squid/squid-brokenad.patch

107 lines
4.6 KiB
Diff
Raw Normal View History

Index: helpers/external_acl/kerberos_ldap_group/support_krb5.cc
===================================================================
--- helpers/external_acl/kerberos_ldap_group/support_krb5.cc.orig
+++ helpers/external_acl/kerberos_ldap_group/support_krb5.cc
@@ -80,7 +80,7 @@ k5_error(const char* msg, krb5_error_cod
* create Kerberos memory cache
*/
int
-krb5_create_cache(char *domain)
+krb5_create_cache(struct main_args *margs, char *domain)
{
krb5_keytab keytab = NULL;
@@ -288,8 +288,17 @@ krb5_create_cache(char *domain)
if (code) {
k5_error("Error while unparsing principal name",code);
} else {
- debug((char *) "%s| %s: DEBUG: Found principal name: %s\n", LogTime(), PROGRAM, principal_name);
- found = 1;
+ if (margs->brokenad == 1) {
+ if (!strncmp(principal_name,"HTTP/",strlen("HTTP/"))==0){
+ debug((char *) "%s| %s: DEBUG: Found principal without 'HTTP/' service name: %s NOT USING IT\n", LogTime(), PROGRAM, principal_name);
+ } else {
+ debug((char *) "%s| %s: DEBUG: Found principal with 'HTTP/' service name: %s\n", LogTime(), PROGRAM, principal_name);
+ found = 1;
+ }
+ } else {
+ debug((char *) "%s| %s: DEBUG: Found principal name: %s\n", LogTime(), PROGRAM, principal_name);
+ found = 1;
+ }
}
}
#if USE_HEIMDAL_KRB5 || ( HAVE_KRB5_KT_FREE_ENTRY && HAVE_DECL_KRB5_KT_FREE_ENTRY )
Index: helpers/external_acl/kerberos_ldap_group/kerberos_ldap_group.cc
===================================================================
--- helpers/external_acl/kerberos_ldap_group/kerberos_ldap_group.cc.orig
+++ helpers/external_acl/kerberos_ldap_group/kerberos_ldap_group.cc
@@ -79,6 +79,7 @@ init_args(struct main_args *margs)
margs->AD = 0;
margs->mdepth = 5;
margs->nokerberos = 0;
+ margs->brokenad = 0;
margs->ddomain = NULL;
margs->groups = NULL;
margs->ndoms = NULL;
@@ -202,7 +203,7 @@ main(int argc, char *const argv[])
init_args(&margs);
- while (-1 != (opt = getopt(argc, argv, "diasng:D:N:S:u:U:t:T:p:l:b:m:h"))) {
+ while (-1 != (opt = getopt(argc, argv, "diasnxg:D:N:S:u:U:t:T:p:l:b:m:h"))) {
switch (opt) {
case 'd':
debug_enabled = 1;
@@ -219,6 +220,9 @@ main(int argc, char *const argv[])
case 'n':
margs.nokerberos = 1;
break;
+ case 'x':
+ margs.brokenad = 1;
+ break;
case 'g':
margs.glist = xstrdup(optarg);
break;
@@ -274,6 +278,7 @@ main(int argc, char *const argv[])
fprintf(stderr, "-l ldap url\n");
fprintf(stderr, "-b ldap bind path\n");
fprintf(stderr, "-s use SSL encryption with Kerberos authentication\n");
+ fprintf(stderr, "-x force use of HTTP/ principal on ms ad 2008\n");
fprintf(stderr, "-a allow SSL without cert verification\n");
fprintf(stderr, "-m maximal depth for recursive searches\n");
fprintf(stderr, "-h help\n");
Index: helpers/external_acl/kerberos_ldap_group/support.h
===================================================================
--- helpers/external_acl/kerberos_ldap_group/support.h.orig
+++ helpers/external_acl/kerberos_ldap_group/support.h
@@ -106,6 +106,7 @@ struct main_args {
int AD;
int mdepth;
int nokerberos;
+ int brokenad;
char *ddomain;
struct gdstruct *groups;
struct ndstruct *ndoms;
@@ -181,7 +182,7 @@ struct kstruct {
char* mem_ccache[MAX_DOMAINS];
int ncache;
};
-int krb5_create_cache(char *domain);
+int krb5_create_cache(struct main_args *margs, char *domain);
void krb5_cleanup(void);
#endif
Index: helpers/external_acl/kerberos_ldap_group/support_ldap.cc
===================================================================
--- helpers/external_acl/kerberos_ldap_group/support_ldap.cc.orig
+++ helpers/external_acl/kerberos_ldap_group/support_ldap.cc
@@ -902,7 +902,7 @@ get_memberof(struct main_args *margs, ch
kc = 1;
debug((char *) "%s| %s: DEBUG: Kerberos is disabled. Use username/password with ldap url instead\n", LogTime(), PROGRAM);
} else {
- kc = krb5_create_cache(domain);
+ kc = krb5_create_cache(margs,domain);
if (kc) {
error((char *) "%s| %s: ERROR: Error during setup of Kerberos credential cache\n", LogTime(), PROGRAM);
}