2014-03-16 14:39:08 +01:00
|
|
|
Index: helpers/external_acl/kerberos_ldap_group/support_krb5.cc
|
|
|
|
===================================================================
|
2014-03-17 00:52:40 +01:00
|
|
|
--- helpers/external_acl/kerberos_ldap_group/support_krb5.cc.orig
|
|
|
|
+++ helpers/external_acl/kerberos_ldap_group/support_krb5.cc
|
2015-04-26 13:20:33 +02:00
|
|
|
@@ -81,7 +81,7 @@ k5_error(const char* msg, krb5_error_cod
|
2014-03-16 14:39:08 +01:00
|
|
|
* create Kerberos memory cache
|
|
|
|
*/
|
|
|
|
int
|
|
|
|
-krb5_create_cache(char *domain)
|
|
|
|
+krb5_create_cache(struct main_args *margs, char *domain)
|
|
|
|
{
|
|
|
|
|
|
|
|
krb5_keytab keytab = 0;
|
2015-04-26 13:20:33 +02:00
|
|
|
@@ -178,8 +178,17 @@ krb5_create_cache(char *domain)
|
2014-03-16 14:39:08 +01:00
|
|
|
if (code) {
|
2015-04-26 13:20:33 +02:00
|
|
|
k5_error("Error while unparsing principal name",code);
|
2014-03-16 14:39:08 +01:00
|
|
|
} else {
|
|
|
|
- debug((char *) "%s| %s: DEBUG: Found principal name: %s\n", LogTime(), PROGRAM, principal_name);
|
|
|
|
- found = 1;
|
|
|
|
+ if (margs->brokenad == 1) {
|
|
|
|
+ if (!strncmp(principal_name,"HTTP/",strlen("HTTP/"))==0){
|
|
|
|
+ debug((char *) "%s| %s: DEBUG: Found principal without 'HTTP/' service name: %s NOT USING IT\n", LogTime(), PROGRAM, principal_name);
|
|
|
|
+ } else {
|
|
|
|
+ debug((char *) "%s| %s: DEBUG: Found principal with 'HTTP/' service name: %s\n", LogTime(), PROGRAM, principal_name);
|
|
|
|
+ found = 1;
|
|
|
|
+ }
|
|
|
|
+ } else {
|
|
|
|
+ debug((char *) "%s| %s: DEBUG: Found principal name: %s\n", LogTime(), PROGRAM, principal_name);
|
|
|
|
+ found = 1;
|
|
|
|
+ }
|
|
|
|
}
|
|
|
|
}
|
2015-04-26 13:20:33 +02:00
|
|
|
#if USE_HEIMDAL_KRB5 || ( HAVE_KRB5_KT_FREE_ENTRY && HAVE_DECL_KRB5_KT_FREE_ENTRY )
|
2014-03-16 14:39:08 +01:00
|
|
|
Index: helpers/external_acl/kerberos_ldap_group/kerberos_ldap_group.cc
|
|
|
|
===================================================================
|
2014-03-17 00:52:40 +01:00
|
|
|
--- helpers/external_acl/kerberos_ldap_group/kerberos_ldap_group.cc.orig
|
|
|
|
+++ helpers/external_acl/kerberos_ldap_group/kerberos_ldap_group.cc
|
2015-04-26 13:20:33 +02:00
|
|
|
@@ -61,6 +61,7 @@ init_args(struct main_args *margs)
|
2014-03-16 14:39:08 +01:00
|
|
|
margs->rc_allow = 0;
|
|
|
|
margs->AD = 0;
|
|
|
|
margs->mdepth = 5;
|
|
|
|
+ margs->brokenad = 0;
|
|
|
|
margs->ddomain = NULL;
|
|
|
|
margs->groups = NULL;
|
|
|
|
margs->ndoms = NULL;
|
2015-04-26 13:20:33 +02:00
|
|
|
@@ -179,7 +180,7 @@ main(int argc, char *const argv[])
|
2014-03-16 14:39:08 +01:00
|
|
|
|
|
|
|
init_args(&margs);
|
|
|
|
|
|
|
|
- while (-1 != (opt = getopt(argc, argv, "diasg:D:N:S:u:U:t:T:p:l:b:m:h"))) {
|
|
|
|
+ while (-1 != (opt = getopt(argc, argv, "diasxg:D:N:S:u:U:t:T:p:l:b:m:h"))) {
|
|
|
|
switch (opt) {
|
|
|
|
case 'd':
|
|
|
|
