char *ldap_group, char *group, int depth); + +#if defined(HAVE_SUN_LDAP_SDK) || defined(HAVE_MOZILLA_LDAP_SDK) +#ifdef HAVE_LDAP_REBINDPROC_CALLBACK + +#if defined(HAVE_SASL_H) || defined(HAVE_SASL_SASL_H) || defined(HAVE_SASL_DARWIN) +static LDAP_REBINDPROC_CALLBACK ldap_sasl_rebind; + +static int LDAP_CALL LDAP_CALLBACK +ldap_sasl_rebind( + LDAP * ld, + char **whop, + char **credp, + int *methodp, + int freeit, + void *params) +{ + struct ldap_creds *cp = (struct ldap_creds *) params; + whop = whop; + credp = credp; + methodp = methodp; + freeit = freeit; + return tool_sasl_bind(ld, cp->dn, cp->pw); +} +#endif + +static LDAP_REBINDPROC_CALLBACK ldap_simple_rebind; + +static int LDAP_CALL LDAP_CALLBACK +ldap_simple_rebind( + LDAP * ld, + char **whop, + char **credp, + int *methodp, + int freeit, + void *params) +{ + struct ldap_creds *cp = (struct ldap_creds *) params; + whop = whop; + credp = credp; + methodp = methodp; + freeit = freeit; + return ldap_bind_s(ld, cp->dn, cp->pw, LDAP_AUTH_SIMPLE); +} +#elif defined(HAVE_LDAP_REBIND_PROC) +#if defined(HAVE_SASL_H) || defined(HAVE_SASL_SASL_H) || defined(HAVE_SASL_DARWIN) +static LDAP_REBIND_PROC ldap_sasl_rebind; + +static int +ldap_sasl_rebind( + LDAP * ld, + LDAP_CONST char *url, + ber_tag_t request, + ber_int_t msgid, + void *params) +{ + struct ldap_creds *cp = (struct ldap_creds *) params; + url = url; + request = request; + msgid = msgid; + return tool_sasl_bind(ld, cp->dn, cp->pw); +} +#endif + +static LDAP_REBIND_PROC ldap_simple_rebind; + +static int +ldap_simple_rebind( + LDAP * ld, + LDAP_CONST char *url, + ber_tag_t request, + ber_int_t msgid, + void *params) +{ + struct ldap_creds *cp = (struct ldap_creds *) params; + url = url; + request = request; + msgid = msgid; + return ldap_bind_s(ld, cp->dn, cp->pw, LDAP_AUTH_SIMPLE); +} + +#elif defined(HAVE_LDAP_REBIND_FUNCTION) +#ifndef LDAP_REFERRALS +#define LDAP_REFERRALS +#endif +#if defined(HAVE_SASL_H) || defined(HAVE_SASL_SASL_H) || defined(HAVE_SASL_DARWIN) +static LDAP_REBIND_FUNCTION ldap_sasl_rebind; + +static int +ldap_sasl_rebind( + LDAP * ld, + char **whop, + char **credp, + int *methodp, + int freeit, + void *params) +{ + struct ldap_creds *cp = (struct ldap_creds *) params; + whop = whop; + credp = credp; + methodp = methodp; + freeit = freeit; + return tool_sasl_bind(ld, cp->dn, cp->pw); +} +#endif + +static LDAP_REBIND_FUNCTION ldap_simple_rebind; + +static int +ldap_simple_rebind( + LDAP * ld, + char **whop, + char **credp, + int *methodp, + int freeit, + void *params) +{ + struct ldap_creds *cp = (struct ldap_creds *) params; + whop = whop; + credp = credp; + methodp = methodp; + freeit = freeit; + return ldap_bind_s(ld, cp->dn, cp->pw, LDAP_AUTH_SIMPLE); +} +#else +#error "No rebind functione defined" +#endif +#else /* HAVE_SUN_LDAP_SDK */ +#if defined(HAVE_SASL_H) || defined(HAVE_SASL_SASL_H) || defined(HAVE_SASL_DARWIN) +static LDAP_REBIND_PROC ldap_sasl_rebind; + +static int +ldap_sasl_rebind( + LDAP * ld, + LDAP_CONST char *url, + ber_tag_t request, + ber_int_t msgid, + void *params) +{ + struct ldap_creds *cp = (struct ldap_creds *) params; + url = url; + request = request; + msgid = msgid; + return tool_sasl_bind(ld, cp->dn, cp->pw); +} +#endif + +static LDAP_REBIND_PROC ldap_simple_rebind; + +static int +ldap_simple_rebind( + LDAP * ld, + LDAP_CONST char *url, + ber_tag_t request, + ber_int_t msgid, + void *params) +{ + + struct ldap_creds *cp = (struct ldap_creds *) params; + url = url; + request = request; + msgid = msgid; + return ldap_bind_s(ld, cp->dn, cp->pw, LDAP_AUTH_SIMPLE); +} + +#endif +char * +convert_domain_to_bind_path(char *domain) +{ + char *dp, *bindp = NULL, *bp = NULL; + int i = 0; + + if (!domain) + return NULL; + + for (dp = domain; *dp; dp++) { + if (*dp == '.') + i++; + } + /* + * add dc= and + * replace . with ,dc= => new length = old length + #dots * 3 + 3 + */ + bindp = (char *) xmalloc(strlen(domain) + 3 + i * 3 + 1); + bp = bindp; + strcpy(bp, "dc="); + bp += 3; + for (dp = domain; *dp; dp++) { + if (*dp == '.') { + strcpy(bp, ",dc="); + bp += 4; + } else + *bp++ = *dp; + } + *bp = '\0'; + return bindp; +} + +char * +escape_filter(char *filter) +{ + int i; + char *ldap_filter_esc, *ldf; + + i = 0; + for (ldap_filter_esc = filter; *ldap_filter_esc; ldap_filter_esc++) { + if ((*ldap_filter_esc == '*') || + (*ldap_filter_esc == '(') || + (*ldap_filter_esc == ')') || + (*ldap_filter_esc == '\\')) + i = i + 3; + } + + ldap_filter_esc = (char *) xcalloc(strlen(filter) + i + 1, sizeof(char)); + ldf = ldap_filter_esc; + for (; *filter; filter++) { + if (*filter == '*') { + strcpy(ldf, "\\2a"); + ldf = ldf + 3; + } else if (*filter == '(') { + strcpy(ldf, "\\28"); + ldf = ldf + 3; + } else if (*filter == ')') { + strcpy(ldf, "\\29"); + ldf = ldf + 3; + } else if (*filter == '\\') { + strcpy(ldf, "\\5c"); + ldf = ldf + 3; + } else { + *ldf = *filter; + ldf++; + } + } + *ldf = '\0'; + + return ldap_filter_esc; +}; + +int +check_AD(struct main_args *margs, LDAP * ld) +{ + LDAPMessage *res; + char **attr_value = NULL; + struct timeval searchtime; + int max_attr = 0; + int j, rc = 0; + +#define FILTER_SCHEMA "(objectclass=*)" +#define ATTRIBUTE_SCHEMA "schemaNamingContext" +#define FILTER_SAM "(ldapdisplayname=samaccountname)" + + searchtime.tv_sec = SEARCH_TIMEOUT; + searchtime.tv_usec = 0; + + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: Search ldap server with bind path \"\" and filter: %s\n", LogTime(), PROGRAM, FILTER_SCHEMA); + rc = ldap_search_ext_s(ld, (char *) "", LDAP_SCOPE_BASE, (char *) FILTER_SCHEMA, NULL, 0, + NULL, NULL, &searchtime, 0, &res); + + if (rc == LDAP_SUCCESS) + max_attr = get_attributes(margs, ld, res, ATTRIBUTE_SCHEMA, &attr_value); + + if (max_attr == 1) { + ldap_msgfree(res); + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: Search ldap server with bind path %s and filter: %s\n", LogTime(), PROGRAM, attr_value[0], FILTER_SAM); + rc = ldap_search_ext_s(ld, attr_value[0], LDAP_SCOPE_SUBTREE, (char *) FILTER_SAM, NULL, 0, + NULL, NULL, &searchtime, 0, &res); + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: Found %d ldap entr%s\n", LogTime(), PROGRAM, ldap_count_entries(ld, res), ldap_count_entries(ld, res) > 1 || ldap_count_entries(ld, res) == 0 ? "ies" : "y"); + if (ldap_count_entries(ld, res) > 0) + margs->AD = 1; + } else { + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: Did not find ldap entry for subschemasubentry\n", LogTime(), PROGRAM); + } + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: Determined ldap server %sas an Active Directory server\n", LogTime(), PROGRAM, margs->AD ? "" : "not "); + /* + * Cleanup + */ + if (attr_value) { + for (j = 0; j < max_attr; j++) { + xfree(attr_value[j]); + } + xfree(attr_value); + attr_value = NULL; + } + ldap_msgfree(res); + return rc; +} +int +search_group_tree(struct main_args *margs, LDAP * ld, char *bindp, char *ldap_group, char *group, int depth) +{ + LDAPMessage *res = NULL; + char **attr_value = NULL; + int max_attr = 0; + char *filter = NULL; + char *search_exp = NULL; + int j, rc = 0, retval = 0; + char *av = NULL, *avp = NULL; + int ldepth; + char *ldap_filter_esc = NULL; + struct timeval searchtime; + +#define FILTER_GROUP_AD "(&(%s)(objectclass=group))" +#define FILTER_GROUP "(&(memberuid=%s)(objectclass=posixgroup))" + + searchtime.tv_sec = SEARCH_TIMEOUT; + searchtime.tv_usec = 0; + + if (margs->AD) + filter = (char *) FILTER_GROUP_AD; + else + filter = (char *) FILTER_GROUP; + + ldap_filter_esc = escape_filter(ldap_group); + + search_exp = (char *) xmalloc(strlen(filter) + strlen(ldap_filter_esc) + 1); + snprintf(search_exp, strlen(filter) + strlen(ldap_filter_esc) + 1, filter, ldap_filter_esc); + + if (ldap_filter_esc) + xfree(ldap_filter_esc); + + if (depth > margs->mdepth) { + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: Max search depth reached %d>%d\n", LogTime(), PROGRAM, depth, margs->mdepth); + return 0; + } + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: Search ldap server with bind path %s and filter : %s\n", LogTime(), PROGRAM, bindp, search_exp); + rc = ldap_search_ext_s(ld, bindp, LDAP_SCOPE_SUBTREE, + search_exp, NULL, 0, + NULL, NULL, &searchtime, 0, &res); + if (search_exp) + xfree(search_exp); + + if (rc != LDAP_SUCCESS) { + fprintf(stderr, "%s| %s: ERROR: Error searching ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); + ldap_unbind_s(ld); + return 0; + } + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: Found %d ldap entr%s\n", LogTime(), PROGRAM, ldap_count_entries(ld, res), ldap_count_entries(ld, res) > 1 || ldap_count_entries(ld, res) == 0 ? "ies" : "y"); + + if (margs->AD) + max_attr = get_attributes(margs, ld, res, ATTRIBUTE_AD, &attr_value); + else + max_attr = get_attributes(margs, ld, res, ATTRIBUTE, &attr_value); + + /* + * Compare group names + */ + retval = 0; + ldepth = depth + 1; + for (j = 0; j < max_attr; j++) { + + /* Compare first CN= value assuming it is the same as the group name itself */ + av = attr_value[j]; + if (!strncasecmp("CN=", av, 3)) { + av += 3; + if ((avp = strchr(av, ','))) { + *avp = '\0'; + } + } + if (margs->debug) { + int n; + fprintf(stderr, "%s| %s: DEBUG: Entry %d \"%s\" in hex UTF-8 is ", LogTime(), PROGRAM, j + 1, av); + for (n = 0; av[n] != '\0'; n++) + fprintf(stderr, "%02x", (unsigned char) av[n]); + fprintf(stderr, "\n"); + } + if (!strcasecmp(group, av)) { + retval = 1; + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: Entry %d \"%s\" matches group name \"%s\"\n", LogTime(), PROGRAM, j + 1, av, group); + break; + } else { + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: Entry %d \"%s\" does not match group name \"%s\"\n", LogTime(), PROGRAM, j + 1, av, group); + } + /* + * Do recursive group search + */ + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: Perform recursive group search for group \"%s\"\n", LogTime(), PROGRAM, av); + av = attr_value[j]; + if (search_group_tree(margs, ld, bindp, av, group, ldepth)) { + retval = 1; + if (!strncasecmp("CN=", av, 3)) { + av += 3; + if ((avp = strchr(av, ','))) { + *avp = '\0'; + } + } + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: Entry %d \"%s\" is member of group named \"%s\"\n", LogTime(), PROGRAM, j + 1, av, group); + else + break; + + } + } + + /* + * Cleanup + */ + if (attr_value) { + for (j = 0; j < max_attr; j++) { + xfree(attr_value[j]); + } + xfree(attr_value); + attr_value = NULL; + } + ldap_msgfree(res); + + return retval; +} + +int +ldap_set_defaults(struct main_args *margs, LDAP * ld) +{ + int val, rc = 0; +#ifdef LDAP_OPT_NETWORK_TIMEOUT + struct timeval tv; +#endif + val = LDAP_VERSION3; + rc = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &val); + if (rc != LDAP_SUCCESS) { + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: Error while setting protocol version: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); + return rc; + } + rc = ldap_set_option(ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF); + if (rc != LDAP_SUCCESS) { + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: Error while setting referrals off: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); + return rc; + } +#ifdef LDAP_OPT_NETWORK_TIMEOUT + tv.tv_sec = CONNECT_TIMEOUT; + tv.tv_usec = 0; + rc = ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT, &tv); + if (rc != LDAP_SUCCESS) { + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: Error while setting network timeout: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); + return rc; + } +#endif /* LDAP_OPT_NETWORK_TIMEOUT */ + return LDAP_SUCCESS; +} + +int +ldap_set_ssl_defaults(struct main_args *margs) +{ +#if defined(HAVE_OPENLDAP) || defined(HAVE_LDAPSSL_CLIENT_INIT) + int rc = 0; +#endif +#ifdef HAVE_OPENLDAP + int val; + char *ssl_cacertfile = NULL; + int free_path; +#elif defined(HAVE_LDAPSSL_CLIENT_INIT) + char *ssl_certdbpath = NULL; +#endif + +#ifdef HAVE_OPENLDAP + if (!margs->rc_allow) { + ssl_cacertfile = getenv("TLS_CACERTFILE"); + free_path = 0; + if (!ssl_cacertfile) { + ssl_cacertfile = xstrdup("/etc/ssl/certs/cert.pem"); + free_path = 1; + } + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: Set certificate file for ldap server to %s.