Author: Klaubert Herr <klaubert@gmail.com>

Patch to strip kerberos realm from username

This patch add a new option to squid_ldap_group to strip kerberos realm from
username received from squid.
This is useful when you make kerberos authentication on squid, and try to
authorize the user using ldap in MS Active Directory, quering for
sAMAccountName.

diff --git a/helpers/external_acl/ldap_group/squid_ldap_group.8 b/helpers/external_acl/ldap_group/squid_ldap_group.8
index 543285ad87bec422fee01869a3f0d26ee1d670ea..a15fc8cc4d0d5d381df872e6be6abde754d74189 100644 (file)
--- a/helpers/external_acl/ldap_group/squid_ldap_group.8
+++ b/helpers/external_acl/ldap_group/squid_ldap_group.8
@@ -152,6 +152,10 @@ Specify time limit on LDAP search operations
 Strip NT domain name component from user names (/ or \\ separated)
 .
 .TP
+.BI -K
+Strip Kerberos Realm component from user names (@ separated)
+.
+.TP
 .BI -d
 Debug mode where each step taken will get reported in detail.
 Useful for understanding what goes wrong if the results is

diff --git a/helpers/external_acl/ldap_group/squid_ldap_group.c b/helpers/external_acl/ldap_group/squid_ldap_group.c
index 11e90d6c615d740ad69f30935c8c16848e2154d5..938053fdfbbe46da5a8ed3470439d52649b173c0 100644 (file)
--- a/helpers/external_acl/ldap_group/squid_ldap_group.c
+++ b/helpers/external_acl/ldap_group/squid_ldap_group.c
@@ -217,6 +217,7 @@ main(int argc, char **argv)
     int port = LDAP_PORT;
     int use_extension_dn = 0;
     int strip_nt_domain = 0;
+    int strip_kerberos_realm = 0;
     int err = 0;
 
     setbuf(stdout, NULL);
@@ -372,6 +373,9 @@ main(int argc, char **argv)
        case 'S':
            strip_nt_domain = 1;
            break;
+       case 'K':
+           strip_kerberos_realm = 1;
+           break;
        default:
            fprintf(stderr, PROGRAM_NAME " ERROR: Unknown command line option '%c'\n", option);
            exit(1);
@@ -426,6 +430,7 @@ main(int argc, char **argv)
 #endif
        fprintf(stderr, "\t-g\t\t\tfirst query parameter is base DN extension\n\t\t\t\tfor this query\n");
        fprintf(stderr, "\t-S\t\t\tStrip NT domain from usernames\n");
+       fprintf(stderr, "\t-K\t\t\tStrip Kerberos realm from usernames\n");
        fprintf(stderr, "\n");
        fprintf(stderr, "\tIf you need to bind as a user to perform searches then use the\n\t-D binddn -w bindpasswd or -D binddn -W secretfile options\n\n");
        exit(1);
@@ -471,6 +476,12 @@ main(int argc, char **argv)
            if (u && u[1])
                user = u + 1;
        }
+       if (strip_kerberos_realm) {
+           char *u = strchr(user, '@');
+           if (u != NULL) {
+               *u = '\0';
+           }
+       }
        if (use_extension_dn) {
            extension_dn = strtok(NULL, " \n");
            if (!extension_dn) {
@@ -785,7 +796,7 @@ searchLDAP(LDAP * ld, char *group, char *login, char *extension_dn)
 }
 
 
-int 
+int
 readSecret(const char *filename)
 {
     char buf[BUFSIZ];