debug_enabled = 1;
|
2015-04-26 13:20:33 +02:00
|
|
|
@@ -231,6 +232,9 @@ main(int argc, char *const argv[])
|
2014-03-16 14:39:08 +01:00
|
|
|
case 'S':
|
|
|
|
margs.llist = xstrdup(optarg);
|
|
|
|
break;
|
|
|
|
+ case 'x':
|
|
|
|
+ margs.brokenad = 1;
|
|
|
|
+ break;
|
|
|
|
case 'h':
|
|
|
|
fprintf(stderr, "Usage: \n");
|
|
|
|
fprintf(stderr, "squid_kerb_ldap [-d] [-i] -g group list [-D domain] [-N netbios domain map] [-s] [-u ldap user] [-p ldap user password] [-l ldap url] [-b ldap bind path] [-a] [-m max depth] [-h]\n");
|
2015-04-26 13:20:33 +02:00
|
|
|
@@ -247,6 +251,7 @@ main(int argc, char *const argv[])
|
2014-03-16 14:39:08 +01:00
|
|
|
fprintf(stderr, "-l ldap url\n");
|
|
|
|
fprintf(stderr, "-b ldap bind path\n");
|
|
|
|
fprintf(stderr, "-s use SSL encryption with Kerberos authentication\n");
|
|
|
|
+ fprintf(stderr, "-x force use of HTTP/ principal on ms ad 2008\n");
|
|
|
|
fprintf(stderr, "-a allow SSL without cert verification\n");
|
|
|
|
fprintf(stderr, "-m maximal depth for recursive searches\n");
|
|
|
|
fprintf(stderr, "-h help\n");
|
|
|
|
Index: helpers/external_acl/kerberos_ldap_group/support.h
|
|
|
|
===================================================================
|
2014-03-17 00:52:40 +01:00
|
|
|
--- helpers/external_acl/kerberos_ldap_group/support.h.orig
|
|
|
|
+++ helpers/external_acl/kerberos_ldap_group/support.h
|
2015-05-22 20:22:37 +02:00
|
|
|
@@ -105,6 +105,7 @@ struct main_args {
|
2014-03-16 14:39:08 +01:00
|
|
|
int rc_allow;
|
|
|
|
int AD;
|
|
|
|
int mdepth;
|
|
|
|
+ int brokenad;
|
|
|
|
char *ddomain;
|
|
|
|
struct gdstruct *groups;
|
|
|
|
struct ndstruct *ndoms;
|
2015-05-22 20:22:37 +02:00
|
|
|
@@ -164,7 +165,7 @@ int create_nd(struct main_args *margs);
|
2014-03-16 14:39:08 +01:00
|
|
|
int create_ls(struct main_args *margs);
|
|
|
|
|
|
|
|
#ifdef HAVE_KRB5
|
|
|
|
-int krb5_create_cache(char *domain);
|
|
|
|
+int krb5_create_cache(struct main_args *margs, char *domain);
|
|
|
|
void krb5_cleanup(void);
|
|
|
|
#endif
|
|
|
|
|
|
|
|
Index: helpers/external_acl/kerberos_ldap_group/support_ldap.cc
|
|
|
|
===================================================================
|
2014-03-17 00:52:40 +01:00
|
|
|
--- helpers/external_acl/kerberos_ldap_group/support_ldap.cc.orig
|
|
|
|
+++ helpers/external_acl/kerberos_ldap_group/support_ldap.cc
|
2015-05-22 20:22:37 +02:00
|
|
|
@@ -898,7 +898,7 @@ get_memberof(struct main_args *margs, ch
|
2014-03-16 14:39:08 +01:00
|
|
|
debug((char *) "%s| %s: DEBUG: Setup Kerberos credential cache\n", LogTime(), PROGRAM);
|
|
|
|
|
2015-04-26 13:20:33 +02:00
|
|
|
#if HAVE_KRB5
|
2014-03-16 14:39:08 +01:00
|
|
|
- kc = krb5_create_cache(domain);
|
|
|
|
+ kc = krb5_create_cache(margs,domain);
|
|
|
|
if (kc) {
|
|
|
|
error((char *) "%s| %s: ERROR: Error during setup of Kerberos credential cache\n", LogTime(), PROGRAM);
|
|
|
|
}
|