Index: helpers/external_acl/kerberos_ldap_group/support_krb5.cc
===================================================================
--- helpers/external_acl/kerberos_ldap_group/support_krb5.cc.orig
+++ helpers/external_acl/kerberos_ldap_group/support_krb5.cc
@@ -80,7 +80,7 @@ k5_error(const char* msg, krb5_error_cod
* create Kerberos memory cache
*/
int
-krb5_create_cache(char *domain)
+krb5_create_cache(struct main_args *margs, char *domain)
{
krb5_keytab keytab = NULL;
@@ -288,8 +288,17 @@ krb5_create_cache(char *domain)
if (code) {
k5_error("Error while unparsing principal name",code);
} else {
- debug((char *) "%s| %s: DEBUG: Found principal name: %s\n", LogTime(), PROGRAM, principal_name);
- found = 1;
+ if (margs->brokenad == 1) {
+ if (!strncmp(principal_name,"HTTP/",strlen("HTTP/"))==0){
+ debug((char *) "%s| %s: DEBUG: Found principal without 'HTTP/' service name: %s NOT USING IT\n", LogTime(), PROGRAM, principal_name);
+ } else {
+ debug((char *) "%s| %s: DEBUG: Found principal with 'HTTP/' service name: %s\n", LogTime(), PROGRAM, principal_name);
+ found = 1;
+ }
+ } else {
+ debug((char *) "%s| %s: DEBUG: Found principal name: %s\n", LogTime(), PROGRAM, principal_name);
+ found = 1;
+ }
}
}
#if USE_HEIMDAL_KRB5 || ( HAVE_KRB5_KT_FREE_ENTRY && HAVE_DECL_KRB5_KT_FREE_ENTRY )
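Review bot: The condition on the new `margs->brokenad` path, `if (!strncmp(principal_name,"HTTP/",strlen("HTTP/"))==0)`, is only correct because `!` binds tighter than `==`: it is true exactly when the unparsed name does not start with `HTTP/`, which matches the "NOT USING IT" debug text but reads as if it tested the opposite. Write it as `if (strncmp(principal_name, "HTTP/", strlen("HTTP/")) != 0) {` so the intent is visible without working out precedence, and add a comment such as `// -x: on MS AD 2008 only the HTTP/ keytab entry is usable for the LDAP bind, so skip every other principal`. The check is a case-sensitive prefix match on the principal string, which is the right test for a Kerberos service name; when no `HTTP/` entry exists, `found` stays 0 and whatever handles that case lies outside this hunk, as does the start of krb5_create_cache and the unconditional dereference of the new `margs` pointer.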
Index: helpers/external_acl/kerberos_ldap_group/kerberos_ldap_group.cc
===================================================================
--- helpers/external_acl/kerberos_ldap_group/kerberos_ldap_group.cc.orig
+++ helpers/external_acl/kerberos_ldap_group/kerberos_ldap_group.cc
@@ -79,6 +79,7 @@ init_args(struct main_args *margs)
margs->AD = 0;
margs->mdepth = 5;
margs->nokerberos = 0;
+ margs->brokenad = 0;
margs->ddomain = NULL;
margs->groups = NULL;
margs->ndoms = NULL;
@@ -202,7 +203,7 @@ main(int argc, char *const argv[])
init_args(&margs);
- while (-1 != (opt = getopt(argc, argv, "diasng:D:N:S:u:U:t:T:p:l:b:m:h"))) {
+ while (-1 != (opt = getopt(argc, argv, "diasnxg:D:N:S:u:U:t:T:p:l:b:m:h"))) {
switch (opt) {
case 'd':
debug_enabled = 1;
@@ -219,6 +220,9 @@ main(int argc, char *const argv[])
case 'n':
margs.nokerberos = 1;
break;
+ case 'x':
+ margs.brokenad = 1;
+ break;
case 'g':
margs.glist = xstrdup(optarg);
break;
@@ -274,6 +278,7 @@ main(int argc, char *const argv[])
fprintf(stderr, "-l ldap url\n");
fprintf(stderr, "-b ldap bind path\n");
fprintf(stderr, "-s use SSL encryption with Kerberos authentication\n");
+ fprintf(stderr, "-x force use of HTTP/ principal on ms ad 2008\n");
fprintf(stderr, "-a allow SSL without cert verification\n");
fprintf(stderr, "-m maximal depth for recursive searches\n");
fprintf(stderr, "-h help\n");
Index: helpers/external_acl/kerberos_ldap_group/support.h
===================================================================
--- helpers/external_acl/kerberos_ldap_group/support.h.orig
+++ helpers/external_acl/kerberos_ldap_group/support.h
@@ -106,6 +106,7 @@ struct main_args {
int AD;
int mdepth;
int nokerberos;
+ int brokenad;
char *ddomain;
struct gdstruct *groups;
struct ndstruct *ndoms;
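Review bot: The new `int brokenad;` field carries no comment, and the name alone does not tell a reader that it restricts keytab selection rather than, say, toggling AD group handling like the neighbouring `AD` flag. Document it where it is declared, e.g. `int brokenad;   /* -x: only accept HTTP/ keytab principals (MS AD 2008 workaround) */`, so the field and the `-x` option stay tied together. The enclosing `struct main_args` starts and ends outside this hunk.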
@@ -181,7 +182,7 @@ struct kstruct {
char* mem_ccache[MAX_DOMAINS];
int ncache;
};
-int krb5_create_cache(char *domain);
+int krb5_create_cache(struct main_args *margs, char *domain);
void krb5_cleanup(void);
#endif
Index: helpers/external_acl/kerberos_ldap_group/support_ldap.cc
===================================================================
--- helpers/external_acl/kerberos_ldap_group/support_ldap.cc.orig
+++ helpers/external_acl/kerberos_ldap_group/support_ldap.cc
@@ -902,7 +902,7 @@ get_memberof(struct main_args *margs, ch
kc = 1;
debug((char *) "%s| %s: DEBUG: Kerberos is disabled. Use username/password with ldap url instead\n", LogTime(), PROGRAM);
} else {
- kc = krb5_create_cache(domain);
+ kc = krb5_create_cache(margs,domain);
if (kc) {
error((char *) "%s| %s: ERROR: Error during setup of Kerberos credential cache\n", LogTime(), PROGRAM);
}