(Changeable through setting environment variable TLS_CACERTFILE)\n", LogTime(), PROGRAM, ssl_cacertfile); + rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, ssl_cacertfile); + if (ssl_cacertfile && free_path) { + xfree(ssl_cacertfile); + ssl_cacertfile = NULL; + } + if (rc != LDAP_OPT_SUCCESS) { + fprintf(stderr, "%s| %s: ERROR: Error while setting LDAP_OPT_X_TLS_CACERTFILE for ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); + return rc; + } + } else { + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: Disable server certificate check for ldap server.\n", LogTime(), PROGRAM); + val = LDAP_OPT_X_TLS_ALLOW; + rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &val); + if (rc != LDAP_SUCCESS) { + fprintf(stderr, "%s| %s: ERROR: Error while setting LDAP_OPT_X_TLS_REQUIRE_CERT ALLOW for ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); + return rc; + } + } +#elif defined(HAVE_LDAPSSL_CLIENT_INIT) + /* + * Solaris SSL ldap calls require path to certificate database + */ +/* + * rc = ldapssl_client_init( ssl_certdbpath, NULL ); + * rc = ldapssl_advclientauth_init( ssl_certdbpath, NULL , 0 , NULL, NULL, 0, NULL, 2); + */ + ssl_certdbpath = getenv("SSL_CERTDBPATH"); + if (!ssl_certdbpath) { + ssl_certdbpath = xstrdup("/etc/certs"); + } + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: Set certificate database path for ldap server to %s.(Changeable through setting environment variable SSL_CERTDBPATH)\n", LogTime(), PROGRAM, ssl_certdbpath); + if (!margs->rc_allow) { + rc = ldapssl_advclientauth_init(ssl_certdbpath, NULL, 0, NULL, NULL, 0, NULL, 2); + } else { + rc = ldapssl_advclientauth_init(ssl_certdbpath, NULL, 0, NULL, NULL, 0, NULL, 0); + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: Disable server certificate check for ldap server.\n", LogTime(), PROGRAM); + } + if (ssl_certdbpath) { + xfree(ssl_certdbpath); + ssl_certdbpath = NULL; + } + if (rc != LDAP_SUCCESS) { + fprintf(stderr, "%s| %s: ERROR: Error while setting SSL for ldap server: %s\n", LogTime(), PROGRAM, ldapssl_err2string(rc)); + return rc; + } +#else + fprintf(stderr, "%s| %s: ERROR: SSL not supported by ldap library\n", LogTime(), PROGRAM); +#endif + return LDAP_SUCCESS; +} + +int +get_attributes(struct main_args *margs, LDAP * ld, LDAPMessage * res, const char *attribute, char ***ret_value) +{ + + LDAPMessage *msg; + char **attr_value = NULL; + int max_attr = 0; + + attr_value = *ret_value; + /* + * loop over attributes + */ + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: Search ldap entries for attribute : %s\n", LogTime(), PROGRAM, attribute); + for (msg = ldap_first_entry(ld, res); msg; msg = ldap_next_entry(ld, msg)) { + + BerElement *b; + char *attr; + + switch (ldap_msgtype(msg)) { + + case LDAP_RES_SEARCH_ENTRY: + + for (attr = ldap_first_attribute(ld, msg, &b); attr; + attr = ldap_next_attribute(ld, msg, b)) { + if (strcasecmp(attr, attribute) == 0) { + struct berval **values; + int il; + + if ((values = ldap_get_values_len(ld, msg, attr)) != NULL) { + for (il = 0; values[il] != NULL; il++) { + + attr_value = (char **) xrealloc(attr_value, (il + 1) * sizeof(char *)); + if (!attr_value) + break; + + attr_value[il] = (char *) xmalloc(values[il]->bv_len + 1); + memcpy(attr_value[il], values[il]->bv_val, values[il]->bv_len); + attr_value[il][values[il]->bv_len] = 0; + } + max_attr = il; + } + ber_bvecfree(values); + } + ldap_memfree(attr); + } + ber_free(b, 0); + break; + case LDAP_RES_SEARCH_REFERENCE: + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: Received a search reference message\n", LogTime(), PROGRAM); + break; + case LDAP_RES_SEARCH_RESULT: + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: Received a search result message\n", LogTime(), PROGRAM); + break; + default: + break; + } + } + + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: %d ldap entr%s found with attribute : %s\n", LogTime(), PROGRAM, max_attr, max_attr > 1 || max_attr == 0 ? "ies" : "y", attribute); + + *ret_value = attr_value; + return max_attr; +} + +/* + * call to open ldap server with or without SSL + */ +LDAP * +tool_ldap_open(struct main_args * margs, char *host, int port, char *ssl) +{ + LDAP *ld; +#ifdef HAVE_OPENLDAP + LDAPURLDesc *url = NULL; + char *ldapuri = NULL; +#endif + int rc = 0; + + /* + * Use ldap open here to check if TCP connection is possible. If possible use it. + * (Not sure if this is the best way) + */ +#ifdef HAVE_OPENLDAP + url = (LDAPURLDesc *) xmalloc(sizeof(*url)); + memset(url, 0, sizeof(*url)); +#ifdef HAVE_LDAP_URL_LUD_SCHEME + if (ssl) + url->lud_scheme = (char *) "ldaps"; + else + url->lud_scheme = (char *) "ldap"; +#endif + url->lud_host = host; + url->lud_port = port; +#ifdef HAVE_LDAP_SCOPE_DEFAULT + url->lud_scope = LDAP_SCOPE_DEFAULT; +#else + url->lud_scope = LDAP_SCOPE_SUBTREE; +#endif +#ifdef HAVE_LDAP_URL_DESC2STR + ldapuri = ldap_url_desc2str(url); +#elif defined(HAVE_LDAP_URL_PARSE) + rc = ldap_url_parse(ldapuri, &url); + if (rc != LDAP_SUCCESS) { + fprintf(stderr, "%s| %s: ERROR: Error while parsing url: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); + if (ldapuri) + xfree(ldapuri); + if (url) + xfree(url); + return NULL; + } +#else +#error "No URL parsing function" +#endif + if (url) { + xfree(url); + url = NULL; + } + rc = ldap_initialize(&ld, ldapuri); + if (ldapuri) + xfree(ldapuri); + if (rc != LDAP_SUCCESS) { + fprintf(stderr, "%s| %s: ERROR: Error while initialising connection to ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); + ldap_unbind(ld); + ld = NULL; + return NULL; + } +#else + ld = ldap_init(host, port); +#endif + rc = ldap_set_defaults(margs, ld); + if (rc != LDAP_SUCCESS) { + fprintf(stderr, "%s| %s: ERROR: Error while setting default options for ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); + ldap_unbind(ld); + ld = NULL; + return NULL; + } + if (ssl) { + /* + * Try Start TLS first + */ + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: Set SSL defaults\n", LogTime(), PROGRAM); + rc = ldap_set_ssl_defaults(margs); + if (rc != LDAP_SUCCESS) { + fprintf(stderr, "%s| %s: ERROR: Error while setting SSL default options for ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); + ldap_unbind(ld); + ld = NULL; + return NULL; + } +#ifdef HAVE_OPENLDAP + /* + * Use tls if possible + */ + rc = ldap_start_tls_s(ld, NULL, NULL); + if (rc != LDAP_SUCCESS) { + fprintf(stderr, "%s| %s: ERROR: Error while setting start_tls for ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); + ldap_unbind(ld); + ld = NULL; + url = (LDAPURLDesc *) xmalloc(sizeof(*url)); + memset(url, 0, sizeof(*url)); +#ifdef HAVE_LDAP_URL_LUD_SCHEME + url->lud_scheme = (char *) "ldaps"; +#endif + url->lud_host = host; + url->lud_port = port; +#ifdef HAVE_LDAP_SCOPE_DEFAULT + url->lud_scope = LDAP_SCOPE_DEFAULT; +#else + url->lud_scope = LDAP_SCOPE_SUBTREE; +#endif +#ifdef HAVE_LDAP_URL_DESC2STR + ldapuri = ldap_url_desc2str(url); +#elif defined(HAVE_LDAP_URL_PARSE) + rc = ldap_url_parse(ldapuri, &url); + if (rc != LDAP_SUCCESS) { + fprintf(stderr, "%s| %s: ERROR: Error while parsing url: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); + if (ldapuri) + xfree(ldapuri); + if (url) + xfree(url); + return NULL; + } +#else +#error "No URL parsing function" +#endif + if (url) { + xfree(url); + url = NULL; + } + rc = ldap_initialize(&ld, ldapuri); + if (ldapuri) + xfree(ldapuri); + if (rc != LDAP_SUCCESS) { + fprintf(stderr, "%s| %s: ERROR: Error while initialising connection to ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); + ldap_unbind(ld); + ld = NULL; + return NULL; + } + rc = ldap_set_defaults(margs, ld); + if (rc != LDAP_SUCCESS) { + fprintf(stderr, "%s| %s: ERROR: Error while setting default options for ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); + ldap_unbind(ld); + ld = NULL; + return NULL; + } + } +#elif defined(HAVE_LDAPSSL_CLIENT_INIT) + ld = ldapssl_init(host, port, 1); + if (!ld) { + fprintf(stderr, "%s| %s: ERROR: Error while setting SSL for ldap server: %s\n", LogTime(), PROGRAM, ldapssl_err2string(rc)); + ldap_unbind(ld); + ld = NULL; + return NULL; + } + rc = ldap_set_defaults(margs, ld); + if (rc != LDAP_SUCCESS) { + fprintf(stderr, "%s| %s: ERROR: Error while setting default options for ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); + ldap_unbind(ld); + ld = NULL; + return NULL; + } +#else + fprintf(stderr, "%s| %s: ERROR: SSL not supported by ldap library\n", LogTime(), PROGRAM); +#endif + } + return ld; +} + +/* + * ldap calls to get attribute from Ldap Directory Server + */ +int +get_memberof(struct main_args *margs, char *user, char *domain, char *group) +{ + LDAP *ld = NULL; + LDAPMessage *res; +#ifndef HAVE_SUN_LDAP_SDK + int ldap_debug = 0; +#endif + struct ldap_creds *lcreds = NULL; + char *bindp = NULL; + char *filter = NULL; + char *search_exp; + struct timeval searchtime; + int i, j, rc = 0, kc = 1; + int retval; + char **attr_value = NULL; + char *av = NULL, *avp = NULL; + int max_attr = 0; + struct hstruct *hlist = NULL; + int nhosts = 0; + char *hostname; + char *host; + int port; + char *ssl = NULL; + char *p; + char *ldap_filter_esc = NULL; + + + searchtime.tv_sec = SEARCH_TIMEOUT; + searchtime.tv_usec = 0; + /* + * Fill Kerberos memory cache with credential from keytab for SASL/GSSAPI + */ + if (domain) { + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: Setup Kerberos credential cache\n", LogTime(), PROGRAM); + + kc = krb5_create_cache(margs, domain); + if (kc) { + fprintf(stderr, "%s| %s: ERROR: Error during setup of Kerberos credential cache\n", LogTime(), PROGRAM); + } + } + if (kc && (!margs->lurl || !margs->luser | !margs->lpass)) { + /* + * If Kerberos fails and no url given exit here + */ + retval = 0; + goto cleanup; + } +#ifndef HAVE_SUN_LDAP_SDK + /* + * Initialise ldap + */ + ldap_debug = 127 /* LDAP_DEBUG_TRACE */ ; + ldap_debug = -1 /* LDAP_DEBUG_ANY */ ; + ldap_debug = 0; + (void) ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, &ldap_debug); +#endif + + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: Initialise ldap connection\n", LogTime(), PROGRAM); + + + if (domain && !kc) { + if (margs->ssl) { + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: Enable SSL to ldap servers\n", LogTime(), PROGRAM); + } + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: Canonicalise ldap server name for domain %s\n", LogTime(), PROGRAM, domain); + /* + * Loop over list of ldap servers of users domain + */ + nhosts = get_ldap_hostname_list(margs, &hlist, 0, domain); + for (i = 0; i < nhosts; i++) { + port = 389; + if (hlist[i].port != -1) + port = hlist[i].port; + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: Setting up connection to ldap server %s:%d\n", LogTime(), PROGRAM, hlist[i].host, port); + + ld = tool_ldap_open(margs, hlist[i].host, port, margs->ssl); + if (!ld) + continue; + + /* + * ldap bind with SASL/GSSAPI authentication (only possible if a domain was part of the username) + */ + +#if defined(HAVE_SASL_H) || defined(HAVE_SASL_SASL_H) || defined(HAVE_SASL_DARWIN) + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: