negotiate_kerberos_auth: output group= kv-pair

Output group= if negotiate_kerberos_auth can retrieve AD groups from
Kerberos ticket for further processing by squid to external helpers.

diff --git a/helpers/negotiate_auth/kerberos/negotiate_kerberos.h b/helpers/negotiate_auth/kerberos/negotiate_kerberos.h
index ad4ca0ac34ef25dfec1ea8c34a75e7d57123bdc5..f3ae4e25a208f8c5ff21452e2dbe2a62d7975adb 100644 (file)
--- a/helpers/negotiate_auth/kerberos/negotiate_kerberos.h
+++ b/helpers/negotiate_auth/kerberos/negotiate_kerberos.h
@@ -106,7 +106,7 @@ extern "C" {
 #define MAX_AUTHTOKEN_LEN   65535
 #endif
 #ifndef SQUID_KERB_AUTH_VERSION
-#define SQUID_KERB_AUTH_VERSION "3.0.4sq"
+#define SQUID_KERB_AUTH_VERSION "3.1.0sq"
 #endif
 
 char *gethost_name(void);

diff --git a/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.cc b/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.cc
index 1944e4e3cb673cb5f5a3aebf4f660e821ef367a5..f92a6b9cef43fa22f7b8239e8f65b35a3a4e2da0 100644 (file)
--- a/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.cc
+++ b/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.cc
@@ -432,12 +432,16 @@ main(int argc, char *const argv[])
                 debug((char *) "%s| %s: DEBUG: Groups %s\n", LogTime(), PROGRAM, ag);
             }
 #endif
-            fprintf(stdout, "AF %s %s\n", token, user);
             rfc_user = rfc1738_escape(user);
+#if HAVE_PAC_SUPPORT
+            fprintf(stdout, "AF %s %s %s\n", token, rfc_user, ag?ag:"group=");
+#else
+            fprintf(stdout, "AF %s %s\n", token, rfc_user);
+#endif
             debug((char *) "%s| %s: DEBUG: AF %s %s\n", LogTime(), PROGRAM, token, rfc_user);
             if (log)
                 fprintf(stderr, "%s| %s: INFO: User %s authenticated\n", LogTime(),
-                        PROGRAM, rfc1738_escape(user));
+                        PROGRAM, rfc_user);
             goto cleanup;
         } else {
             if (check_gss_err(major_status, minor_status, "gss_accept_sec_context()", log, 1))
@@ -468,12 +472,16 @@ main(int argc, char *const argv[])
             if (norealm && (p = strchr(user, '@')) != NULL) {
                 *p = '\0';
             }
-            fprintf(stdout, "AF %s %s\n", "AA==", user);
-            debug((char *) "%s| %s: DEBUG: AF %s %s\n", LogTime(), PROGRAM, "AA==", rfc1738_escape(user));
+            rfc_user = rfc1738_escape(user);
+#if HAVE_PAC_SUPPORT
+            fprintf(stdout, "AF %s %s %s\n", "AA==", rfc_user, ag?ag:"group=");
+#else
+            fprintf(stdout, "AF %s %s\n", "AA==", rfc_user);
+#endif
+           debug((char *) "%s| %s: DEBUG: AF %s %s\n", LogTime(), PROGRAM, "AA==", rfc_user);
             if (log)
                 fprintf(stderr, "%s| %s: INFO: User %s authenticated\n", LogTime(),
-                        PROGRAM, rfc1738_escape(user));
-
+                        PROGRAM, rfc_user);
         }
 cleanup:
         gss_release_buffer(&minor_status, &input_token);

diff --git a/helpers/negotiate_auth/kerberos/negotiate_kerberos_pac.cc b/helpers/negotiate_auth/kerberos/negotiate_kerberos_pac.cc
index 31f22114a6bdcb59b6b277d7bfee568cf2bf835f..d88549fb1df034e4d69fcce721a35d87bd0a915a 100644 (file)
--- a/helpers/negotiate_auth/kerberos/negotiate_kerberos_pac.cc
+++ b/helpers/negotiate_auth/kerberos/negotiate_kerberos_pac.cc
@@ -62,7 +62,7 @@ check_k5_err(krb5_context context, const char *function, krb5_error_code code)
 #elif HAVE_KRB5_FREE_ERROR_STRING
         krb5_free_error_string(context, (char *)errmsg);
 #else
-       xfree(errmsg);
+        xfree(errmsg);
 #endif
     }
     return code;