Bind to ldap server with SASL/GSSAPI\n", LogTime(), PROGRAM); + + rc = tool_sasl_bind(ld, bindp, margs->ssl); + if (rc != LDAP_SUCCESS) { + fprintf(stderr, "%s| %s: ERROR: Error while binding to ldap server with SASL/GSSAPI: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); + ldap_unbind(ld); + ld = NULL; + continue; + } + lcreds = (ldap_creds *) xmalloc(sizeof(struct ldap_creds)); + lcreds->dn = bindp ? xstrdup(bindp) : NULL; + lcreds->pw = margs->ssl ? xstrdup(margs->ssl) : NULL; + ldap_set_rebind_proc(ld, ldap_sasl_rebind, (char *) lcreds); + if (ld != NULL) { + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: %s initialised %sconnection to ldap server %s:%d\n", LogTime(), PROGRAM, ld ? "Successfully" : "Failed to", margs->ssl ? "SSL protected " : "", hlist[i].host, port); + break; + } +#else + ldap_unbind(ld); + ld = NULL; + fprintf(stderr, "%s| %s: ERROR: SASL not supported on system\n", LogTime(), PROGRAM); + continue; +#endif + } + nhosts = free_hostname_list(&hlist, nhosts); + if (ld == NULL) { + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: Error during initialisation of ldap connection: %s\n", LogTime(), PROGRAM, strerror(errno)); + } + bindp = convert_domain_to_bind_path(domain); + } + if ((!domain || !ld) && margs->lurl && strstr(margs->lurl, "://")) { + /* + * If username does not contain a domain and a url was given then try it + */ + hostname = strstr(margs->lurl, "://") + 3; + ssl = strstr(margs->lurl, "ldaps://"); + if (ssl) { + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: Enable SSL to ldap servers\n", LogTime(), PROGRAM); + } + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: Canonicalise ldap server name %s\n", LogTime(), PROGRAM, hostname); + /* + * Loop over list of ldap servers + */ + host = xstrdup(hostname); + port = 389; + if ((p = strchr(host, ':'))) { + *p = '\0'; + p++; + port = atoi(p); + } + nhosts = get_hostname_list(margs, &hlist, 0, host); + if (host) + xfree(host); + host = NULL; + for (i = 0; i < nhosts; i++) { + + ld = tool_ldap_open(margs, hlist[i].host, port, ssl); + if (!ld) + continue; + /* + * ldap bind with username/password authentication + */ + + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: Bind to ldap server with Username/Password\n", LogTime(), PROGRAM); + rc = ldap_simple_bind_s(ld, margs->luser, margs->lpass); + if (rc != LDAP_SUCCESS) { + fprintf(stderr, "%s| %s: ERROR: Error while binding to ldap server with Username/Password: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); + ldap_unbind(ld); + ld = NULL; + continue; + } + lcreds = (ldap_creds *) xmalloc(sizeof(struct ldap_creds)); + lcreds->dn = xstrdup(margs->luser); + lcreds->pw = xstrdup(margs->lpass); + ldap_set_rebind_proc(ld, ldap_simple_rebind, (char *) lcreds); + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: %s set up %sconnection to ldap server %s:%d\n", LogTime(), PROGRAM, ld ? "Successfully" : "Failed to", ssl ? "SSL protected " : "", hlist[i].host, port); + break; + + } + nhosts = free_hostname_list(&hlist, nhosts); + if (bindp) + xfree(bindp); + if (margs->lbind) { + bindp = xstrdup(margs->lbind); + } else { + bindp = convert_domain_to_bind_path(domain); + } + } + if (ld == NULL) { + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: Error during initialisation of ldap connection: %s\n", LogTime(), PROGRAM, strerror(errno)); + retval = 0; + goto cleanup; + } + /* + * ldap search for user + */ + /* + * Check if server is AD by querying for attribute samaccountname + */ + margs->AD = 0; + rc = check_AD(margs, ld); + if (rc != LDAP_SUCCESS) { + fprintf(stderr, "%s| %s: ERROR: Error determining ldap server type: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); + ldap_unbind(ld); + ld = NULL; + retval = 0; + goto cleanup; + } + if (margs->AD) + filter = (char *) FILTER_AD; + else + filter = (char *) FILTER; + + ldap_filter_esc = escape_filter(user); + + search_exp = (char *) xmalloc(strlen(filter) + strlen(ldap_filter_esc) + 1); + snprintf(search_exp, strlen(filter) + strlen(ldap_filter_esc) + 1, filter, ldap_filter_esc); + + if (ldap_filter_esc) + xfree(ldap_filter_esc); + + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: Search ldap server with bind path %s and filter : %s\n", LogTime(), PROGRAM, bindp, search_exp); + rc = ldap_search_ext_s(ld, bindp, LDAP_SCOPE_SUBTREE, + search_exp, NULL, 0, + NULL, NULL, &searchtime, 0, &res); + if (search_exp) + xfree(search_exp); + + if (rc != LDAP_SUCCESS) { + fprintf(stderr, "%s| %s: ERROR: Error searching ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); + ldap_unbind(ld); + ld = NULL; + retval = 0; + goto cleanup; + } + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: Found %d ldap entr%s\n", LogTime(), PROGRAM, ldap_count_entries(ld, res), ldap_count_entries(ld, res) > 1 || ldap_count_entries(ld, res) == 0 ? "ies" : "y"); + + if (ldap_count_entries(ld, res) != 0) { + + if (margs->AD) + max_attr = get_attributes(margs, ld, res, ATTRIBUTE_AD, &attr_value); + else { + max_attr = get_attributes(margs, ld, res, ATTRIBUTE, &attr_value); + } + + /* + * Compare group names + */ + retval = 0; + for (j = 0; j < max_attr; j++) { + + /* Compare first CN= value assuming it is the same as the group name itself */ + av = attr_value[j]; + if (!strncasecmp("CN=", av, 3)) { + av += 3; + if ((avp = strchr(av, ','))) { + *avp = '\0'; + } + } + if (margs->debug) { + int n; + fprintf(stderr, "%s| %s: DEBUG: Entry %d \"%s\" in hex UTF-8 is ", LogTime(), PROGRAM, j + 1, av); + for (n = 0; av[n] != '\0'; n++) + fprintf(stderr, "%02x", (unsigned char) av[n]); + fprintf(stderr, "\n"); + } + if (!strcasecmp(group, av)) { + retval = 1; + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: Entry %d \"%s\" matches group name \"%s\"\n", LogTime(), PROGRAM, j + 1, av, group); + else + break; + } else { + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: Entry %d \"%s\" does not match group name \"%s\"\n", LogTime(), PROGRAM, j + 1, av, group); + } + } + /* + * Do recursive group search for AD only since posixgroups can not contain other groups + */ + if (!retval && margs->AD) { + if (margs->debug && max_attr > 0) + fprintf(stderr, "%s| %s: DEBUG: Perform recursive group search\n", LogTime(), PROGRAM); + for (j = 0; j < max_attr; j++) { + + av = attr_value[j]; + if (search_group_tree(margs, ld, bindp, av, group, 1)) { + retval = 1; + if (!strncasecmp("CN=", av, 3)) { + av += 3; + if ((avp = strchr(av, ','))) { + *avp = '\0'; + } + } + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: Entry %d group \"%s\" is (in)direct member of group \"%s\"\n", LogTime(), PROGRAM, j + 1, av, group); + else + break; + } + } + } + /* + * Cleanup + */ + if (attr_value) { + for (j = 0; j < max_attr; j++) { + xfree(attr_value[j]); + } + xfree(attr_value); + attr_value = NULL; + } + ldap_msgfree(res); + } else if (ldap_count_entries(ld, res) == 0 && margs->AD) { + ldap_msgfree(res); + ldap_unbind(ld); + ld = NULL; + retval = 0; + goto cleanup; + } else { + ldap_msgfree(res); + retval = 0; + } + + if (!margs->AD && retval == 0) { + /* + * Check for primary Group membership + */ + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: Search for primary group membership: \"%s\"\n", LogTime(), PROGRAM, group); + filter = (char *) FILTER_UID; + + ldap_filter_esc = escape_filter(user); + + search_exp = (char *) xmalloc(strlen(filter) + strlen(ldap_filter_esc) + 1); + snprintf(search_exp, strlen(filter) + strlen(ldap_filter_esc) + 1, filter, ldap_filter_esc); + + if (ldap_filter_esc) + xfree(ldap_filter_esc); + + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: Search ldap server with bind path %s and filter: %s\n", LogTime(), PROGRAM, bindp, search_exp); + rc = ldap_search_ext_s(ld, bindp, LDAP_SCOPE_SUBTREE, + search_exp, NULL, 0, + NULL, NULL, &searchtime, 0, &res); + if (search_exp) + xfree(search_exp); + + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: Found %d ldap entr%s\n", LogTime(), PROGRAM, ldap_count_entries(ld, res), ldap_count_entries(ld, res) > 1 || ldap_count_entries(ld, res) == 0 ? "ies" : "y"); + + max_attr = get_attributes(margs, ld, res, ATTRIBUTE_GID, &attr_value); + + if (max_attr == 1) { + char **attr_value_2 = NULL; + int max_attr_2 = 0; + + ldap_msgfree(res); + filter = (char *) FILTER_GID; + + ldap_filter_esc = escape_filter(attr_value[0]); + + search_exp = (char *) xmalloc(strlen(filter) + strlen(ldap_filter_esc) + 1); + snprintf(search_exp, strlen(filter) + strlen(ldap_filter_esc) + 1, filter, ldap_filter_esc); + + if (ldap_filter_esc) + xfree(ldap_filter_esc); + + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: Search ldap server with bind path %s and filter: %s\n", LogTime(), PROGRAM, bindp, search_exp); + rc = ldap_search_ext_s(ld, bindp, LDAP_SCOPE_SUBTREE, + search_exp, NULL, 0, + NULL, NULL, &searchtime, 0, &res); + if (search_exp) + xfree(search_exp); + + max_attr_2 = get_attributes(margs, ld, res, ATTRIBUTE, &attr_value_2); + /* + * Compare group names + */ + retval = 0; + if (max_attr_2 == 1) { + + /* Compare first CN= value assuming it is the same as the group name itself */ + av = attr_value_2[0]; + if (!strcasecmp(group, av)) { + retval = 1; + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: \"%s\" matches group name \"%s\"\n", LogTime(), PROGRAM, av, group); + } else { + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: \"%s\" does not match group name \"%s\"\n", LogTime(), PROGRAM, av, group); + } + + } + /* + * Cleanup + */ + if (attr_value_2) { + for (j = 0; j < max_attr_2; j++) { + xfree(attr_value_2[j]); + } + xfree(attr_value_2); + attr_value_2 = NULL; + } + ldap_msgfree(res); + + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: Users primary group %s %s\n", LogTime(), PROGRAM, retval ? "matches" : "does not match", group); + + } else { + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: Did not find ldap entry for group %s\n", LogTime(), PROGRAM, group); + } + /* + * Cleanup + */ + if (attr_value) { + for (j = 0; j < max_attr; j++) { + xfree(attr_value[j]); + } + xfree(attr_value); + attr_value = NULL; + } + } + rc = ldap_unbind(ld); + ld = NULL; + if (rc != LDAP_SUCCESS) { + fprintf(stderr, "%s| %s: ERROR: Error unbind ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); + } + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: Unbind ldap server\n", LogTime(), PROGRAM); + cleanup: + if (domain) + krb5_cleanup(); + if (lcreds) { + if (lcreds->dn) + xfree(lcreds->dn); + if (lcreds->pw) + xfree(lcreds->pw); + xfree(lcreds); + } + if (bindp) + xfree(bindp); + bindp = NULL; + return (retval); + +} +#endif diff -Nur squid-3/helpers/external_acl/kerberos_ldap_group/support_log.cc squid-3-krb5/helpers/external_acl/kerberos_ldap_group/support_log.cc --- squid-3/helpers/external_acl/kerberos_ldap_group/support_log.cc 1970-01-01 01:00:00.000000000 +0100 +++ squid-3-krb5/helpers/external_acl/kerberos_ldap_group/support_log.cc 2010-06-05 13:16:50.000000000 +0100 @@ -0,0 +1,50 @@ +/* + * ----------------------------------------------------------------------------- + * + * Author: Markus Moeller (markus_moeller at compuserve.com) + * + * Copyright (C) 2007 Markus Moeller. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA. + * + * ----------------------------------------------------------------------------- + */ + +#include "config.h" + +#ifdef HAVE_LDAP + +#include "support.h" +#ifdef HAVE_TIME_H +#include +#endif + +const char * +LogTime() +{ + struct tm *tm; + struct timeval now; + static time_t last_t = 0; + static char buf[128]; + + gettimeofday(&now, NULL); + if (now.tv_sec != last_t) { + tm = localtime(&now.tv_sec); + strftime(buf, 127, "%Y/%m/%d %H:%M:%S", tm); + last_t = now.tv_sec; + } + return buf; +} +#endif diff -Nur squid-3/helpers/external_acl/kerberos_ldap_group/support_member.cc squid-3-krb5/helpers/external_acl/kerberos_ldap_group/support_member.cc --- squid-3/helpers/external_acl/kerberos_ldap_group/support_member.cc 1970-01-01 01:00:00.000000000 +0100 +++ squid-3-krb5/helpers/external_acl/kerberos_ldap_group/support_member.cc 2010-06-05 13:16:50.000000000 +0100 @@ -0,0 +1,132 @@ +/* + * ----------------------------------------------------------------------------- + * + * Author: Markus Moeller (markus_moeller at compuserve.com) + * + * Copyright (C) 2007 Markus Moeller. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA. + * + * ----------------------------------------------------------------------------- + */ + +#include "config.h" +#include "util.h" + +#ifdef HAVE_LDAP + +#include "support.h" + +int +check_memberof(struct main_args *margs, char *user, char *domain) +{ + + /* + * Check order: + * + * 1. Check domain against list of groups per domain + * 1a. If domain does not exist in list try default domain + * 1b. If default domain does not exist use default group against ldap url with user/password + * 1c. If default group does not exist exit with error. + * 2. Query ldap membership + * 2a. Use GSSAPI/SASL with HTTP/fqdn@DOMAIN credentials from keytab + * 2b. Use username/password with TLS + * + */ + struct gdstruct *gr; + int found = 0; + + + /* Check users domain */ + + gr = margs->groups; + while (gr && domain) { + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: User domain loop: group@domain %s@%s\n", LogTime(), PROGRAM, gr->group, gr->domain ? gr->domain : "NULL"); + if (gr->domain && !strcasecmp(gr->domain, domain)) { + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: Found group@domain %s@%s\n", LogTime(), PROGRAM, gr->group, gr->domain); + /* query ldap */ + if (get_memberof(margs, user, domain, gr->group)) { + if (margs->debug || margs->log) + fprintf(stderr, "%s| %s: INFO: User %s is member of group@domain %s@%s\n", LogTime(), PROGRAM, user, gr->group, gr->domain); + found++; + break; + } else { + if (margs->debug || margs->log) + fprintf(stderr, "%s| %s: INFO: User %s is not member of group@domain %s@%s\n", LogTime(), PROGRAM, user, gr->group, gr->domain); + } + } + gr = gr->next; + } + + if (found) + return (1); + + /* Check default domain */ + + gr = margs->groups; + while (gr && domain) { + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: Default domain loop: group@domain %s@%s\n", LogTime(), PROGRAM, gr->group, gr->domain ? gr->domain : "NULL"); + if (gr->domain && !strcasecmp(gr->domain, "")) { + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: Found group@domain %s@%s\n", LogTime(), PROGRAM, gr->group, gr->domain); + /* query ldap */ + if (get_memberof(margs, user, domain, gr->group)) { + if (margs->debug || margs->log) + fprintf(stderr, "%s| %s: INFO: User %s is member of group@domain %s@%s\n", LogTime(), PROGRAM, user, gr->group, gr->domain); + found++; + break; + } else { + if (margs->debug || margs->log) + fprintf(stderr, "%s| %s: INFO: User %s is not member of group@domain %s@%s\n", LogTime(), PROGRAM, user, gr->group, gr->domain); + } + } + gr = gr->next; + } + + if (found) + return (1); + + /* Check default group with ldap url */ + + gr = margs->groups; + while (gr) { + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: Default group loop: group@domain %s@%s\n", LogTime(), PROGRAM, gr->group, gr->domain ? gr->domain : "NULL"); + if (!gr->domain) { + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: Found group@domain %s@%s\n", LogTime(), PROGRAM, gr->group, gr->domain ? gr->domain : "NULL"); + /* query ldap */ + if (get_memberof(margs, user, domain, gr->group)) { + if (margs->debug || margs->log) + fprintf(stderr, "%s| %s: INFO: User %s is member of group@domain %s@%s\n", LogTime(), PROGRAM, user, gr->group, gr->domain ? gr->domain : "NULL"); + found++; + break; + } else { + if (margs->debug || margs->log) + fprintf(stderr, "%s| %s: INFO: User %s is not member of group@domain %s@%s\n", LogTime(), PROGRAM, user, gr->group, gr->domain ? gr->domain : "NULL"); + } + } + gr = gr->next; + } + + if (found) + return (1); + + return (0); +} +#endif diff -Nur squid-3/helpers/external_acl/kerberos_ldap_group/support_netbios.cc squid-3-krb5/helpers/external_acl/kerberos_ldap_group/support_netbios.cc --- squid-3/helpers/external_acl/kerberos_ldap_group/support_netbios.cc 1970-01-01 01:00:00.000000000 +0100 +++ squid-3-krb5/helpers/external_acl/kerberos_ldap_group/support_netbios.cc 2010-06-05 13:16:50.000000000 +0100 @@ -0,0 +1,163 @@ +/* + * ----------------------------------------------------------------------------- + * + * Author: Markus Moeller (markus_moeller at compuserve.com) + * + * Copyright (C) 2007 Markus Moeller. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA. + * + * ----------------------------------------------------------------------------- + */ + +#include "config.h" +#include "util.h" + +#ifdef HAVE_LDAP + +#include "support.h" + +struct ndstruct *init_nd(void); + +struct ndstruct * +init_nd(void) +{ + struct ndstruct *ndsp; + ndsp = (struct ndstruct *) xmalloc(sizeof(struct ndstruct)); + ndsp->netbios = NULL; + ndsp->domain = NULL; + ndsp->next = NULL; + return ndsp; +} + +int +create_nd(struct main_args *margs) +{ + char *np, *dp; + char *p; + struct ndstruct *ndsp = NULL, *ndspn = NULL; + /* + * netbios list format: + * + * nlist=Pattern1[:Pattern2] + * + * Pattern=NetbiosName@Domain Netbios Name for a specific Kerberos domain + * ndstruct.domain=Domain, ndstruct.netbios=NetbiosName + * + * + */ + p = margs->nlist; + np = margs->nlist; + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: Netbios list %s\n", LogTime(), PROGRAM, margs->nlist ? margs->nlist : "NULL"); + dp = NULL; + + if (!p) { + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: No netbios names defined.\n", LogTime(), PROGRAM); + return (0); + } + while (*p) { /* loop over group list */ + if (*p == '\n' || *p == '\r') { /* Ignore CR and LF if exist */ + p++; + continue; + } + if (*p == '@') { /* end of group name - start of domain name */ + if (p == np) { /* empty group name not allowed */ + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: No netbios name defined for domain %s\n", LogTime(), PROGRAM, p); + return (1); + } + *p = '\0'; + p++; + ndsp = init_nd(); + ndsp->netbios = xstrdup(np); + if (ndspn) /* Have already an existing structure */ + ndsp->next = ndspn; + dp = p; /* after @ starts new domain name */ + } else if (*p == ':') { /* end of group name or end of domain name */ + if (p == np) { /* empty group name not allowed */ + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: No netbios name defined for domain %s\n", LogTime(), PROGRAM, p); + return (1); + } + *p = '\0'; + p++; + if (dp) { /* end of domain name */ + ndsp->domain = xstrdup(dp); + dp = NULL; + } else { /* end of group name and no domain name */ + ndsp = init_nd(); + ndsp->netbios = xstrdup(np); + if (ndspn) /* Have already an existing structure */ + ndsp->next = ndspn; + } + ndspn = ndsp; + np = p; /* after : starts new group name */ + if (!ndsp->domain || !strcmp(ndsp->domain, "")) { + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: No domain defined for netbios name %s\n", LogTime(), PROGRAM, ndsp->netbios); + return (1); + } + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: Netbios name %s Domain %s\n", LogTime(), PROGRAM, ndsp->netbios, ndsp->domain); + } else + p++; + } + if (p == np) { /* empty group name not allowed */ + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: No netbios name defined for domain %s\n", LogTime(), PROGRAM, p); + return (1); + } + if (dp) { /* end of domain name */ + ndsp->domain = xstrdup(dp); + } else { /* end of group name and no domain name */ + ndsp = init_nd(); + ndsp->netbios = xstrdup(np); + if (ndspn) /* Have already an existing structure */ + ndsp->next = ndspn; + } + if (!ndsp->domain || !strcmp(ndsp->domain, "")) { + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: No domain defined for netbios name %s\n", LogTime(), PROGRAM, ndsp->netbios); + return (1); + } + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: Netbios name %s Domain %s\n", LogTime(), PROGRAM, ndsp->netbios, ndsp->domain); + + margs->ndoms = ndsp; + return (0); +} + +char * +get_netbios_name(struct main_args *margs, char *netbios) +{ + struct ndstruct *nd; + + nd = margs->ndoms; + while (nd && netbios) { + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: Netbios domain loop: netbios@domain %s@%s\n", LogTime(), PROGRAM, nd->netbios, nd->domain); + if (nd->netbios && !strcasecmp(nd->netbios, netbios)) { + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: Found netbios@domain %s@%s\n", LogTime(), PROGRAM, nd->netbios, nd->domain); + return (nd->domain); + } + nd = nd->next; + } + + return NULL; +} +#endif diff -Nur squid-3/helpers/external_acl/kerberos_ldap_group/support_resolv.cc squid-3-krb5/helpers/external_acl/kerberos_ldap_group/support_resolv.cc --- squid-3/helpers/external_acl/kerberos_ldap_group/support_resolv.cc 1970-01-01 01:00:00.000000000 +0100 +++ squid-3-krb5/helpers/external_acl/kerberos_ldap_group/support_resolv.cc 2010-06-05 13:16:50.000000000 +0100 @@ -0,0 +1,423 @@ +/* + * ----------------------------------------------------------------------------- + * + * Author: Markus Moeller (markus_moeller at compuserve.com) + * + * Copyright (C) 2007 Markus Moeller. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA. + * + * ----------------------------------------------------------------------------- + */ + +#include "config.h" +#include "util.h" + +#ifdef HAVE_LDAP + +#include "support.h" +#ifdef HAVE_ERRNO_H +#include +#endif +#ifdef HAVE_NETDB_H +#include +#endif +#ifdef HAVE_NETINET_IN_H +#include +#endif +#ifdef HAVE_RESOLV_H +#include +#endif +#ifdef HAVE_ARPA_NAMESER_H +#include +#endif + +void nsError(int error, char *server); +static int compare_hosts(struct hstruct *h1, struct hstruct *h2); +static void swap(struct hstruct *a, struct hstruct *b); +static void sort(struct hstruct *array, int nitems, int (*cmp) (struct hstruct *, struct hstruct *), int begin, int end); +static void msort(struct hstruct *array, size_t nitems, int (*cmp) (struct hstruct *, struct hstruct *)); + +/* + * See http://www.ietf.org/rfc/rfc1035.txt + */ +/* + * See http://www.ietf.org/rfc/rfc2782.txt + * + */ +void +nsError(int error, char *service) +{ + switch (error) { + case HOST_NOT_FOUND: + fprintf(stderr, "%s| %s: ERROR: res_search: Unknown service record: %s\n", LogTime(), PROGRAM, service); + break; + case NO_DATA: + fprintf(stderr, "%s| %s: ERROR: res_search: No SRV record for %s\n", LogTime(), PROGRAM, service); + break; + case TRY_AGAIN: + fprintf(stderr, "%s| %s: ERROR: res_search: No response for SRV query\n", LogTime(), PROGRAM); + break; + default: + fprintf(stderr, "%s| %s: ERROR: res_search: Unexpected error: %s\n", LogTime(), PROGRAM, strerror(error)); + } +} + +static void +swap(struct hstruct *a, struct hstruct *b) +{ + struct hstruct c; + + c.host = a->host; + c.priority = a->priority; + c.weight = a->weight; + a->priority = b->priority; + a->weight = b->weight; + b->host = c.host; + b->priority = c.priority; + b->weight = c.weight; +} + +static void +sort(struct hstruct *array, int nitems, int (*cmp) (struct hstruct *, struct hstruct *), int begin, int end) +{ + if (end > begin) { + int pivot = begin; + int l = begin + 1; + int r = end; + while (l < r) { + if (cmp(&array[l], &array[pivot]) <= 0) { + l += 1; + } else { + r -= 1; + swap(&array[l], &array[r]); + } + } + l -= 1; + swap(&array[begin], &array[l]); + sort(array, nitems, cmp, begin, l); + sort(array, nitems, cmp, r, end); + } +} + +static void +msort(struct hstruct *array, size_t nitems, int (*cmp) (struct hstruct *, struct hstruct *)) +{ + sort(array, nitems, cmp, 0, nitems - 1); +} + +static int +compare_hosts(struct hstruct *host1, struct hstruct *host2) +{ + /* + * + * The comparison function must return an integer less than, equal to, + * or greater than zero if the first argument is considered to be + * respectively less than, equal to, or greater than the second. + */ + if ((host1->priority < host2->priority) && (host1->priority != -1)) + return -1; + if ((host1->priority < host2->priority) && (host1->priority == -1)) + return 1; + if ((host1->priority > host2->priority) && (host2->priority != -1)) + return 1; + if ((host1->priority > host2->priority) && (host2->priority == -1)) + return -1; + if (host1->priority == host2->priority) { + if (host1->weight > host2->weight) + return -1; + if (host1->weight < host2->weight) + return 1; + } + return 0; +} + +int +free_hostname_list(struct hstruct **hlist, int nhosts) +{ + struct hstruct *hp = NULL; + int i; + + hp = *hlist; + for (i = 0; i < nhosts; i++) { + if (hp[i].host) + xfree(hp[i].host); + hp[i].host = NULL; + } + + + if (hp) + xfree(hp); + hp = NULL; + *hlist = hp; + return 0; +} + +int +get_hostname_list(struct main_args *margs, struct hstruct **hlist, int nhosts, char *name) +{ + /* + char host[sysconf(_SC_HOST_NAME_MAX)]; + */ + char host[1024]; + struct addrinfo *hres = NULL, *hres_list; + int rc, count; + struct hstruct *hp = NULL; + + if (!name) + return (nhosts); + + hp = *hlist; + rc = getaddrinfo((const char *) name, NULL, NULL, &hres); + if (rc != 0) { + fprintf(stderr, "%s| %s: ERROR: Error while resolving hostname with getaddrinfo: %s\n", LogTime(), PROGRAM, gai_strerror(rc)); + return (nhosts); + } + hres_list = hres; + count = 0; + while (hres_list) { + count++; + hres_list = hres_list->ai_next; + } + hres_list = hres; + count = 0; + while (hres_list) { + rc = getnameinfo(hres_list->ai_addr, hres_list->ai_addrlen, host, sizeof(host), NULL, 0, 0); + if (rc != 0) { + fprintf(stderr, "%s| %s: ERROR: Error while resolving ip address with getnameinfo: %s\n", LogTime(), PROGRAM, gai_strerror(rc)); + freeaddrinfo(hres); + *hlist = hp; + return (nhosts); + } + count++; + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: Resolved address %d of %s to %s\n", LogTime(), PROGRAM, count, name, host); + + hp = (struct hstruct *) xrealloc(hp, sizeof(struct hstruct) * (nhosts + 1)); + hp[nhosts].host = xstrdup(host); + hp[nhosts].port = -1; + hp[nhosts].priority = -1; + hp[nhosts].weight = -1; + nhosts++; + + hres_list = hres_list->ai_next; + } + + freeaddrinfo(hres); + *hlist = hp; + return (nhosts); +} + +int +get_ldap_hostname_list(struct main_args *margs, struct hstruct **hlist, int nh, char *domain) +{ + + /* + char name[sysconf(_SC_HOST_NAME_MAX)]; + */ + char name[1024]; + char host[NS_MAXDNAME]; + char *service; + struct hstruct *hp = NULL; + int nhosts = 0; + int size; + int type, rdlength; + int priority, weight, port; + int len, olen; + int i, j, k; + u_char *buffer; + u_char *p; + + if (margs->ssl) { + service = (char *) xmalloc(strlen("_ldaps._tcp.") + strlen(domain) + 1); + strcpy(service, "_ldaps._tcp."); + } else { + service = (char *) xmalloc(strlen("_ldap._tcp.") + strlen(domain) + 1); + strcpy(service, "_ldap._tcp."); + } + strcat(service, domain); + +#ifndef PACKETSZ_MULT +/* + * It seems Solaris doesn't give back the real length back when res_search uses a to small buffer + * Set a bigger one here + */ +#define PACKETSZ_MULT 10 +#endif + + hp = *hlist; + buffer = (u_char *) xmalloc(PACKETSZ_MULT * NS_PACKETSZ); + if ((len = res_search(service, ns_c_in, ns_t_srv, (u_char *) buffer, PACKETSZ_MULT * NS_PACKETSZ)) < 0) { + fprintf(stderr, "%s| %s: ERROR: Error while resolving service record %s with res_search\n", LogTime(), PROGRAM, service); + nsError(h_errno, service); + if (margs->ssl) { + xfree(service); + service = (char *) xmalloc(strlen("_ldap._tcp.") + strlen(domain) + 1); + strcpy(service, "_ldap._tcp."); + strcat(service, domain); + if ((len = res_search(service, ns_c_in, ns_t_srv, (u_char *) buffer, PACKETSZ_MULT * NS_PACKETSZ)) < 0) { + fprintf(stderr, "%s| %s: ERROR: Error while resolving service record %s with res_search\n", LogTime(), PROGRAM, service); + nsError(h_errno, service); + goto cleanup; + } + } else { + goto cleanup; + } + } + if (len > PACKETSZ_MULT * NS_PACKETSZ) { + olen = len; + buffer = (u_char *) xrealloc(buffer, len); + if ((len = res_search(service, ns_c_in, ns_t_srv, (u_char *) buffer, len)) < 0) { + fprintf(stderr, "%s| %s: ERROR: Error while resolving service record %s with res_search\n", LogTime(), PROGRAM, service); + nsError(h_errno, service); + goto cleanup; + } + if (len > olen) { + fprintf(stderr, "%s| %s: ERROR: Reply to big: buffer: %d reply length: %d\n", LogTime(), PROGRAM, olen, len); + goto cleanup; + } + } + p = buffer; + p += 6 * NS_INT16SZ; /* Header(6*16bit) = id + flags + 4*section count */ + if (p > buffer + len) { + fprintf(stderr, "%s| %s: ERROR: Message to small: %d < header size\n", LogTime(), PROGRAM, len); + goto cleanup; + } + if ((size = dn_expand(buffer, buffer + len, p, name, sysconf(_SC_HOST_NAME_MAX))) < 0) { + fprintf(stderr, "%s| %s: ERROR: Error while expanding query name with dn_expand: %s\n", LogTime(), PROGRAM, strerror(errno)); + goto cleanup; + } + p += size; /* Query name */ + p += 2 * NS_INT16SZ; /* Query type + class (2*16bit) */ + if (p > buffer + len) { + fprintf(stderr, "%s| %s: ERROR: Message to small: %d < header + query name,type,class \n", LogTime(), PROGRAM, len); + goto cleanup; + } + while (p < buffer + len) { + if ((size = dn_expand(buffer, buffer + len, p, name, sysconf(_SC_HOST_NAME_MAX))) < 0) { + fprintf(stderr, "%s| %s: ERROR: Error while expanding answer name with dn_expand: %s\n", LogTime(), PROGRAM, strerror(errno)); + goto cleanup; + } + p += size; /* Resource Record name */ + if (p > buffer + len) { + fprintf(stderr, "%s| %s: ERROR: Message to small: %d < header + query name,type,class + answer name\n", LogTime(), PROGRAM, len); + goto cleanup; + } + NS_GET16(type, p); /* RR type (16bit) */ + p += NS_INT16SZ + NS_INT32SZ; /* RR class + ttl (16bit+32bit) */ + if (p > buffer + len) { + fprintf(stderr, "%s| %s: ERROR: Message to small: %d < header + query name,type,class + answer name + RR type,class,ttl\n", LogTime(), PROGRAM, len); + goto cleanup; + } + NS_GET16(rdlength, p); /* RR data length (16bit) */ + + if (type == ns_t_srv) { /* SRV record */ + if (p > buffer + len) { + fprintf(stderr, "%s| %s: ERROR: Message to small: %d < header + query name,type,class + answer name + RR type,class,ttl + RR data length\n", LogTime(), PROGRAM, len); + goto cleanup; + } + NS_GET16(priority, p); /* Priority (16bit) */ + if (p > buffer + len) { + fprintf(stderr, "%s| %s: ERROR: Message to small: %d < SRV RR + priority\n", LogTime(), PROGRAM, len); + goto cleanup; + } + NS_GET16(weight, p); /* Weight (16bit) */ + if (p > buffer + len) { + fprintf(stderr, "%s| %s: ERROR: Message to small: %d < SRV RR + priority + weight\n", LogTime(), PROGRAM, len); + goto cleanup; + } + NS_GET16(port, p); /* Port (16bit) */ + if (p > buffer + len) { + fprintf(stderr, "%s| %s: ERROR: Message to small: %d < SRV RR + priority + weight + port\n", LogTime(), PROGRAM, len); + goto cleanup; + } + if ((size = dn_expand(buffer, buffer + len, p, host, NS_MAXDNAME)) < 0) { + fprintf(stderr, "%s| %s: ERROR: Error while expanding SRV RR name with dn_expand: %s\n", LogTime(), PROGRAM, strerror(errno)); + goto cleanup; + } + if (margs->debug) + fprintf(stderr, "%s| %s: DEBUG: Resolved SRV %s record to %s\n", LogTime(), PROGRAM, service, host); + hp = (struct hstruct *) xrealloc(hp, sizeof(struct hstruct) * (nh + 1)); + hp[nh].host = xstrdup(host); + hp[nh].port = port; + hp[nh].priority = priority; + hp[nh].weight = weight; + nh++; + p += size; + } else { + p += rdlength; + } + if (p > buffer + len) { + fprintf(stderr, "%s| %s: ERROR: Message to small: %d < SRV RR + priority + weight + port + name\n", LogTime(), PROGRAM, len); + goto cleanup; + } + } + if (p != buffer + len) { +#if (SIZEOF_LONG == 8) + fprintf(stderr, "%s| %s: ERROR: Inconsistence message length: %ld!=0\n", LogTime(), PROGRAM, buffer + len - p); +#else + fprintf(stderr, "%s| %s: ERROR: Inconsistence message length: %d!=0\n", LogTime(), PROGRAM, buffer + len - p); +#endif + goto cleanup; + } + nhosts = get_hostname_list(margs, &hp, nh, domain); + + /* Remove duplicates */ + for (i = 0; i < nhosts; i++) { + for (j = i + 1; j < nhosts; j++) { + if (!strcasecmp(hp[i].host, hp[j].host)) { + if (hp[i].port == hp[j].port || + (hp[i].port == -1 && hp[j].port == 389) || + (hp[i].port == 389 && hp[j].port == -1)) { + xfree(hp[j].host); + for (k = j + 1; k < nhosts; k++) { + hp[k - 1].host = hp[k].host; + hp[k - 1].port = hp[k].port; + hp[k - 1].priority = hp[k].priority; + hp[k - 1].weight = hp[k].weight; + } + j--; + nhosts--; + hp = (struct hstruct *) xrealloc(hp, sizeof(struct hstruct) * (nhosts + 1)); + } + } + } + } + + /* Sort by Priority / Weight */ + msort(hp, nhosts, compare_hosts); + + if (margs->debug) { + fprintf(stderr, "%s| %s: DEBUG: Sorted ldap server names for domain %s:\n", LogTime(), PROGRAM, domain); + for (i = 0; i < nhosts; i++) { + fprintf(stderr, "%s| %s: DEBUG: Host: %s Port: %d Priority: %d Weight: %d\n", LogTime(), PROGRAM, hp[i].host, hp[i].port, hp[i].priority, hp[i].weight); + } + } + if (buffer) + xfree(buffer); + if (service) + xfree(service); + *hlist = hp; + return (nhosts); + + cleanup: + if (buffer) + xfree(buffer); + if (service) + xfree(service); + *hlist = hp; + return (nhosts); +} +#endif diff -Nur squid-3/helpers/external_acl/kerberos_ldap_group/support_sasl.cc squid-3-krb5/helpers/external_acl/kerberos_ldap_group/support_sasl.cc --- squid-3/helpers/external_acl/kerberos_ldap_group/support_sasl.cc 1970-01-01 01:00:00.000000000 +0100 +++ squid-3-krb5/helpers/external_acl/kerberos_ldap_group/support_sasl.cc 2010-06-05 13:16:50.000000000 +0100 @@ -0,0 +1,300 @@ +/* + * ----------------------------------------------------------------------------- + * + * Author: Markus Moeller (markus_moeller at compuserve.com) + * + * Copyright (C) 2007 Markus Moeller. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA. + * + * ----------------------------------------------------------------------------- + */ + +#include "config.h" +#include "util.h" + +#ifdef HAVE_LDAP + +#include "support.h" + +#ifdef HAVE_SASL_H +#include +#elif defined(HAVE_SASL_SASL_H) +#include +#elif defined(HAVE_SASL_DARWIN) +typedef struct sasl_interact { + unsigned long id; /* same as client/user callback ID */ + const char *challenge; /* presented to user (e.g. OTP challenge) */ + const char *prompt; /* presented to user (e.g. "Username: ") */ + const char *defresult; /* default result string */ + const void *result; /* set to point to result */ + unsigned len; /* set to length of result */ +} sasl_interact_t; + +#define SASL_CB_USER 0x4001 /* client user identity to login as */ +#define SASL_CB_AUTHNAME 0x4002 /* client authentication name */ +#define SASL_CB_PASS 0x4004 /* client passphrase-based secret */ +#define SASL_CB_ECHOPROMPT 0x4005 /* challenge and client enterred result */ +#define SASL_CB_NOECHOPROMPT 0x4006 /* challenge and client enterred result */ +#define SASL_CB_GETREALM 0x4008 /* realm to attempt authentication in */ +#define SASL_CB_LIST_END 0 /* end of list */ +#endif + +#if defined(HAVE_SASL_H) || defined(HAVE_SASL_SASL_H) || defined(HAVE_SASL_DARWIN) +void *lutil_sasl_defaults( + LDAP * ld, + char *mech, + char *realm, + char *authcid, + char *passwd, + char *authzid); + +int lutil_sasl_interact( + LDAP * ld, + unsigned flags, + void *defaults, + void *in); + +void lutil_sasl_freedefs( + void *defaults); + + +/* + * SASL definitions for openldap support + */ + + +typedef struct lutil_sasl_defaults_s { + char *mech; + char *realm; + char *authcid; + char *passwd; + char *authzid; + char **resps; + int nresps; +} lutilSASLdefaults; + +void * +lutil_sasl_defaults( + LDAP * ld, + char *mech, + char *realm, + char *authcid, + char *passwd, + char *authzid) +{ + lutilSASLdefaults *defaults; + + defaults = (lutilSASLdefaults *) xmalloc(sizeof(lutilSASLdefaults)); + + if (defaults == NULL) + return NULL; + + defaults->mech = mech ? xstrdup(mech) : NULL; + defaults->realm = realm ? xstrdup(realm) : NULL; + defaults->authcid = authcid ? xstrdup(authcid) : NULL; + defaults->passwd = passwd ? xstrdup(passwd) : NULL; + defaults->authzid = authzid ? xstrdup(authzid) : NULL; + + if (defaults->mech == NULL) { + ldap_get_option(ld, LDAP_OPT_X_SASL_MECH, &defaults->mech); + } + if (defaults->realm == NULL) { + ldap_get_option(ld, LDAP_OPT_X_SASL_REALM, &defaults->realm); + } + if (defaults->authcid == NULL) { + ldap_get_option(ld, LDAP_OPT_X_SASL_AUTHCID, &defaults->authcid); + } + if (defaults->authzid == NULL) { + ldap_get_option(ld, LDAP_OPT_X_SASL_AUTHZID, &defaults->authzid); + } + defaults->resps = NULL; + defaults->nresps = 0; + + return defaults; +} + +static int +interaction( + unsigned flags, + sasl_interact_t * interact, + lutilSASLdefaults * defaults) +{ + const char *dflt = interact->defresult; + + int noecho = 0; + int challenge = 0; + + flags = flags; + switch (interact->id) { + case SASL_CB_GETREALM: + if (defaults) + dflt = defaults->realm; + break; + case SASL_CB_AUTHNAME: + if (defaults) + dflt = defaults->authcid; + break; + case SASL_CB_PASS: + if (defaults) + dflt = defaults->passwd; + noecho = 1; + break; + case SASL_CB_USER: + if (defaults) + dflt = defaults->authzid; + break; + case SASL_CB_NOECHOPROMPT: + noecho = 1; + challenge = 1; + break; + case SASL_CB_ECHOPROMPT: + challenge = 1; + break; + } + + if (dflt && !*dflt) + dflt = NULL; + + /* input must be empty */ + interact->result = (dflt && *dflt) ? dflt : ""; + interact->len = (unsigned) strlen((const char *) interact->result); + + return LDAP_SUCCESS; +} + +int +lutil_sasl_interact( + LDAP * ld, + unsigned flags, + void *defaults, + void *in) +{ + sasl_interact_t *interact = (sasl_interact_t *) in; + + if (ld == NULL) + return LDAP_PARAM_ERROR; + + while (interact->id != SASL_CB_LIST_END) { + int rc = interaction(flags, interact, (lutilSASLdefaults *) defaults); + + if (rc) + return rc; + interact++; + } + + return LDAP_SUCCESS; +} + +void +lutil_sasl_freedefs( + void *defaults) +{ + lutilSASLdefaults *defs = (lutilSASLdefaults *) defaults; + + if (defs->mech) + xfree(defs->mech); + if (defs->realm) + xfree(defs->realm); + if (defs->authcid) + xfree(defs->authcid); + if (defs->passwd) + xfree(defs->passwd); + if (defs->authzid) + xfree(defs->authzid); + if (defs->resps) + xfree(defs->resps); + + xfree(defs); +} + +int +tool_sasl_bind(LDAP * ld, char *binddn, char *ssl) +{ + /* + * unsigned sasl_flags = LDAP_SASL_AUTOMATIC; + * unsigned sasl_flags = LDAP_SASL_QUIET; + */ + /* + * Avoid SASL messages + */ +#ifdef HAVE_SUN_LDAP_SDK + unsigned sasl_flags = LDAP_SASL_INTERACTIVE; +#else + unsigned sasl_flags = LDAP_SASL_QUIET; +#endif + char *sasl_realm = NULL; + char *sasl_authc_id = NULL; + char *sasl_authz_id = NULL; +#ifdef HAVE_SUN_LDAP_SDK + char *sasl_mech = (char *) "GSSAPI"; +#else + char *sasl_mech = NULL; +#endif + /* + * Force encryption + */ + char *sasl_secprops; + /* + * char *sasl_secprops = (char *)"maxssf=56"; + * char *sasl_secprops = NULL; + */ + struct berval passwd = + {0, NULL}; + void *defaults; + int rc = LDAP_SUCCESS; + + if (ssl) + sasl_secprops = (char *) "maxssf=0"; + else + sasl_secprops = (char *) "maxssf=56"; +/* sasl_secprops = (char *)"maxssf=0"; */ +/* sasl_secprops = (char *)"maxssf=56"; */ + + if (sasl_secprops != NULL) { + rc = ldap_set_option(ld, LDAP_OPT_X_SASL_SECPROPS, + (void *) sasl_secprops); + if (rc != LDAP_SUCCESS) { + fprintf(stderr, "%s| %s: ERROR: Could not set LDAP_OPT_X_SASL_SECPROPS: %s: %s\n", LogTime(), PROGRAM, sasl_secprops, ldap_err2string(rc)); + return rc; + } + } + defaults = lutil_sasl_defaults(ld, + sasl_mech, + sasl_realm, + sasl_authc_id, + passwd.bv_val, + sasl_authz_id); + + rc = ldap_sasl_interactive_bind_s(ld, binddn, + sasl_mech, NULL, NULL, + sasl_flags, lutil_sasl_interact, defaults); + + lutil_sasl_freedefs(defaults); + if (rc != LDAP_SUCCESS) { + fprintf(stderr, "%s| %s: ERROR: ldap_sasl_interactive_bind_s error: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); + } + return rc; +} +#else +void dummy(void); +void +dummy(void) +{ + fprintf(stderr, "%s| %s: ERROR: Dummy function\n", LogTime(), PROGRAM); +} + +#endif +#endif diff -Nur squid-3/helpers/negotiate_auth/kerberos/config.test squid-3-krb5/helpers/negotiate_auth/kerberos/config.test --- squid-3/helpers/negotiate_auth/kerberos/config.test 2010-06-01 01:12:46.000000000 +0100 +++ squid-3-krb5/helpers/negotiate_auth/kerberos/config.test 2010-06-05 13:16:50.000000000 +0100 @@ -1,6 +1,6 @@ #!/bin/sh # Don't build without gssapi.h -if test -f /usr/include/gssapi/gssapi.h || test -f /usr/include/gssapi.h ; then +if test -f /usr/include/gssapi/gssapi.h || test -f /usr/include/gssapi.h || test -f /usr/include/kerberosV/gssapi.h ; then exit 0 fi exit 1 diff -Nur squid-3/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.8 squid-3-krb5/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.8 --- squid-3/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.8 1970-01-01 01:00:00.000000000 +0100 +++ squid-3-krb5/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.8 2010-06-05 13:16:50.000000000 +0100 @@ -0,0 +1,132 @@ +.if !'po4a'hide' .TH negotiate_kerberos_auth 8 +. +.SH NAME +.if !'po4a'hide' .B negotiate_kerberos_auth +.if !'po4a'hide' \- +Squid kerberos based authentication helper +.PP +Version 3.0.2sq +. +.SH SYNOPSIS +.if !'po4a'hide' .B negotiate_kerberos_auth +.if !'po4a'hide' .B [\-h] [\-d] [\-i] [\-r] [\-s Service-Principal-Name] +. +.SH DESCRIPTION +.B negotiate_kerberos_auth +is an installed binary and allows Squid to authenticate users via the Negotiate +protocol and Kerberos. + +.SH OPTIONS +.if !'po4a'hide' .TP 12 +.if !'po4a'hide' .B \-h +Display the binary help and command line syntax info using stderr. +.if !'po4a'hide' .TP 12 +.if !'po4a'hide' .B \-d +Write debug messages to stderr. +.if !'po4a'hide' .TP 12 +.if !'po4a'hide' .B \-i +Write informational messages to stderr. +.if !'po4a'hide' .TP 12 +.if !'po4a'hide' .B \-r +Remove realm from username before returning the username to squid. +.if !'po4a'hide' .TP 12 +.if !'po4a'hide' .B \-s Service-Principal-name +Provide Service Principal Name. +. +.SH CONFIGURATION +.PP See FAQ wiki page for examples of how to write configuration snippets. (TBD) +.PP +This helper is intended to be used as an +.B external_acl_type +helper in +.B squid.conf. +.if !'po4a'hide' .P +.if !'po4a'hide' .ft CR +.if !'po4a'hide' .nf +.if !'po4a'hide' auth_param negotiate program /path/to/negotiate_kerberos_auth +.if !'po4a'hide' .br +.if !'po4a'hide' auth_param negotiate children 10 +.if !'po4a'hide' .br +.if !'po4a'hide' auth_param negotiate keep_alive on +.if !'po4a'hide' .fi +.if !'po4a'hide' .ft +.PP +.B NOTE: +The following squid startup file modification may be required: + +Add the following lines to the squid startup script to point squid to a keytab file which +contains the HTTP/fqdn service principal for the default Kerberos domain. The fqdn must be +the proxy name set in IE or firefox. You can not use an IP address. + +KRB5_KTNAME=/etc/squid/HTTP.keytab +export KRB5_KTNAME + +If you use a different Kerberos domain than the machine itself is in you can point squid to +the seperate Kerberos config file by setting the following environmnet variable in the startup +script. + +KRB5_CONFIG=/etc/krb5-squid.conf +export KRB5_CONFIG + +Kerberos can keep a replay cache to detect the reuse of Kerberos tickets (usually only possible +in a 5 minute window) . If squid is under high load with Negotiate(Kerberos) proxy authentication +requests the replay cache checks can create high CPU load. If the environment does not require +high security the replay cache check can be disabled for MIT based Kerberos implementations by +adding the following to the startup script + +KRB5RCACHETYPE=none +export KRB5RCACHETYPE + +If negotiate_kerberos_auth doesn't determine for some reason the right service principal you can provide +it with -s HTTP/fqdn. + +If you serve multiple Kerberos realms add a HTTP/fqdn@REALM service principal per realm to the +HTTP.keytab file and use the -s GSS_C_NO_NAME option with negotiate_kerberos_auth. + +. +.SH AUTHOR +This program was written by +.if !'po4a'hide' .I Markus Moeller +.PP +This manual was written by +.if !'po4a'hide' .I Markus Moeller +. +.SH COPYRIGHT +This program and documentation is copyright to the authors named above. +.PP +Distributed under the GNU General Public License (GNU GPL) version 2 or later (GPLv2+). +. +.SH QUESTIONS +Questions on the usage of this program can be sent to the +.I Squid Users mailing list +.if !'po4a'hide' +. +.SH REPORTING BUGS +Bug reports need to be made in English. +See http://wiki.squid-cache.org/SquidFaq/BugReporting for details of what you need to include with your bug report. +.PP +Report bugs or bug fixes using http://bugs.squid-cache.org/ +.PP +Report serious security bugs to +.I Squid Bugs +.PP +Report ideas for new improvements to the +.I Squid Developers mailing list +.if !'po4a'hide' +. +.SH SEE ALSO +.if !'po4a'hide' .BR squid "(8) " +.if !'po4a'hide' .BR kerberos_ldap_group "(8) " +.br +.BR RFC4559" - SPNEGO-based Kerberos and NTLM HTTP Authentication in Microsoft Windows," +.br +.BR RFC2478" - The Simple and Protected GSS-API Negotiation Mechanism," +.br +.BR RFC1964" - The Kerberos Version 5 GSS-API Mechanism," +.br +The Squid FAQ wiki +.if !'po4a'hide' http://wiki.squid-cache.org/SquidFaq +.br +The Squid Configuration Manual +.if !'po4a'hide' http://www.squid-cache.org/Doc/config/ +.if !'po4a'hide' http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos diff -Nur squid-3/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth-logging.patch squid-3-krb5/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth-logging.patch --- squid-3/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth-logging.patch 2010-02-09 19:17:07.000000000 +0000 +++ squid-3-krb5/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth-logging.patch 1970-01-01 01:00:00.000000000 +0100 @@ -1,216 +0,0 @@ ---- negotiate_kerberos_auth.cc 2010-02-09 19:16:27.000000000 +0000 -+++ negotiate_kerberos_auth-new.cc 2010-02-09 19:16:03.000000000 +0000 -@@ -120,14 +120,14 @@ - - rc = gethostname(hostname, sysconf(_SC_HOST_NAME_MAX)); - if (rc) { -- fprintf(stderr, "%s| %s: error while resolving hostname '%s'\n", -+ fprintf(stderr, "%s| %s: ERROR: resolving hostname '%s' failed\n", - LogTime(), PROGRAM, hostname); - return NULL; - } - rc = xgetaddrinfo(hostname, NULL, NULL, &hres); - if (rc != 0) { - fprintf(stderr, -- "%s| %s: error while resolving hostname with getaddrinfo: %s\n", -+ "%s| %s: ERROR: resolving hostname with getaddrinfo: %s failed\n", - LogTime(), PROGRAM, xgai_strerror(rc)); - return NULL; - } -@@ -141,7 +141,7 @@ - sizeof(hostname), NULL, 0, 0); - if (rc != 0) { - fprintf(stderr, -- "%s| %s: error while resolving ip address with getnameinfo: %s\n", -+ "%s| %s: ERROR: resolving ip address with getnameinfo: %s failed\n", - LogTime(), PROGRAM, xgai_strerror(rc)); - xfreeaddrinfo(hres); - return NULL; -@@ -199,11 +199,11 @@ - gss_release_buffer(&min_stat, &status_string); - } - if (debug) -- fprintf(stderr, "%s| %s: %s failed: %s\n", LogTime(), PROGRAM, -+ fprintf(stderr, "%s| %s: ERROR: %s failed: %s\n", LogTime(), PROGRAM, - function, buf); - fprintf(stdout, "BH %s failed: %s\n", function, buf); - if (log) -- fprintf(stderr, "%s| %s: User not authenticated\n", LogTime(), -+ fprintf(stderr, "%s| %s: INFO: User not authenticated\n", LogTime(), - PROGRAM); - return (1); - } -@@ -267,13 +267,13 @@ - fprintf(stderr, "default SPN is HTTP/fqdn@DEFAULT_REALM\n"); - exit(0); - default: -- fprintf(stderr, "%s| %s: unknown option: -%c.\n", LogTime(), -+ fprintf(stderr, "%s| %s: WARNING: unknown option: -%c.\n", LogTime(), - PROGRAM, opt); - } - } - - if (debug) -- fprintf(stderr, "%s| %s: Starting version %s\n", LogTime(), PROGRAM, -+ fprintf(stderr, "%s| %s: INFO: Starting version %s\n", LogTime(), PROGRAM, - SQUID_KERB_AUTH_VERSION); - if (service_principal && strcasecmp(service_principal, "GSS_C_NO_NAME")) { - service.value = service_principal; -@@ -282,7 +282,7 @@ - host_name = gethost_name(); - if (!host_name) { - fprintf(stderr, -- "%s| %s: Local hostname could not be determined. Please specify the service principal\n", -+ "%s| %s: FATAL: Local hostname could not be determined. Please specify the service principal\n", - LogTime(), PROGRAM); - fprintf(stdout, "BH hostname error\n"); - exit(-1); -@@ -298,7 +298,7 @@ - if (ferror(stdin)) { - if (debug) - fprintf(stderr, -- "%s| %s: fgets() failed! dying..... errno=%d (%s)\n", -+ "%s| %s: FATAL: fgets() failed! dying..... errno=%d (%s)\n", - LogTime(), PROGRAM, ferror(stdin), - strerror(ferror(stdin))); - -@@ -318,7 +318,7 @@ - } - if (err) { - if (debug) -- fprintf(stderr, "%s| %s: Oversized message\n", LogTime(), -+ fprintf(stderr, "%s| %s: ERROR: Oversized message\n", LogTime(), - PROGRAM); - fprintf(stdout, "BH Oversized message\n"); - err = 0; -@@ -326,12 +326,12 @@ - } - - if (debug) -- fprintf(stderr, "%s| %s: Got '%s' from squid (length: %d).\n", -+ fprintf(stderr, "%s| %s: DEBUG: Got '%s' from squid (length: %d).\n", - LogTime(), PROGRAM, buf, length); - - if (buf[0] == '\0') { - if (debug) -- fprintf(stderr, "%s| %s: Invalid request\n", LogTime(), -+ fprintf(stderr, "%s| %s: ERROR: Invalid request\n", LogTime(), - PROGRAM); - fprintf(stdout, "BH Invalid request\n"); - continue; -@@ -339,7 +339,7 @@ - - if (strlen(buf) < 2) { - if (debug) -- fprintf(stderr, "%s| %s: Invalid request [%s]\n", LogTime(), -+ fprintf(stderr, "%s| %s: ERROR: Invalid request [%s]\n", LogTime(), - PROGRAM, buf); - fprintf(stdout, "BH Invalid request\n"); - continue; -@@ -382,7 +382,7 @@ - - if (strncmp(buf, "YR", 2) && strncmp(buf, "KK", 2)) { - if (debug) -- fprintf(stderr, "%s| %s: Invalid request [%s]\n", LogTime(), -+ fprintf(stderr, "%s| %s: ERROR: Invalid request [%s]\n", LogTime(), - PROGRAM, buf); - fprintf(stdout, "BH Invalid request\n"); - continue; -@@ -395,7 +395,7 @@ - - if (strlen(buf) <= 3) { - if (debug) -- fprintf(stderr, "%s| %s: Invalid negotiate request [%s]\n", -+ fprintf(stderr, "%s| %s: ERROR: Invalid negotiate request [%s]\n", - LogTime(), PROGRAM, buf); - fprintf(stdout, "BH Invalid negotiate request\n"); - continue; -@@ -403,7 +403,7 @@ - - input_token.length = ska_base64_decode_len(buf + 3); - if (debug) -- fprintf(stderr, "%s| %s: Decode '%s' (decoded length: %d).\n", -+ fprintf(stderr, "%s| %s: DEBUG: Decode '%s' (decoded length: %d).\n", - LogTime(), PROGRAM, buf + 3, (int) input_token.length); - input_token.value = xmalloc(input_token.length); - -@@ -413,7 +413,7 @@ - if ((input_token.length >= sizeof ntlmProtocol + 1) && - (!memcmp(input_token.value, ntlmProtocol, sizeof ntlmProtocol))) { - if (debug) -- fprintf(stderr, "%s| %s: received type %d NTLM token\n", -+ fprintf(stderr, "%s| %s: WARNING: received type %d NTLM token\n", - LogTime(), PROGRAM, - (int) *((unsigned char *) input_token.value + - sizeof ntlmProtocol)); -@@ -462,7 +462,7 @@ - token = (char*)xmalloc(ska_base64_encode_len(spnegoTokenLength)); - if (token == NULL) { - if (debug) -- fprintf(stderr, "%s| %s: Not enough memory\n", LogTime(), -+ fprintf(stderr, "%s| %s: ERROR: Not enough memory\n", LogTime(), - PROGRAM); - fprintf(stdout, "BH Not enough memory\n"); - goto cleanup; -@@ -476,7 +476,7 @@ - goto cleanup; - if (major_status & GSS_S_CONTINUE_NEEDED) { - if (debug) -- fprintf(stderr, "%s| %s: continuation needed\n", LogTime(), -+ fprintf(stderr, "%s| %s: INFO: continuation needed\n", LogTime(), - PROGRAM); - fprintf(stdout, "TT %s\n", token); - goto cleanup; -@@ -492,7 +492,7 @@ - user = (char*)xmalloc(output_token.length + 1); - if (user == NULL) { - if (debug) -- fprintf(stderr, "%s| %s: Not enough memory\n", LogTime(), -+ fprintf(stderr, "%s| %s: ERROR: Not enough memory\n", LogTime(), - PROGRAM); - fprintf(stdout, "BH Not enough memory\n"); - goto cleanup; -@@ -504,10 +504,10 @@ - } - fprintf(stdout, "AF %s %s\n", token, user); - if (debug) -- fprintf(stderr, "%s| %s: AF %s %s\n", LogTime(), PROGRAM, token, -+ fprintf(stderr, "%s| %s: DEBUG: AF %s %s\n", LogTime(), PROGRAM, token, - user); - if (log) -- fprintf(stderr, "%s| %s: User %s authenticated\n", LogTime(), -+ fprintf(stderr, "%s| %s: INFO: User %s authenticated\n", LogTime(), - PROGRAM, user); - goto cleanup; - } else { -@@ -516,7 +516,7 @@ - goto cleanup; - if (major_status & GSS_S_CONTINUE_NEEDED) { - if (debug) -- fprintf(stderr, "%s| %s: continuation needed\n", LogTime(), -+ fprintf(stderr, "%s| %s: INFO: continuation needed\n", LogTime(), - PROGRAM); - fprintf(stdout, "NA %s\n", token); - goto cleanup; -@@ -535,7 +535,7 @@ - user = (char*)xmalloc(output_token.length + 1); - if (user == NULL) { - if (debug) -- fprintf(stderr, "%s| %s: Not enough memory\n", LogTime(), -+ fprintf(stderr, "%s| %s: ERROR: Not enough memory\n", LogTime(), - PROGRAM); - fprintf(stdout, "BH Not enough memory\n"); - goto cleanup; -@@ -547,10 +547,10 @@ - } - fprintf(stdout, "AF %s %s\n", "AA==", user); - if (debug) -- fprintf(stderr, "%s| %s: AF %s %s\n", LogTime(), PROGRAM, -+ fprintf(stderr, "%s| %s: DEBUG: AF %s %s\n", LogTime(), PROGRAM, - "AA==", user); - if (log) -- fprintf(stderr, "%s| %s: User %s authenticated\n", LogTime(), -+ fprintf(stderr, "%s| %s: INFO: User %s authenticated\n", LogTime(), - PROGRAM, user); - - } diff -Nur squid-3/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth-new.cc squid-3-krb5/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth-new.cc --- squid-3/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth-new.cc 2010-02-09 19:16:03.000000000 +0000 +++ squid-3-krb5/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth-new.cc 1970-01-01 01:00:00.000000000 +0100 @@ -1,608 +0,0 @@ -/* - * ----------------------------------------------------------------------------- - * - * Author: Markus Moeller (markus_moeller at compuserve.com) - * - * Copyright (C) 2007 Markus Moeller. All rights reserved. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA. - * - * As a special exemption, M Moeller gives permission to link this program - * with MIT, Heimdal or other GSS/Kerberos libraries, and distribute - * the resulting executable, without including the source code for - * the Libraries in the source distribution. - * - * ----------------------------------------------------------------------------- - */ -/* - * Hosted at http://sourceforge.net/projects/squidkerbauth - */ -#include "config.h" - -#if HAVE_GSSAPI - -#if HAVE_STRING_H -#include -#endif -#if HAVE_STDOI_H -#include -#endif -#if HAVE_STDLIB_H -#include -#endif -#if HAVE_NETDB_H -#include -#endif -#if HAVE_UNISTD_H -#include -#endif -#if HAVE_TIME_H -#include -#endif -#if HAVE_SYS_TIME_H -#include -#endif - -#include "util.h" -#include "base64.h" -#include "getaddrinfo.h" -#include "getnameinfo.h" - -#if HAVE_GSSAPI_GSSAPI_H -#include -#elif HAVE_GSSAPI_H -#include -#endif /* HAVE_GSSAPI_GSSAPI_H */ -#if HAVE_GSSAPI_GSSAPI_KRB5_H -#include -#endif /* HAVE_GSSAPI_GSSAPI_KRB5_H */ -#if HAVE_GSSAPI_GSSAPI_GENERIC_H -#include -#endif /* HAVE_GSSAPI_GSSAPI_GENERIC_H */ -#ifndef gss_nt_service_name -#define gss_nt_service_name GSS_C_NT_HOSTBASED_SERVICE -#endif - -#define PROGRAM "negotiate_kerberos_auth" - -#ifndef MAX_AUTHTOKEN_LEN -#define MAX_AUTHTOKEN_LEN 65535 -#endif -#ifndef SQUID_KERB_AUTH_VERSION -#define SQUID_KERB_AUTH_VERSION "3.0.2sq" -#endif - -int check_gss_err(OM_uint32 major_status, OM_uint32 minor_status, - const char *function, int debug, int log); -char *gethost_name(void); -static const char *LogTime(void); - -static const unsigned char ntlmProtocol[] = { 'N', 'T', 'L', 'M', 'S', 'S', 'P', 0 }; - -static const char * -LogTime() -{ - struct tm *tm; - struct timeval now; - static time_t last_t = 0; - static char buf[128]; - - gettimeofday(&now, NULL); - if (now.tv_sec != last_t) { - tm = localtime((time_t *) & now.tv_sec); - strftime(buf, 127, "%Y/%m/%d %H:%M:%S", tm); - last_t = now.tv_sec; - } - return buf; -} - -char * -gethost_name(void) -{ - /* - char hostname[sysconf(_SC_HOST_NAME_MAX)]; - */ - char hostname[1024]; - struct addrinfo *hres = NULL, *hres_list; - int rc, count; - - rc = gethostname(hostname, sysconf(_SC_HOST_NAME_MAX)); - if (rc) { - fprintf(stderr, "%s| %s: ERROR: resolving hostname '%s' failed\n", - LogTime(), PROGRAM, hostname); - return NULL; - } - rc = xgetaddrinfo(hostname, NULL, NULL, &hres); - if (rc != 0) { - fprintf(stderr, - "%s| %s: ERROR: resolving hostname with getaddrinfo: %s failed\n", - LogTime(), PROGRAM, xgai_strerror(rc)); - return NULL; - } - hres_list = hres; - count = 0; - while (hres_list) { - count++; - hres_list = hres_list->ai_next; - } - rc = xgetnameinfo(hres->ai_addr, hres->ai_addrlen, hostname, - sizeof(hostname), NULL, 0, 0); - if (rc != 0) { - fprintf(stderr, - "%s| %s: ERROR: resolving ip address with getnameinfo: %s failed\n", - LogTime(), PROGRAM, xgai_strerror(rc)); - xfreeaddrinfo(hres); - return NULL; - } - - xfreeaddrinfo(hres); - hostname[sysconf(_SC_HOST_NAME_MAX) - 1] = '\0'; - return (xstrdup(hostname)); -} - -int -check_gss_err(OM_uint32 major_status, OM_uint32 minor_status, - const char *function, int debug, int log) -{ - if (GSS_ERROR(major_status)) { - OM_uint32 maj_stat, min_stat; - OM_uint32 msg_ctx = 0; - gss_buffer_desc status_string; - char buf[1024]; - size_t len; - - len = 0; - msg_ctx = 0; - while (!msg_ctx) { - /* convert major status code (GSS-API error) to text */ - maj_stat = gss_display_status(&min_stat, major_status, - GSS_C_GSS_CODE, GSS_C_NULL_OID, &msg_ctx, &status_string); - if (maj_stat == GSS_S_COMPLETE) { - if (sizeof(buf) > len + status_string.length + 1) { - sprintf(buf + len, "%s", (char *) status_string.value); - len += status_string.length; - } - gss_release_buffer(&min_stat, &status_string); - break; - } - gss_release_buffer(&min_stat, &status_string); - } - if (sizeof(buf) > len + 2) { - sprintf(buf + len, "%s", ". "); - len += 2; - } - msg_ctx = 0; - while (!msg_ctx) { - /* convert minor status code (underlying routine error) to text */ - maj_stat = gss_display_status(&min_stat, minor_status, - GSS_C_MECH_CODE, GSS_C_NULL_OID, &msg_ctx, &status_string); - if (maj_stat == GSS_S_COMPLETE) { - if (sizeof(buf) > len + status_string.length) { - sprintf(buf + len, "%s", (char *) status_string.value); - len += status_string.length; - } - gss_release_buffer(&min_stat, &status_string); - break; - } - gss_release_buffer(&min_stat, &status_string); - } - if (debug) - fprintf(stderr, "%s| %s: ERROR: %s failed: %s\n", LogTime(), PROGRAM, - function, buf); - fprintf(stdout, "BH %s failed: %s\n", function, buf); - if (log) - fprintf(stderr, "%s| %s: INFO: User not authenticated\n", LogTime(), - PROGRAM); - return (1); - } - return (0); -} - - - -int -main(int argc, char *const argv[]) -{ - char buf[MAX_AUTHTOKEN_LEN]; - char *c, *p; - char *user = NULL; - int length = 0; - static int err = 0; - int opt, debug = 0, log = 0, norealm = 0; - OM_uint32 ret_flags = 0, spnego_flag = 0; - char *service_name = (char *) "HTTP", *host_name = NULL; - char *token = NULL; - char *service_principal = NULL; - OM_uint32 major_status, minor_status; - gss_ctx_id_t gss_context = GSS_C_NO_CONTEXT; - gss_name_t client_name = GSS_C_NO_NAME; - gss_name_t server_name = GSS_C_NO_NAME; - gss_cred_id_t server_creds = GSS_C_NO_CREDENTIAL; - gss_buffer_desc service = GSS_C_EMPTY_BUFFER; - gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER; - gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER; - const unsigned char *kerberosToken = NULL; - const unsigned char *spnegoToken = NULL; - size_t spnegoTokenLength = 0; - - setbuf(stdout, NULL); - setbuf(stdin, NULL); - - while (-1 != (opt = getopt(argc, argv, "dirs:h"))) { - switch (opt) { - case 'd': - debug = 1; - break; - case 'i': - log = 1; - break; - case 'r': - norealm = 1; - break; - case 's': - service_principal = xstrdup(optarg); - break; - case 'h': - fprintf(stderr, "Usage: \n"); - fprintf(stderr, "squid_kerb_auth [-d] [-i] [-s SPN] [-h]\n"); - fprintf(stderr, "-d full debug\n"); - fprintf(stderr, "-i informational messages\n"); - fprintf(stderr, "-r remove realm from username\n"); - fprintf(stderr, "-s service principal name\n"); - fprintf(stderr, "-h help\n"); - fprintf(stderr, - "The SPN can be set to GSS_C_NO_NAME to allow any entry from keytab\n"); - fprintf(stderr, "default SPN is HTTP/fqdn@DEFAULT_REALM\n"); - exit(0); - default: - fprintf(stderr, "%s| %s: WARNING: unknown option: -%c.\n", LogTime(), - PROGRAM, opt); - } - } - - if (debug) - fprintf(stderr, "%s| %s: INFO: Starting version %s\n", LogTime(), PROGRAM, - SQUID_KERB_AUTH_VERSION); - if (service_principal && strcasecmp(service_principal, "GSS_C_NO_NAME")) { - service.value = service_principal; - service.length = strlen((char *) service.value); - } else { - host_name = gethost_name(); - if (!host_name) { - fprintf(stderr, - "%s| %s: FATAL: Local hostname could not be determined. Please specify the service principal\n", - LogTime(), PROGRAM); - fprintf(stdout, "BH hostname error\n"); - exit(-1); - } - service.value = xmalloc(strlen(service_name) + strlen(host_name) + 2); - snprintf((char*)service.value, strlen(service_name) + strlen(host_name) + 2, - "%s@%s", service_name, host_name); - service.length = strlen((char *) service.value); - } - - while (1) { - if (fgets(buf, sizeof(buf) - 1, stdin) == NULL) { - if (ferror(stdin)) { - if (debug) - fprintf(stderr, - "%s| %s: FATAL: fgets() failed! dying..... errno=%d (%s)\n", - LogTime(), PROGRAM, ferror(stdin), - strerror(ferror(stdin))); - - fprintf(stdout, "BH input error\n"); - exit(1); /* BIIG buffer */ - } - fprintf(stdout, "BH input error\n"); - exit(0); - } - - c = (char*)memchr(buf, '\n', sizeof(buf) - 1); - if (c) { - *c = '\0'; - length = c - buf; - } else { - err = 1; - } - if (err) { - if (debug) - fprintf(stderr, "%s| %s: ERROR: Oversized message\n", LogTime(), - PROGRAM); - fprintf(stdout, "BH Oversized message\n"); - err = 0; - continue; - } - - if (debug) - fprintf(stderr, "%s| %s: DEBUG: Got '%s' from squid (length: %d).\n", - LogTime(), PROGRAM, buf, length); - - if (buf[0] == '\0') { - if (debug) - fprintf(stderr, "%s| %s: ERROR: Invalid request\n", LogTime(), - PROGRAM); - fprintf(stdout, "BH Invalid request\n"); - continue; - } - - if (strlen(buf) < 2) { - if (debug) - fprintf(stderr, "%s| %s: ERROR: Invalid request [%s]\n", LogTime(), - PROGRAM, buf); - fprintf(stdout, "BH Invalid request\n"); - continue; - } - - if (!strncmp(buf, "QQ", 2)) { - gss_release_buffer(&minor_status, &input_token); - gss_release_buffer(&minor_status, &output_token); - gss_release_buffer(&minor_status, &service); - gss_release_cred(&minor_status, &server_creds); - if (server_name) - gss_release_name(&minor_status, &server_name); - if (client_name) - gss_release_name(&minor_status, &client_name); - if (gss_context != GSS_C_NO_CONTEXT) - gss_delete_sec_context(&minor_status, &gss_context, NULL); - if (kerberosToken) { - /* Allocated by parseNegTokenInit, but no matching free function exists.. */ - if (!spnego_flag) - xfree((char *) kerberosToken); - kerberosToken = NULL; - } - if (spnego_flag) { - /* Allocated by makeNegTokenTarg, but no matching free function exists.. */ - if (spnegoToken) - xfree((char *) spnegoToken); - spnegoToken = NULL; - } - if (token) { - xfree(token); - token = NULL; - } - if (host_name) { - xfree(host_name); - host_name = NULL; - } - fprintf(stdout, "BH quit command\n"); - exit(0); - } - - if (strncmp(buf, "YR", 2) && strncmp(buf, "KK", 2)) { - if (debug) - fprintf(stderr, "%s| %s: ERROR: Invalid request [%s]\n", LogTime(), - PROGRAM, buf); - fprintf(stdout, "BH Invalid request\n"); - continue; - } - if (!strncmp(buf, "YR", 2)) { - if (gss_context != GSS_C_NO_CONTEXT) - gss_delete_sec_context(&minor_status, &gss_context, NULL); - gss_context = GSS_C_NO_CONTEXT; - } - - if (strlen(buf) <= 3) { - if (debug) - fprintf(stderr, "%s| %s: ERROR: Invalid negotiate request [%s]\n", - LogTime(), PROGRAM, buf); - fprintf(stdout, "BH Invalid negotiate request\n"); - continue; - } - - input_token.length = ska_base64_decode_len(buf + 3); - if (debug) - fprintf(stderr, "%s| %s: DEBUG: Decode '%s' (decoded length: %d).\n", - LogTime(), PROGRAM, buf + 3, (int) input_token.length); - input_token.value = xmalloc(input_token.length); - - ska_base64_decode((char*)input_token.value, buf + 3, input_token.length); - - - if ((input_token.length >= sizeof ntlmProtocol + 1) && - (!memcmp(input_token.value, ntlmProtocol, sizeof ntlmProtocol))) { - if (debug) - fprintf(stderr, "%s| %s: WARNING: received type %d NTLM token\n", - LogTime(), PROGRAM, - (int) *((unsigned char *) input_token.value + - sizeof ntlmProtocol)); - fprintf(stdout, "BH received type %d NTLM token\n", - (int) *((unsigned char *) input_token.value + - sizeof ntlmProtocol)); - goto cleanup; - } - - if (service_principal) { - if (strcasecmp(service_principal, "GSS_C_NO_NAME")) { - major_status = gss_import_name(&minor_status, &service, - (gss_OID) GSS_C_NULL_OID, &server_name); - - } else { - server_name = GSS_C_NO_NAME; - major_status = GSS_S_COMPLETE; - } - } else { - major_status = gss_import_name(&minor_status, &service, - gss_nt_service_name, &server_name); - } - - if (check_gss_err(major_status, minor_status, "gss_import_name()", - debug, log)) - goto cleanup; - - major_status = - gss_acquire_cred(&minor_status, server_name, GSS_C_INDEFINITE, - GSS_C_NO_OID_SET, GSS_C_ACCEPT, &server_creds, NULL, NULL); - if (check_gss_err(major_status, minor_status, "gss_acquire_cred()", - debug, log)) - goto cleanup; - - major_status = gss_accept_sec_context(&minor_status, - &gss_context, - server_creds, - &input_token, - GSS_C_NO_CHANNEL_BINDINGS, - &client_name, NULL, &output_token, &ret_flags, NULL, NULL); - - - if (output_token.length) { - spnegoToken = (const unsigned char*)output_token.value; - spnegoTokenLength = output_token.length; - token = (char*)xmalloc(ska_base64_encode_len(spnegoTokenLength)); - if (token == NULL) { - if (debug) - fprintf(stderr, "%s| %s: ERROR: Not enough memory\n", LogTime(), - PROGRAM); - fprintf(stdout, "BH Not enough memory\n"); - goto cleanup; - } - - ska_base64_encode(token, (const char *) spnegoToken, - ska_base64_encode_len(spnegoTokenLength), spnegoTokenLength); - - if (check_gss_err(major_status, minor_status, - "gss_accept_sec_context()", debug, log)) - goto cleanup; - if (major_status & GSS_S_CONTINUE_NEEDED) { - if (debug) - fprintf(stderr, "%s| %s: INFO: continuation needed\n", LogTime(), - PROGRAM); - fprintf(stdout, "TT %s\n", token); - goto cleanup; - } - gss_release_buffer(&minor_status, &output_token); - major_status = - gss_display_name(&minor_status, client_name, &output_token, - NULL); - - if (check_gss_err(major_status, minor_status, "gss_display_name()", - debug, log)) - goto cleanup; - user = (char*)xmalloc(output_token.length + 1); - if (user == NULL) { - if (debug) - fprintf(stderr, "%s| %s: ERROR: Not enough memory\n", LogTime(), - PROGRAM); - fprintf(stdout, "BH Not enough memory\n"); - goto cleanup; - } - memcpy(user, output_token.value, output_token.length); - user[output_token.length] = '\0'; - if (norealm && (p = strchr(user, '@')) != NULL) { - *p = '\0'; - } - fprintf(stdout, "AF %s %s\n", token, user); - if (debug) - fprintf(stderr, "%s| %s: DEBUG: AF %s %s\n", LogTime(), PROGRAM, token, - user); - if (log) - fprintf(stderr, "%s| %s: INFO: User %s authenticated\n", LogTime(), - PROGRAM, user); - goto cleanup; - } else { - if (check_gss_err(major_status, minor_status, - "gss_accept_sec_context()", debug, log)) - goto cleanup; - if (major_status & GSS_S_CONTINUE_NEEDED) { - if (debug) - fprintf(stderr, "%s| %s: INFO: continuation needed\n", LogTime(), - PROGRAM); - fprintf(stdout, "NA %s\n", token); - goto cleanup; - } - gss_release_buffer(&minor_status, &output_token); - major_status = - gss_display_name(&minor_status, client_name, &output_token, - NULL); - - if (check_gss_err(major_status, minor_status, "gss_display_name()", - debug, log)) - goto cleanup; - /* - * Return dummy token AA. May need an extra return tag then AF - */ - user = (char*)xmalloc(output_token.length + 1); - if (user == NULL) { - if (debug) - fprintf(stderr, "%s| %s: ERROR: Not enough memory\n", LogTime(), - PROGRAM); - fprintf(stdout, "BH Not enough memory\n"); - goto cleanup; - } - memcpy(user, output_token.value, output_token.length); - user[output_token.length] = '\0'; - if (norealm && (p = strchr(user, '@')) != NULL) { - *p = '\0'; - } - fprintf(stdout, "AF %s %s\n", "AA==", user); - if (debug) - fprintf(stderr, "%s| %s: DEBUG: AF %s %s\n", LogTime(), PROGRAM, - "AA==", user); - if (log) - fprintf(stderr, "%s| %s: INFO: User %s authenticated\n", LogTime(), - PROGRAM, user); - - } -cleanup: - gss_release_buffer(&minor_status, &input_token); - gss_release_buffer(&minor_status, &output_token); - gss_release_cred(&minor_status, &server_creds); - if (server_name) - gss_release_name(&minor_status, &server_name); - if (client_name) - gss_release_name(&minor_status, &client_name); - if (kerberosToken) { - /* Allocated by parseNegTokenInit, but no matching free function exists.. */ - if (!spnego_flag) - xfree((char *) kerberosToken); - kerberosToken = NULL; - } - if (spnego_flag) { - /* Allocated by makeNegTokenTarg, but no matching free function exists.. */ - if (spnegoToken) - xfree((char *) spnegoToken); - spnegoToken = NULL; - } - if (token) { - xfree(token); - token = NULL; - } - if (user) { - xfree(user); - user = NULL; - } - continue; - } -} -#else -#include -#include -#ifndef MAX_AUTHTOKEN_LEN -#define MAX_AUTHTOKEN_LEN 65535 -#endif -int -main(int argc, char *const argv[]) -{ - setbuf(stdout, NULL); - setbuf(stdin, NULL); - char buf[MAX_AUTHTOKEN_LEN]; - while (1) { - if (fgets(buf, sizeof(buf) - 1, stdin) == NULL) { - fprintf(stdout, "BH input error\n"); - exit(0); - } - fprintf(stdout, "BH Kerberos authentication not supported\n"); - } -} -#endif /* HAVE_GSSAPI */