From: Markus Moeller Date: Thu, 21 Aug 2014 17:36:49 +0000 (-0700) Subject: Kerberos ./configure updates and LDAP group helper membership X-Git-Tag: SQUID_3_5_0_1~107 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1a22a39eb25d7172fd7b635582f83293d1157d22;p=thirdparty%2Fsquid.git Kerberos ./configure updates and LDAP group helper membership Rewrite the configure.ac and cleans up some code in the kerberos auth and kerberos ldap helper. Additionally the kerberos ldap helper checks now for AD primary group membership too.
---
diff --git a/acinclude/krb5.m4 b/acinclude/krb5.m4
index 946bea8078..4f7434a6cc 100644
--- a/acinclude/krb5.m4
+++ b/acinclude/krb5.m4
@@ -140,22 +140,26 @@ dnl checks that gssapi is ok, and sets squid_cv_working_gssapi accordingly
 AC_DEFUN([SQUID_CHECK_WORKING_GSSAPI], [
 AC_CACHE_CHECK([for working gssapi], squid_cv_working_gssapi, [
 AC_RUN_IFELSE([AC_LANG_SOURCE([[
-#ifdef HAVE_HEIMDAL_KERBEROS
-#ifdef HAVE_GSSAPI_GSSAPI_H
+#if USE_HEIMDAL_KRB5
+#if HAVE_GSSAPI_GSSAPI_H
 #include
-#elif defined(HAVE_GSSAPI_H)
+#elif HAVE_GSSAPI_H
 #include
 #endif
+#elif USE_GNUGSS
+#if HAVE_GSS_H
+#include
+#endif
 #else
-#ifdef HAVE_GSSAPI_GSSAPI_H
+#if HAVE_GSSAPI_GSSAPI_H
 #include
-#elif defined(HAVE_GSSAPI_H)
+#elif HAVE_GSSAPI_H
 #include
 #endif
-#ifdef HAVE_GSSAPI_GSSAPI_KRB5_H
+#if HAVE_GSSAPI_GSSAPI_KRB5_H
 #include
 #endif
-#ifdef HAVE_GSSAPI_GSSAPI_GENERIC_H
+#if HAVE_GSSAPI_GSSAPI_GENERIC_H
 #include
 #endif
 #endif
@@ -170,29 +174,35 @@ main(void) return 0; } ]])], [ squid_cv_working_gssapi=yes ], [ squid_cv_working_gssapi=no ], [:])]) +if test "x$squid_cv_working_gssapi" = "xno" -a `echo $LIBS | grep -i -c "\-L"` -gt 0; then + AC_MSG_NOTICE([Check Runtime library path !]) +fi ]) - dnl check for a working spnego, and set squid_cv_have_spnego AC_DEFUN([SQUID_CHECK_SPNEGO_SUPPORT], [ AC_CACHE_CHECK([for spnego support], squid_cv_have_spnego, [ AC_RUN_IFELSE([AC_LANG_SOURCE([[ -#ifdef HAVE_HEIMDAL_KERBEROS -#ifdef HAVE_GSSAPI_GSSAPI_H +#if USE_HEIMDAL_KRB5 +#if HAVE_GSSAPI_GSSAPI_H #include -#elif defined(HAVE_GSSAPI_H) +#elif HAVE_GSSAPI_H #include #endif +#elif USE_GNUGSS +#if HAVE_GSS_H +#include +#endif #else -#ifdef HAVE_GSSAPI_GSSAPI_H +#if HAVE_GSSAPI_GSSAPI_H #include -#elif defined(HAVE_GSSAPI_H) +#elif HAVE_GSSAPI_H #include #endif -#ifdef HAVE_GSSAPI_GSSAPI_KRB5_H +#if HAVE_GSSAPI_GSSAPI_KRB5_H #include #endif -#ifdef HAVE_GSSAPI_GSSAPI_GENERIC_H +#if HAVE_GSSAPI_GSSAPI_GENERIC_H #include #endif #endif @@ -223,7 +233,7 @@ dnl checks that krb5 is functional. Sets squid_cv_working_krb5 AC_DEFUN([SQUID_CHECK_WORKING_KRB5],[ AC_CACHE_CHECK([for working krb5], squid_cv_working_krb5, [ AC_RUN_IFELSE([AC_LANG_SOURCE([[ -#ifdef HAVE_KRB5_H +#if HAVE_KRB5_H #if HAVE_BROKEN_SOLARIS_KRB5_H #if defined(__cplusplus) #define KRB5INT_BEGIN_DECLS extern "C" { 
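Review bot: The new notice condition `grep -i -c "\-L"` matches case-insensitively, so any `-l<lib>` in `$LIBS` satisfies it as well as a `-L` path, and because configure.ac appends KRB5LIBS to LIBS before calling this macro the 'Check Runtime library path' hint fires on every failed gssapi probe rather than only when a non-standard library path is in use. `test ... -a ...` is also the obsolescent form the Autoconf manual advises against. A case statement avoids both: `if test "x$squid_cv_working_gssapi" = "xno"; then case "$LIBS" in *-L*) AC_MSG_NOTICE([Check Runtime library path !]) ;; esac; fi`. The same line is duplicated in SQUID_CHECK_WORKING_KRB5 in the next hunk and should change together with this one.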
@@ -250,4 +260,83 @@ main(void)
 return 0;
 }
 ]])], [ squid_cv_working_krb5=yes ], [ squid_cv_working_krb5=no ],[:])])
+if test "x$squid_cv_working_krb5" = "xno" -a `echo $LIBS | grep -i -c "\-L"` -gt 0; then
+ AC_MSG_NOTICE([Check Runtime library path !])
+fi
+])
+
+
+dnl checks for existence of krb5 functions
+AC_DEFUN([SQUID_CHECK_KRB5_FUNCS],[
+
+ AC_CHECK_LIB(krb5,krb5_get_err_text,
+ AC_DEFINE(HAVE_KRB5_GET_ERR_TEXT,1,
+ [Define to 1 if you have krb5_get_err_text]),)
+ AC_CHECK_LIB(krb5,krb5_get_error_message,
+ AC_DEFINE(HAVE_KRB5_GET_ERROR_MESSAGE,1,
+ [Define to 1 if you have krb5_get_error_message]),)
+ AC_CHECK_DECLS(krb5_kt_free_entry,,,[#include ])
+ AC_CHECK_TYPE(krb5_pac,
+ AC_DEFINE(HAVE_KRB5_PAC,1,
+ [Define to 1 if you have krb5_pac]),,
+ [#include ])
+ AC_CHECK_LIB(krb5,krb5_kt_free_entry,
+ AC_DEFINE(HAVE_KRB5_KT_FREE_ENTRY,1,
+ [Define to 1 if you have krb5_kt_free_entry]),)
+ AC_CHECK_LIB(krb5,krb5_get_init_creds_keytab,
+ AC_DEFINE(HAVE_GET_INIT_CREDS_KEYTAB,1,
+ [Define to 1 if you have krb5_get_init_creds_keytab]),)
+ AC_CHECK_LIB(krb5,krb5_get_max_time_skew,
+ AC_DEFINE(HAVE_KRB5_GET_MAX_TIME_SKEW,1,
+ [Define to 1 if you have krb5_get_max_time_skew]),)
+ AC_CHECK_LIB(krb5,krb5_get_profile,
+ AC_DEFINE(HAVE_KRB5_GET_PROFILE,1,
+ [Define to 1 if you have krb5_get_profile]),)
+ AC_CHECK_LIB(krb5,profile_get_integer,
+ AC_DEFINE(HAVE_PROFILE_GET_INTEGER,1,
+ [Define to 1 if you have profile_get_integer]),)
+ AC_CHECK_LIB(krb5,profile_release,
+ AC_DEFINE(HAVE_PROFILE_RELEASE,1,
+ [Define to 1 if you have profile_release]),)
+ AC_CHECK_LIB(krb5,krb5_get_renewed_creds,
+ AC_DEFINE(HAVE_KRB5_GET_RENEWED_CREDS,1,
+ [Define to 1 if you have krb5_get_renewed_creds]),)
+ AC_CHECK_LIB(krb5,krb5_principal_get_realm,
+ AC_DEFINE(HAVE_KRB5_PRINCIPAL_GET_REALM,1,
+ [Define to 1 if you have krb5_principal_get_realm]),)
+ AC_CHECK_LIB(krb5, krb5_get_init_creds_opt_alloc,
+ AC_DEFINE(HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC,1,
+ [Define to 1 if you have krb5_get_init_creds_opt_alloc]),)
+ AC_MSG_CHECKING([for krb5_get_init_creds_free requires krb5_context])
+ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+ #include
+ ]],[[krb5_context context;
+ krb5_get_init_creds_opt *options;
+ krb5_get_init_creds_opt_free(context, options)]])],[
+ AC_DEFINE(HAVE_KRB5_GET_INIT_CREDS_FREE_CONTEXT,1,
+ [Define to 1 if you krb5_get_init_creds_free requires krb5_context])
+ AC_MSG_RESULT(yes)
+ ],[AC_MSG_RESULT(no)],[AC_MSG_RESULT(no)])
+
+
+ AC_CHECK_FUNCS(gss_map_name_to_any,
+ AC_DEFINE(HAVE_GSS_MAP_ANY_TO_ANY,1,
+ [Define to 1 if you have gss_map_name_to_any]),)
+ AC_CHECK_FUNCS(gsskrb5_extract_authz_data_from_sec_context,
+ AC_DEFINE(HAVE_GSSKRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT,1,
+ [Define to 1 if you have gsskrb5_extract_authz_data_from_sec_context]),)
+
+ SQUID_CHECK_KRB5_CONTEXT_MEMORY_CACHE
+ SQUID_DEFINE_BOOL(HAVE_KRB5_MEMORY_CACHE,$squid_cv_memory_cache,
+ [Define if kerberos has MEMORY: cache support])
+
+ SQUID_CHECK_WORKING_GSSAPI
+ SQUID_DEFINE_BOOL(HAVE_GSSAPI,$squid_cv_working_gssapi,[GSSAPI support])
+
+ SQUID_CHECK_SPNEGO_SUPPORT
+ SQUID_DEFINE_BOOL(HAVE_SPNEGO,$squid_cv_have_spnego,[SPNEGO support])
+
+ SQUID_CHECK_WORKING_KRB5
+ SQUID_DEFINE_BOOL(HAVE_KRB5,$squid_cv_working_krb5,[KRB5 support])
 ])
+
diff --git a/configure.ac b/configure.ac
index 60b18b08fb..99308d13b4 100644
--- a/configure.ac
+++ b/configure.ac
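Review bot: In SQUID_CHECK_KRB5_FUNCS the two `AC_CHECK_FUNCS(..., AC_DEFINE(...))` calls duplicate what AC_CHECK_FUNCS already does — it defines `HAVE_GSS_MAP_NAME_TO_ANY` and `HAVE_GSSKRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT` itself when the function is found — and the first one adds a second macro under the misspelt name `HAVE_GSS_MAP_ANY_TO_ANY`, so presumably the helpers test a name that does not match the function. These lines are carried over unchanged from the configure.ac block the second hunk deletes, so collapsing them to `AC_CHECK_FUNCS([gss_map_name_to_any gsskrb5_extract_authz_data_from_sec_context])` would also require switching any `#if HAVE_GSS_MAP_ANY_TO_ANY` in the helpers to `HAVE_GSS_MAP_NAME_TO_ANY`, which this page does not show. The `krb5_get_init_creds_opt_free` probe passes a fourth argument to `AC_COMPILE_IFELSE`, which takes only three; the trailing `,[AC_MSG_RESULT(no)]` looks copied from an AC_RUN_IFELSE and can be dropped.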
@@ -1345,6 +1345,684 @@ AC_MSG_NOTICE([OpenSSL library support: ${with_openssl:=no} ${LIBOPENSSL_PATH} $ AM_CONDITIONAL(ENABLE_SSL,[ test "x$with_openssl" = "xyes" ]) AC_SUBST(SSLLIB) +dnl User may specify MIT Kerberos is needed from a non-standard location +AC_ARG_WITH(mit-krb5, + AS_HELP_STRING([--with-mit-krb5=PATH], + [Compile with the MIT Kerberos libraries. The path to + the MIT Kerberos development libraries and headers + installation can be specified if outside of the + system standard directories]), [ +case "$with_mit_krb5" in + yes|no) + : # Nothing special to do here + ;; + *) + if test ! -d "$withval" ; then + AC_MSG_ERROR([--with-mit-krb5 path does not point to a directory]) + fi + if test -d "$with_mit_krb5/lib64" ; then + LIB_KRB5_PATH="-L$with_mit_krb5/lib64 -L$with_mit_krb5/lib" + else + LIB_KRB5_PATH="-L$with_mit_krb5/lib" + fi + CXXFLAGS="-I$with_mit_krb5/include $CXXFLAGS" + krb5confpath="$with_mit_krb5/bin" + with_mit_krb5=yes +esac +]) +AH_TEMPLATE(USE_MIT_KRB5,[MIT Kerberos support is available]) +AH_TEMPLATE(USE_SOLARIS_KRB5,[Solaris Kerberos support is available]) + +dnl User may specify Heimdal Kerberos is needed from a non-standard location +AC_ARG_WITH(heimdal-krb5, + AS_HELP_STRING([--with-heimdal-krb5=PATH], + [Compile with the Heimdal Kerberos libraries. The path to + the Heimdal Kerberos development libraries and headers + installation can be specified if outside of the + system standard directories]), [ +case "$with_heimdal_krb5" in + yes|no) + : # Nothing special to do here + ;; + *) + if test ! 
-d "$withval" ; then + AC_MSG_ERROR([--with-heimdal-krb5 path does not point to a directory]) + fi + if test -d "$with_heimdal_krb5/lib64" ; then + LIB_KRB5_PATH="-L$with_heimdal_krb5/lib64 -L$with_heimdal_krb5/lib" + else + LIB_KRB5_PATH="-L$with_heimdal_krb5/lib" + fi + CXXFLAGS="-I$with_heimdal_krb5/include $CXXFLAGS" + krb5confpath="$with_heimdal_krb5/bin" + with_heimdal_krb5=yes +esac +]) +AH_TEMPLATE(USE_HEIMDAL_KRB5,[Heimdal Kerberos support is available]) + + + +dnl User may specify GNU gss is needed from a non-standard location +AC_ARG_WITH(gnugss, + AS_HELP_STRING([--with-gnugss=PATH], + [Compile with the GNU gss libraries. The path to + the GNU gss development libraries and headers + installation can be specified if outside of the + system standard directories]), [ +case "$with_gnugss" in + yes|no) + : # Nothing special to do here + ;; + *) + if test ! -d "$withval" ; then + AC_MSG_ERROR([--with-gnugss path does not point to a directory]) + fi + if test ! -d "$with_gnugss/lib64" ; then + LIB_KRB5_PATH="-L$with_gnugss/lib64 -L$with_gnugss/lib" + else + LIB_KRB5_PATH="-L$with_gnugss/lib" + fi + CXXFLAGS="-I$with_gnugss/include $CXXFLAGS" + krb5confpath= + with_gnugss=yes +esac +]) +AH_TEMPLATE(USE_GNUGSS,[GNU gss support is available]) + +# determine krb5 conflicts +ac_with_krb5_count=0 +if test "x$with_mit_krb5" = "xyes"; then + ac_with_krb5_count=`expr $ac_with_krb5_count + 1` +fi +if test "x$with_heimdal_krb5" = "xyes"; then + ac_with_krb5_count=`expr $ac_with_krb5_count + 1` +fi +if test "x$with_gnugss" = "xyes"; then + ac_with_krb5_count=`expr $ac_with_krb5_count + 1` +fi + +if test $ac_with_krb5_count -gt 1 ; then + AC_MSG_ERROR([Please choose only one Kerberos library.]) +elif test $ac_with_krb5_count -eq 0 ; then + # find installed libs via pkg-config or krb5-config + PKG_CHECK_EXISTS(gssapi-krb5 krb5, [with_mit_krb5=yes]) + PKG_CHECK_EXISTS(heimdal-gssapi, [with_heimdal_krb5=yes]) + PKG_CHECK_EXISTS(gss, [with_gnugss=yes]) + if test 
"x$with_mit_krb5" = "xyes"; then + ac_with_krb5_count=`expr $ac_with_krb5_count + 1` + fi + if test "x$with_heimdal_krb5" = "xyes"; then + ac_with_krb5_count=`expr $ac_with_krb5_count + 1` + fi + if test "x$with_gnugss" = "xyes"; then + ac_with_krb5_count=`expr $ac_with_krb5_count + 1` + fi + if test $ac_with_krb5_count -gt 1 ; then + AC_MSG_ERROR([pkg-config found multiple Kerberos library. Please select one with --with-]) + elif test $ac_with_krb5_count -eq 0 ; then + # Look for krb5-config + AC_PATH_PROG(krb5_config,krb5-config,no) + if test "x$ac_cv_path_krb5_config" != "xno" ; then + krb5confpath="`dirname $ac_cv_path_krb5_config`" + ac_heimdal="`$ac_cv_path_krb5_config --version 2>/dev/null | grep -c -i heimdal`" + ac_solaris="`$ac_cv_path_krb5_config --version 2>/dev/null | grep -c -i solaris`" + if test $ac_heimdal -gt 0 ; then + with_heimdal_krb5=yes + ac_with_krb5_count=1 + fi + if test $ac_solaris -gt 0 ; then + with_solaris_krb5=yes + ac_with_krb5_count=1 + fi + if test $ac_heimdal -eq 0 && test $ac_solaris -eq 0 ; then + with_mit_krb5=yes + ac_with_krb5_count=1 + fi + else + AC_MSG_ERROR([Could not find krb5-config in path]) + fi + fi +fi + +if test "x$with_mit_krb5" = "xyes"; then + SQUID_STATE_SAVE([squid_krb5_save]) + LIBS="$LIBS $LIB_KRB5_PATH" + + # auto-detect using pkg-config + PKG_CHECK_MODULES([LIB_KRB5],[gssapi-krb5 krb5],,[ + # look for krb5-config + if test "x$krb5confpath" = "x" ; then + AC_PATH_PROG(krb5_config,krb5-config,no) + if test "x$ac_cv_path_krb5_config" != "xno" ; then + ac_krb5_config="$ac_cv_path_krb5_config" + fi + else + ac_krb5_config="$krb5confpath/krb5-config" + fi + if test "x$ac_krb5_config" != "x" && test -x "$ac_krb5_config"; then + # Get libs, etc + AC_MSG_NOTICE([Use krb5-config to get CXXFLAGS and LIBS]) + LIB_KRB5_CFLAGS="`$ac_krb5_config --cflags krb5 2>/dev/null`" + LIB_KRB5_LIBS="`$ac_krb5_config --libs krb5 2>/dev/null`" + LIB_KRB5_CFLAGS="`$ac_krb5_config --cflags gssapi 2>/dev/null` $LIB_KRB5_CFLAGS" + 
LIB_KRB5_LIBS="`$ac_krb5_config --libs gssapi 2>/dev/null` $LIB_KRB5_LIBS" + else + ## For some OS pkg-config is broken or unavailable. + ## Detect libraries the hard way. + + AC_MSG_NOTICE([Try to find Kerberos libraries in given path]) + AC_CHECK_LIB(com_err, [main], [LIB_KRB5_LIBS="-lcom_err $LIB_KRB5_LIBS"],[ + AC_MSG_ERROR([library 'com_err' is required for MIT Kerberos]) + ]) + AC_CHECK_LIB(k5crypto, [main], [LIB_KRB5_LIBS="-lk5crypto $LIB_KRB5_LIBS"],[ + AC_MSG_ERROR([library 'k5crypto' is required for MIT Kerberos]) + ]) + AC_CHECK_LIB(krb5, [main], [LIB_KRB5_LIBS="-lkrb5 $LIB_KRB5_LIBS"],[ + AC_MSG_ERROR([library 'krb5' is required for MIT Kerberos]) + ]) + AC_CHECK_LIB(gssapi_krb5, [main], [LIB_KRB5_LIBS="-lgssapi_krb5 $LIB_KRB5_LIBS"],[ + AC_MSG_ERROR([library 'gssapi_krb5' is required for MIT Kerberos]) + ]) + fi + + ]) + + if test "x$LIB_KRB5_LIBS" != "x"; then + KRB5LIBS="$LIB_KRB5_PATH $LIB_KRB5_LIBS $KRB5LIBS" + KRB5INCS="$LIB_KRB5_CFLAGS" + AC_DEFINE(USE_MIT_KRB5,1,[MIT Kerberos support is available]) + KRB5_FLAVOUR="MIT" + + # check for other specific broken implementations + CXXFLAGS="$CXXFLAGS $KRB5INCS" + LIBS="$LIBS $KRB5LIBS" + + AC_MSG_NOTICE([Try to find Kerberos headers in given path]) + AC_CHECK_HEADERS(gssapi.h gssapi/gssapi.h gssapi/gssapi_krb5.h) + AC_CHECK_HEADERS(gssapi/gssapi_generic.h) + AC_CHECK_HEADERS(krb5.h com_err.h et/com_err.h) + AC_CHECK_HEADERS(profile.h) + + if test `echo $KRB5LIBS | grep -c com_err` -ne 0 -a "x$ac_com_error_message" = "xyes" ; then + AC_CHECK_LIB(com_err,error_message, + AC_DEFINE(HAVE_ERROR_MESSAGE,1, + [Define to 1 if you have error_message]),) + elif test "x$ac_com_error_message" = "xyes" ; then + AC_CHECK_LIB(krb5,error_message, + AC_DEFINE(HAVE_ERROR_MESSAGE,1, + [Define to 1 if you have error_message]),) + fi + + SQUID_CHECK_KRB5_FUNCS + + fi + if test "x$KRB5LIBS" = "x"; then + AC_MSG_ERROR([Required Kerberos library not found]) + ac_with_krb5_count=0 + fi + + 
SQUID_STATE_ROLLBACK([squid_krb5_save]) +fi + +if test "x$with_solaris_krb5" = "xyes"; then + SQUID_STATE_SAVE([squid_krb5_save]) + LIBS="$LIBS $LIB_KRB5_PATH" + + # no pkg-config for solaris native Kerberos + # look for krb5-config + if test "x$krb5confpath" = "x" ; then + AC_PATH_PROG(krb5_config,krb5-config,no) + if test "x$ac_cv_path_krb5_config" != "xno" ; then + ac_krb5_config="$ac_cv_path_krb5_config" + fi + else + ac_krb5_config="$krb5confpath/krb5-config" + fi + if test "x$ac_krb5_config" != "x" && test -x "$ac_krb5_config"; then + # Get libs, etc + AC_MSG_NOTICE([Use krb5-config to get CXXFLAGS and LIBS]) + LIB_KRB5_CFLAGS="`$ac_krb5_config --cflags krb5 2>/dev/null`" + LIB_KRB5_LIBS="`$ac_krb5_config --libs krb5 2>/dev/null`" + LIB_KRB5_CFLAGS="`$ac_krb5_config --cflags gssapi 2>/dev/null` $LIB_KRB5_CFLAGS" + LIB_KRB5_LIBS="`$ac_krb5_config --libs gssapi 2>/dev/null` $LIB_KRB5_LIBS" + else + ## For some OS pkg-config is broken or unavailable. + ## Detect libraries the hard way. 
+ + CXXFLAGS="-I/usr/include/kerberosv5 $CXXFLAGS" + + AC_MSG_NOTICE([Try to find Kerberos libraries in given path]) + AC_CHECK_LIB(krb5, [main], [LIB_KRB5_LIBS="-lkrb5 $LIB_KRB5_LIBS"],[ + AC_MSG_ERROR([library 'krb5' is required for Solaris Kerberos]) + ]) + AC_CHECK_LIB(gss, [main], [LIB_KRB5_LIBS="-lgss $LIB_KRB5_LIBS"],[ + AC_MSG_ERROR([library 'gss' is required for Solaris Kerberos]) + ]) + fi + + if test "x$LIB_KRB5_LIBS" != "x"; then + KRB5LIBS="$LIB_KRB5_PATH $LIB_KRB5_LIBS $KRB5LIBS" + KRB5INCS="$LIB_KRB5_CFLAGS" + AC_DEFINE(USE_SOLARIS_KRB5,1,[Solaris Kerberos support is available]) + KRB5_FLAVOUR="Solaris" + + # check for other specific broken implementations + CXXFLAGS="$CXXFLAGS $KRB5INCS" + LIBS="$LIBS $KRB5LIBS" + + AC_MSG_NOTICE([Try to find Kerberos headers in given path]) + AC_CHECK_HEADERS(gssapi/gssapi.h gssapi/gssapi_ext.h) + AC_CHECK_HEADERS(krb5.h com_err.h) + + SQUID_CHECK_KRB5_SOLARIS_BROKEN_KRB5_H + if test "x$squid_cv_broken_krb5_h" = "xyes"; then + AC_DEFINE(HAVE_BROKEN_SOLARIS_KRB5_H, 1, [Define to 1 if Solaris krb5.h is broken for C++]) + AC_MSG_WARN([You have a broken Solaris system include.]) + AC_MSG_WARN([Please see http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=6837512]) + AC_MSG_WARN([If you need Kerberos support you will have to patch]) + AC_MSG_WARN([your system. 
See contrib/solaris/solaris-krb5-include.patch]) + fi + + SQUID_CHECK_KRB5_FUNCS + + fi + if test "x$KRB5LIBS" = "x"; then + AC_MSG_ERROR([Required Kerberos library not found]) + ac_with_krb5_count=0 + fi + + SQUID_STATE_ROLLBACK([squid_krb5_save]) +fi + +if test "x$with_heimdal_krb5" = "xyes"; then + SQUID_STATE_SAVE([squid_krb5_save]) + LIBS="$LIBS $LIB_KRB5_PATH" + + # auto-detect using pkg-config + PKG_CHECK_MODULES([LIB_KRB5],[heimdal-gssapi],,[ + # look for krb5-config + if test "x$krb5confpath" = "x" ; then + AC_PATH_PROG(krb5_config,krb5-config,no) + if test "x$ac_cv_path_krb5_config" != "xno" ; then + ac_krb5_config="$ac_cv_path_krb5_config" + fi + else + ac_krb5_config="$krb5confpath/krb5-config" + fi + if test "x$ac_krb5_config" != "x" && test -x "$ac_krb5_config"; then + # Get libs, etc + AC_MSG_NOTICE([Use krb5-config to get CXXFLAGS and LIBS]) + LIB_KRB5_CFLAGS="`$ac_krb5_config --cflags krb5 2>/dev/null`" + LIB_KRB5_LIBS="`$ac_krb5_config --libs krb5 2>/dev/null`" + LIB_KRB5_CFLAGS="`$ac_krb5_config --cflags gssapi 2>/dev/null` $LIB_KRB5_CFLAGS" + LIB_KRB5_LIBS="`$ac_krb5_config --libs gssapi 2>/dev/null` $LIB_KRB5_LIBS" + else + ## For some OS pkg-config is broken or unavailable. + ## Detect libraries the hard way. 
+ + AC_MSG_NOTICE([Try to find Kerberos libraries in given path]) + AC_CHECK_LIB(resolv, [main], [LIB_KRB5_LIBS="-lresolv $LIB_KRB5_LIBS"],[ + AC_MSG_ERROR([library 'resolv' is required for Heimdal Kerberos]) + ]) + AC_CHECK_LIB(crypt, [main], [LIB_KRB5_LIBS="-lcrypt $LIB_KRB5_LIBS"],[ + AC_MSG_ERROR([library 'crypt' is required for Heimdal Kerberos]) + ]) + AC_CHECK_LIB(roken, [main], [LIB_KRB5_LIBS="-lroken $LIB_KRB5_LIBS"],[ + AC_MSG_ERROR([library 'roken' is required for Heimdal Kerberos]) + ]) + AC_CHECK_LIB(heimbase, [main], [LIB_KRB5_LIBS="-lheimbase $LIB_KRB5_LIBS"],[ + AC_MSG_WARN([library 'heimbase' may be required for Heimdal Kerberos]) + ]) + AC_CHECK_LIB(wind, [main], [LIB_KRB5_LIBS="-lwind $LIB_KRB5_LIBS"],[ + AC_MSG_WARN([library 'wind' may be required for Heimdal Kerberos]) + ]) + AC_CHECK_LIB(crypto, [main], [LIB_KRB5_LIBS="-lcrypto $LIB_KRB5_LIBS"],[ + AC_MSG_ERROR([library 'crypto' is required for Heimdal Kerberos]) + ]) + AC_CHECK_LIB(com_err, [main], [LIB_KRB5_LIBS="-lcom_err $LIB_KRB5_LIBS"],[ + AC_MSG_ERROR([library 'com_err' is required for Heimdal Kerberos]) + ]) + AC_CHECK_LIB(hx509, [main], [LIB_KRB5_LIBS="-lhx509 $LIB_KRB5_LIBS"],[ + AC_MSG_WARN([library 'hx509' may be required for Heimdal Kerberos]) + ]) + AC_CHECK_LIB(asn1, [main], [LIB_KRB5_LIBS="-lasn1 $LIB_KRB5_LIBS"],[ + AC_MSG_ERROR([library 'asn1' is required for Heimdal Kerberos]) + ]) + AC_CHECK_LIB(krb5, [main], [LIB_KRB5_LIBS="-lkrb5 $LIB_KRB5_LIBS"],[ + AC_MSG_ERROR([library 'krb5' is required for Heimdal Kerberos]) + ]) + AC_CHECK_LIB(heimntlm, [main], [LIB_KRB5_LIBS="-lheimntlm $LIB_KRB5_LIBS"],[ + AC_MSG_WARN([library 'heimntlm' may be required for Heimdal Kerberos]) + ]) + AC_CHECK_LIB(gssapi, [main], [LIB_KRB5_LIBS="-lgssapi $LIB_KRB5_LIBS"],[ + AC_MSG_ERROR([library 'gssapi' is required for Heimdal Kerberos]) + ]) + fi + + ]) + if test "x$LIB_KRB5_LIBS" != "x"; then + KRB5LIBS="$LIB_KRB5_PATH $LIB_KRB5_LIBS $KRB5LIBS" + KRB5INCS="$LIB_KRB5_CFLAGS" + 
AC_DEFINE(USE_HEIMDAL_KRB5,1,[Heimdal Kerberos support is available]) + KRB5_FLAVOUR="Heimdal" + + # check for other specific broken implementations + CXXFLAGS="$CXXFLAGS $KRB5INCS" + LIBS="$LIBS $KRB5LIBS" + + AC_MSG_NOTICE([Try to find Kerberos headers in given path]) + AC_CHECK_HEADERS(gssapi.h gssapi/gssapi.h gssapi/gssapi_krb5.h) + AC_CHECK_HEADERS(krb5.h com_err.h et/com_err.h) + + SQUID_CHECK_KRB5_HEIMDAL_BROKEN_KRB5_H + if test "x$squid_cv_broken_heimdal_krb5_h" = "xyes"; then + AC_DEFINE(HAVE_BROKEN_HEIMDAL_KRB5_H, 1, [Define to 1 if Heimdal krb5.h is broken for C++]) + fi + + if test `echo $KRB5LIBS | grep -c com_err` -ne 0 -a "x$ac_com_error_message" = "xyes" ; then + AC_CHECK_LIB(com_err,error_message, + AC_DEFINE(HAVE_ERROR_MESSAGE,1, + [Define to 1 if you have error_message]),) + elif test "x$ac_com_error_message" = "xyes" ; then + AC_CHECK_LIB(krb5,error_message, + AC_DEFINE(HAVE_ERROR_MESSAGE,1, + [Define to 1 if you have error_message]),) + fi + + SQUID_CHECK_KRB5_FUNCS + + fi + if test "x$KRB5LIBS" = "x"; then + AC_MSG_ERROR([Required Kerberos library not found]) + ac_with_krb5_count=0 + fi + + SQUID_STATE_ROLLBACK([squid_krb5_save]) +fi + +if test "x$with_gnugss" = "xyes"; then + SQUID_STATE_SAVE([squid_krb5_save]) + LIBS="$LIBS $LIB_KRB5_PATH" + + # auto-detect using pkg-config + PKG_CHECK_MODULES([LIB_KRB5],[gss],,[ + ## For some OS pkg-config is broken or unavailable. + ## Detect libraries the hard way. 
+ + AC_MSG_NOTICE([Try to find Kerberos libraries in given path]) + AC_CHECK_LIB(gss, [main], [LIB_KRB5_LIBS="-lgss $LIB_KRB5_LIBS"],[ + AC_MSG_ERROR([library 'com_err' is required for GNU Kerberos]) + ]) + + ]) + + if test "x$LIB_KRB5_LIBS" != "x"; then + KRB5LIBS="$LIB_KRB5_PATH $LIB_KRB5_LIBS $KRB5LIBS" + KRB5INCS="$LIB_KRB5_CFLAGS" + AC_DEFINE(USE_GNUGSS,1,[GNU Kerberos support is available]) + KRB5_FLAVOUR="GNU GSS" + + # check for other specific broken implementations + CXXFLAGS="$CXXFLAGS $KRB5INCS" + LIBS="$LIBS $KRB5LIBS" + + AC_MSG_NOTICE([Try to find Kerbeors headers in given path]) + AC_CHECK_HEADERS(gss.h) + + SQUID_CHECK_WORKING_GSSAPI + SQUID_DEFINE_BOOL(HAVE_GSSAPI,$squid_cv_working_gssapi,[GSSAPI support]) + + SQUID_CHECK_SPNEGO_SUPPORT + SQUID_DEFINE_BOOL(HAVE_SPNEGO,$squid_cv_have_spnego,[SPNEGO support]) + + SQUID_CHECK_WORKING_KRB5 + SQUID_DEFINE_BOOL(HAVE_KRB5,$squid_cv_working_krb5,[KRB5 support]) + + fi + if test "x$KRB5LIBS" = "x"; then + AC_MSG_ERROR([Required Kerberos library not found]) + ac_with_krb5_count=0 + fi + + SQUID_STATE_ROLLBACK([squid_krb5_save]) +fi +if test $ac_with_krb5_count -gt 0 ; then + with_krb5=yes +fi +AC_MSG_NOTICE([$KRB5_FLAVOUR Kerberos library support: ${with_krb5:=no} ${LIB_KRB5_PATH} ${LIB_KRB5_LIBS}]) +AC_SUBST(KRB5INCS) +AC_SUBST(KRB5LIBS) +AM_CONDITIONAL(HAVE_SPNEGO, test x"$squid_cv_have_spnego" = x"yes" ) + +dnl On MinGW OpenLDAP is not available, so LDAP helpers can be linked +dnl only with Windows LDAP libraries using -lwldap32 +case "$squid_host_os" in + mingw) + LDAPLIB="-lwldap32" + LBERLIB="" + ;; + *) + AC_CHECK_LIB(ldap, ldap_init, [LDAPLIB="-lldap"]) + dnl LDAP helpers need to know if -llber is needed or not + AC_CHECK_LIB(lber, ber_init, [LBERLIB="-llber"]) + dnl if no ldap lib found check for mozilla version + if test "x$ac_cv_lib_ldap_ldap_init" != x""yes; then + oLIBS=$LIBS + LIBS="$LIBPTHREADS" + AC_CHECK_LIB(ldap60, ldap_init, [LDAPLIB="-lldap60"]) + LIBS="$LDAPLIB $LIBPTHREADS" + 
AC_CHECK_LIB(prldap60, prldap_init, [LDAPLIB="-lprldap60 $LDAPLIB"]) + LIBS="$LDAPLIB $LIBPTHREADS" + AC_CHECK_LIB(ssldap60, ldapssl_init, [LDAPLIB="-lssldap60 $LDAPLIB"]) + LIBS=$oLIBS + fi + + AC_CHECK_HEADERS(ldap.h lber.h) + AC_CHECK_HEADERS(mozldap/ldap.h) + + dnl + dnl Check for LDAP_OPT_DEBUG_LEVEL + dnl + AC_MSG_CHECKING([for LDAP_OPT_DEBUG_LEVEL]) + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ +# include + ]],[[ + int i=LDAP_OPT_DEBUG_LEVEL + ]])], + [ AC_MSG_RESULT(yes) ], + [ AC_MSG_RESULT(no) ]) + + dnl + dnl Check for working ldap + dnl + oLIBS=$LIBS + LIBS="$LDAPLIB $LBERLIB $LIBPTHREADS" + AC_MSG_CHECKING([for working ldap]) + AC_RUN_IFELSE([AC_LANG_SOURCE([[ +# define LDAP_DEPRECATED 1 +# if HAVE_LDAP_H +# include +# elif HAVE_MOZLDAP_LDAP_H +# include +# endif + int + main(void) + { + char host[]=""; + int port; + + ldap_init((const char *)&host, port); + + return 0; + } + ]])], + [ AC_DEFINE(HAVE_LDAP, 1, [LDAP support]) + AC_MSG_RESULT(yes) ], + [ AC_MSG_RESULT(no) ], + [ AC_MSG_RESULT(cross-compiler cant tell) ]) + LIBS=$oLIBS + + dnl + dnl Check for ldap vendor + dnl + AC_MSG_CHECKING([for OpenLDAP]) + AC_RUN_IFELSE([AC_LANG_SOURCE([[ +# if HAVE_LDAP_H +# include +# endif +# include + int + main(void) + { + return strcmp(LDAP_VENDOR_NAME,"OpenLDAP"); + } + ]])], + [ AC_DEFINE(HAVE_OPENLDAP, 1, [OpenLDAP support]) + AC_MSG_RESULT(yes) ], + [ AC_MSG_RESULT(no) ], + [ AC_MSG_RESULT(cross-compiler cant tell) ]) + + AC_MSG_CHECKING([for Sun LDAP SDK]) + AC_RUN_IFELSE([AC_LANG_SOURCE([[ +# if HAVE_LDAP_H +# include +# endif +# include + int + main(void) + { + return strcmp(LDAP_VENDOR_NAME,"Sun Microsystems Inc."); + } + ]])], + [ AC_DEFINE(HAVE_SUN_LDAP_SDK, 1, [Sun LDAP SDK support]) + AC_MSG_RESULT(yes) ], + [ AC_MSG_RESULT(no) ], + [ AC_MSG_RESULT(cross-compiler cant tell) ]) + + AC_MSG_CHECKING([for Mozilla LDAP SDK]) + AC_RUN_IFELSE([AC_LANG_SOURCE([[ +# if HAVE_LDAP_H +# include +# elif HAVE_MOZLDAP_LDAP_H +# include +# endif +# include + int + 
main(void) + { + return strcmp(LDAP_VENDOR_NAME,"mozilla.org"); + } + ]])], + [ AC_DEFINE(HAVE_MOZILLA_LDAP_SDK, 1, [Mozilla LDAP SDK support]) + AC_MSG_RESULT(yes) ], + [ AC_MSG_RESULT(no)], + [ AC_MSG_RESULT(cross-compiler cant tell) ]) + + dnl + dnl Check for LDAP_REBINDPROC_CALLBACK + dnl + AC_MSG_CHECKING([for LDAP_REBINDPROC_CALLBACK]) + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ +# if HAVE_LDAP_H +# include +# elif HAVE_MOZLDAP_LDAP_H +# include +# endif + ]],[[ + LDAP_REBINDPROC_CALLBACK ldap_rebind; + ]])], + [ AC_DEFINE(HAVE_LDAP_REBINDPROC_CALLBACK,1,[Define to 1 if you have LDAP_REBINDPROC_CALLBACK]) + AC_MSG_RESULT(yes) ], + [ AC_MSG_RESULT(no) ]) + + dnl + dnl Check for LDAP_REBIND_PROC + dnl + AC_MSG_CHECKING([for LDAP_REBIND_PROC]) + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ +# if HAVE_LDAP_H +# include +# elif HAVE_MOZLDAP_LDAP_H +# include +# endif + ]],[[ + LDAP_REBIND_PROC ldap_rebind; + ]])], + [ AC_DEFINE(HAVE_LDAP_REBIND_PROC,1,[Define to 1 if you have LDAP_REBIND_PROC]) + AC_MSG_RESULT(yes) ], + [ AC_MSG_RESULT(no) ]) + + dnl + dnl Check for LDAP_REBIND_FUNCTION + dnl + AC_MSG_CHECKING([for LDAP_REBIND_FUNCTION]) + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ +# define LDAP_REFERRALS +# if HAVE_LDAP_H +# include +# elif HAVE_MOZLDAP_LDAP_H +# include +# endif + ]],[[ + LDAP_REBIND_FUNCTION ldap_rebind; + ]])], + [ AC_DEFINE(HAVE_LDAP_REBIND_FUNCTION,1,[Define to 1 if you have LDAP_REBIND_FUNCTION]) + AC_MSG_RESULT(yes) ], + [ AC_MSG_RESULT(no) ]) + + dnl + dnl Check for LDAP_SCOPE_DEFAULT + dnl + AC_MSG_CHECKING([for LDAP_SCOPE_DEFAULT]) + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ +# if HAVE_LDAP_H +# include +# elif HAVE_MOZLDAP_LDAP_H +# include +# endif + ]],[[ + int i=LDAP_SCOPE_DEFAULT; + ]])], + [ AC_DEFINE(HAVE_LDAP_SCOPE_DEFAULT,1,[Define to 1 if you have LDAP_SCOPE_DEFAULT]) + AC_MSG_RESULT(yes) ], + [ AC_MSG_RESULT(no) ]) + + dnl + dnl Check for ldap_url_desc.lud_scheme + dnl + AC_CHECK_MEMBER(struct ldap_url_desc.lud_scheme, + 
AC_DEFINE(HAVE_LDAP_URL_LUD_SCHEME,1, + [Define to 1 if you have LDAPURLDesc.lud_scheme]),,[#include ]) + + dnl + dnl Check for ldapssl_client_init + dnl + AC_CHECK_LIB(ldap,ldapssl_client_init, + AC_DEFINE(HAVE_LDAPSSL_CLIENT_INIT,1,[Define to 1 if you have ldapssl_client_init]),) + + dnl + dnl Check for ldap_url_desc2str + dnl + AC_CHECK_LIB(ldap,ldap_url_desc2str, + AC_DEFINE(HAVE_LDAP_URL_DESC2STR,1,[Define to 1 if you have ldap_url_desc2str]),) + + dnl + dnl Check for ldap_url_parse + dnl + AC_CHECK_LIB(ldap,ldap_url_parse, + AC_DEFINE(HAVE_LDAP_URL_PARSE,1,[Define to 1 if you have ldap_url_parse]),) + + dnl + dnl Check for ldap_start_tls_s + dnl + AC_CHECK_LIB(ldap,ldap_start_tls_s, + AC_DEFINE(HAVE_LDAP_START_TLS_S,1,[Define to 1 if you have ldap_start_tls_s]),) + ;; +esac + +AC_SUBST(LDAPLIB) +AC_SUBST(LBERLIB) + AC_ARG_ENABLE(forw-via-db, AS_HELP_STRING([--enable-forw-via-db],[Enable Forw/Via database]), [ SQUID_YESNO([$enableval],[unrecognized argument to --enable-forw-via-db: $enableval]) 
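Review bot: Both the MIT and Heimdal branches gate `HAVE_ERROR_MESSAGE` on `"x$ac_com_error_message" = "xyes"`, but nothing in this hunk assigns `ac_com_error_message` — the `ac_com_error_message=no` / `AC_EGREP_HEADER(error_message,com_err.h,ac_com_error_message=yes)` probe that set it is deleted by the next hunk — so unless it is set somewhere outside this page, `HAVE_ERROR_MESSAGE` can no longer be defined; re-add that probe (with its `et/com_err.h` variant) after the `AC_CHECK_HEADERS(krb5.h com_err.h et/com_err.h)` line in each branch. The `--with-gnugss=PATH` case tests `if test ! -d "$with_gnugss/lib64"`, the inverse of the MIT and Heimdal cases, so `-L.../lib64` is added exactly when that directory is missing; drop the `!`. The GNU GSS fallback's `AC_CHECK_LIB(gss, ...)` failure reports "library 'com_err' is required for GNU Kerberos" and should name 'gss'. In the "working ldap" probe `int port;` is passed to `ldap_init` uninitialized, which is undefined behaviour even in a throwaway test program; `int port = 389;` is enough.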
@@ -1813,198 +2491,32 @@ AC_ARG_ENABLE(auth-digest, Not providing an explicit list of helpers will attempt build of all possible helpers. Default is to do so. To disable the Digest authentication scheme, use --disable-auth-digest. - To enable but build no helpers, specify "none". - To see available helpers, see the helpers/digest_auth directory. ]),[ -#nothing to do, really -]) -m4_include([helpers/digest_auth/modules.m4]) - -dnl Authentication libraries to build -dnl This list will not be needed when each auth library has its own Makefile -dnl this is to be placed AFTER each auth module's handler -AUTH_LIBS_TO_BUILD= -for module in $AUTH_MODULES; do - AUTH_LIBS_TO_BUILD="$AUTH_LIBS_TO_BUILD ${module}/lib${module}.la" -done -AC_SUBST(AUTH_MODULES) -AC_SUBST(AUTH_LIBS_TO_BUILD) - -dnl Select logging daemon helpers to build -AC_ARG_ENABLE(log-daemon-helpers, - AS_HELP_STRING([--enable-log-daemon-helpers="list of helpers"], - [This option selects which logging daemon helpers to - build and install as part of the normal build process - For a list of available helpers see the helpers/log_daemon - directory.]),[ -#nothing to do, really -]) -m4_include([helpers/log_daemon/modules.m4]) - -dnl -dnl Check Kerberos/GSSAPI/SPNEGO -dnl -SQUID_STATE_SAVE([krbsave]) - -AC_ARG_WITH(krb5-config, - AS_HELP_STRING([--with-krb5-config=PATH], - [specify path to krb5-config (default=detect)]), [ -case "$withval" in - yes) unset krb5confpath ;; - no) krb5confpath=no ;; - *) krb5confpath=$withval ;; -esac -]) -if test x"$krb5confpath" != "xno"; then - if test "x$krb5confpath" != "x"; then - if ! 
test -x "$krb5confpath"; then - AC_MSG_WARN([krb5-config '$krb5confpath' not executable, ignoring]) - AC_CHECK_PROG(ac_krb5_config, krb5-config, yes, no) - krb5confpath=krb5-config - fi - krb5_config_path=`dirname $krb5confpath` - AC_CHECK_PROG(ac_krb5_config, krb5-config, yes, no, $krb5_config_path) - else - AC_CHECK_PROG(ac_krb5_config,krb5-config,yes,no) - krb5confpath=krb5-config - fi -fi -if test "x$ac_krb5_config" = "xyes" ; then - ac_heimdal="`$krb5confpath --version 2>/dev/null | grep -i heimdal`" - ac_solaris="`$krb5confpath --version 2>/dev/null | grep -i solaris`" - if test "x$ac_heimdal" != "x" ; then - AC_DEFINE(HAVE_HEIMDAL_KERBEROS,1,[Define to 1 if you have Heimdal Kerberos]) - else - AC_DEFINE(HAVE_MIT_KERBEROS,1,[Define to 1 if you have MIT Kerberos]) - fi - if test "x$ac_solaris" != "x" ; then - KRB5INCS="`$krb5confpath --cflags krb5 2>/dev/null`" - KRB5LIBS="`$krb5confpath --libs krb5 2>/dev/null`" - KRB5INCS="-I/usr/include/gssapi $KRB5INCS" - KRB5LIBS="-L/usr/lib -R/usr/lib -lgss -lresolv -lsocket -lnsl $KRB5LIBS" - else - KRB5INCS="`$krb5confpath --cflags krb5 2>/dev/null`" - KRB5LIBS="`$krb5confpath --libs krb5 2>/dev/null`" - KRB5INCS="`$krb5confpath --cflags gssapi 2>/dev/null` $KRB5INCS" - KRB5LIBS="`$krb5confpath --libs gssapi 2>/dev/null` $KRB5LIBS" - fi - CPPFLAGS="$CPPFLAGS $KRB5INCS" - LIBS="$LIBS $KRB5LIBS" - AC_CHECK_HEADERS(gssapi.h gssapi/gssapi.h gssapi/gssapi_krb5.h) - if test "x$ac_heimdal" = "x" ; then - AC_CHECK_HEADERS(gssapi/gssapi_generic.h) - AC_CHECK_HEADERS(profile.h) - fi - - SQUID_CHECK_KRB5_SOLARIS_BROKEN_KRB5_H - if test "x$squid_cv_broken_krb5_h" = "xyes"; then - AC_DEFINE(HAVE_BROKEN_SOLARIS_KRB5_H, 1, [Define to 1 if Solaris krb5.h is broken for C++]) - AC_MSG_WARN([You have a broken Solaris system include.]) - AC_MSG_WARN([Please see http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=6837512]) - AC_MSG_WARN([If you need Kerberos support you'll have to patch]) - AC_MSG_WARN([your system. 
See contrib/solaris/solaris-krb5-include.patch]) - fi - SQUID_CHECK_KRB5_HEIMDAL_BROKEN_KRB5_H - if test "x$squid_cv_broken_heimdal_krb5_h" = "xyes"; then - AC_DEFINE(HAVE_BROKEN_HEIMDAL_KRB5_H, 1, [Define to 1 if Heimdal krb5.h is broken for C++]) - fi - AC_CHECK_HEADERS(krb5.h com_err.h et/com_err.h) - - ac_com_error_message=no - if test "x$ac_cv_header_com_err_h" = "xyes" ; then - AC_EGREP_HEADER(error_message,com_err.h,ac_com_error_message=yes) - elif test "x$ac_cv_header_et_com_err_h" = "xyes" ; then - AC_EGREP_HEADER(error_message,et/com_err.h,ac_com_error_message=yes) - fi + To enable but build no helpers, specify "none". + To see available helpers, see the helpers/digest_auth directory. ]),[ +#nothing to do, really +]) +m4_include([helpers/digest_auth/modules.m4]) - SQUID_CHECK_MAX_SKEW_IN_KRB5_CONTEXT - if test "x$squid_cv_max_skew_context" = "xyes"; then - AC_DEFINE(HAVE_MAX_SKEW_IN_KRB5_CONTEXT, 1, [Define to 1 if max_skew in struct krb5_context]) - fi +dnl Authentication libraries to build +dnl This list will not be needed when each auth library has its own Makefile +dnl this is to be placed AFTER each auth module's handler +AUTH_LIBS_TO_BUILD= +for module in $AUTH_MODULES; do + AUTH_LIBS_TO_BUILD="$AUTH_LIBS_TO_BUILD ${module}/lib${module}.la" +done +AC_SUBST(AUTH_MODULES) +AC_SUBST(AUTH_LIBS_TO_BUILD) - if test `echo $KRB5LIBS | grep -c com_err` -ne 0 -a "x$ac_com_error_message" = "xyes" ; then - AC_CHECK_LIB(com_err,error_message, - AC_DEFINE(HAVE_ERROR_MESSAGE,1, - [Define to 1 if you have error_message]),) - elif test "x$ac_com_error_message" = "xyes" ; then - AC_CHECK_LIB(krb5,error_message, - AC_DEFINE(HAVE_ERROR_MESSAGE,1, - [Define to 1 if you have error_message]),) - fi - AC_CHECK_LIB(krb5,krb5_get_err_text, - AC_DEFINE(HAVE_KRB5_GET_ERR_TEXT,1, - [Define to 1 if you have krb5_get_err_text]),) - AC_CHECK_LIB(krb5,krb5_get_error_message, - AC_DEFINE(HAVE_KRB5_GET_ERROR_MESSAGE,1, - [Define to 1 if you have krb5_get_error_message]),) - 
AC_CHECK_DECLS(krb5_kt_free_entry,,,[#include ]) - AC_CHECK_TYPE(krb5_pac, - AC_DEFINE(HAVE_KRB5_PAC,1, - [Define to 1 if you have krb5_pac]),, - [#include ]) - AC_CHECK_LIB(krb5,krb5_kt_free_entry, - AC_DEFINE(HAVE_KRB5_KT_FREE_ENTRY,1, - [Define to 1 if you have krb5_kt_free_entry]),) - AC_CHECK_LIB(krb5,krb5_get_init_creds_keytab, - AC_DEFINE(HAVE_GET_INIT_CREDS_KEYTAB,1, - [Define to 1 if you have krb5_get_init_creds_keytab]),) - AC_CHECK_LIB(krb5,krb5_get_max_time_skew, - AC_DEFINE(HAVE_KRB5_GET_MAX_TIME_SKEW,1, - [Define to 1 if you have krb5_get_max_time_skew]),) - AC_CHECK_LIB(krb5,krb5_get_profile, - AC_DEFINE(HAVE_KRB5_GET_PROFILE,1, - [Define to 1 if you have krb5_get_profile]),) - AC_CHECK_LIB(krb5,profile_get_integer, - AC_DEFINE(HAVE_PROFILE_GET_INTEGER,1, - [Define to 1 if you have profile_get_integer]),) - AC_CHECK_LIB(krb5,profile_release, - AC_DEFINE(HAVE_PROFILE_RELEASE,1, - [Define to 1 if you have profile_release]),) - AC_CHECK_LIB(krb5,krb5_get_renewed_creds, - AC_DEFINE(HAVE_KRB5_GET_RENEWED_CREDS,1, - [Define to 1 if you have krb5_get_renewed_creds]),) - AC_CHECK_LIB(krb5,krb5_principal_get_realm, - AC_DEFINE(HAVE_KRB5_PRINCIPAL_GET_REALM,1, - [Define to 1 if you have krb5_principal_get_realm]),) - AC_CHECK_LIB(krb5, krb5_get_init_creds_opt_alloc, - AC_DEFINE(HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC,1, - [Define to 1 if you have krb5_get_init_creds_opt_alloc]),) - AC_MSG_CHECKING([for krb5_get_init_creds_free requires krb5_context]) - AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ - #include - ]],[[krb5_context context; - krb5_get_init_creds_opt *options; - krb5_get_init_creds_opt_free(context, options)]])],[ - AC_DEFINE(HAVE_KRB5_GET_INIT_CREDS_FREE_CONTEXT,1, - [Define to 1 if you krb5_get_init_creds_free requires krb5_context]) - AC_MSG_RESULT(yes) - ],[AC_MSG_RESULT(no)],[AC_MSG_RESULT(no)]) - - - AC_CHECK_FUNCS(gss_map_name_to_any, - AC_DEFINE(HAVE_GSS_MAP_ANY_TO_ANY,1, - [Define to 1 if you have gss_map_name_to_any]),) - 
AC_CHECK_FUNCS(gsskrb5_extract_authz_data_from_sec_context, - AC_DEFINE(HAVE_GSSKRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT,1, - [Define to 1 if you have gsskrb5_extract_authz_data_from_sec_context]),) - - SQUID_CHECK_KRB5_CONTEXT_MEMORY_CACHE - SQUID_DEFINE_BOOL(HAVE_KRB5_MEMORY_CACHE,$squid_cv_memory_cache, - [Define if kerberos has MEMORY: cache support]) - - SQUID_CHECK_WORKING_GSSAPI - SQUID_DEFINE_BOOL(HAVE_GSSAPI,$squid_cv_working_gssapi,[GSSAPI support]) - - SQUID_CHECK_SPNEGO_SUPPORT - SQUID_DEFINE_BOOL(HAVE_SPNEGO,$squid_cv_have_spnego,[SPNEGO support]) - - SQUID_CHECK_WORKING_KRB5 - SQUID_DEFINE_BOOL(HAVE_KRB5,$squid_cv_working_krb5,[KRB5 support]) - - AC_SUBST(KRB5INCS) - AC_SUBST(KRB5LIBS) -fi -SQUID_STATE_ROLLBACK([krbsave]) -AM_CONDITIONAL(HAVE_SPNEGO, test x"$squid_cv_have_spnego" = x"yes" ) +dnl Select logging daemon helpers to build +AC_ARG_ENABLE(log-daemon-helpers, + AS_HELP_STRING([--enable-log-daemon-helpers="list of helpers"], + [This option selects which logging daemon helpers to + build and install as part of the normal build process + For a list of available helpers see the helpers/log_daemon + directory.]),[ +#nothing to do, really +]) +m4_include([helpers/log_daemon/modules.m4]) AC_ARG_ENABLE(external-acl-helpers, AS_HELP_STRING([--enable-external-acl-helpers="list of helpers"], 
@@ -2634,235 +3146,6 @@ case "$host" in ;; esac -dnl On MinGW OpenLDAP is not available, so LDAP helpers can be linked -dnl only with Windows LDAP libraries using -lwldap32 -case "$squid_host_os" in - mingw) - LDAPLIB="-lwldap32" - LBERLIB="" - ;; - *) - AC_CHECK_LIB(ldap, ldap_init, [LDAPLIB="-lldap"]) - dnl LDAP helpers need to know if -llber is needed or not - AC_CHECK_LIB(lber, ber_init, [LBERLIB="-llber"]) - dnl if no ldap lib found check for mozilla version - if test "x$ac_cv_lib_ldap_ldap_init" != x""yes; then - oLIBS=$LIBS - LIBS="$LIBPTHREADS" - AC_CHECK_LIB(ldap60, ldap_init, [LDAPLIB="-lldap60"]) - LIBS="$LDAPLIB $LIBPTHREADS" - AC_CHECK_LIB(prldap60, prldap_init, [LDAPLIB="-lprldap60 $LDAPLIB"]) - LIBS="$LDAPLIB $LIBPTHREADS" - AC_CHECK_LIB(ssldap60, ldapssl_init, [LDAPLIB="-lssldap60 $LDAPLIB"]) - LIBS=$oLIBS - fi - - AC_CHECK_HEADERS(ldap.h lber.h) - AC_CHECK_HEADERS(mozldap/ldap.h) - - dnl - dnl Check for LDAP_OPT_DEBUG_LEVEL - dnl - AC_MSG_CHECKING([for LDAP_OPT_DEBUG_LEVEL]) - AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ -# include - ]],[[ - int i=LDAP_OPT_DEBUG_LEVEL - ]])], - [ AC_MSG_RESULT(yes) ], - [ AC_MSG_RESULT(no) ]) - - dnl - dnl Check for working ldap - dnl - oLIBS=$LIBS - LIBS="$LDAPLIB $LBERLIB $LIBPTHREADS" - AC_MSG_CHECKING([for working ldap]) - AC_RUN_IFELSE([AC_LANG_SOURCE([[ -# define LDAP_DEPRECATED 1 -# if HAVE_LDAP_H -# include -# elif HAVE_MOZLDAP_LDAP_H -# include -# endif - int - main(void) - { - char host[]=""; - int port; - - ldap_init((const char *)&host, port); - - return 0; - } - ]])], - [ AC_DEFINE(HAVE_LDAP, 1, [LDAP support]) - AC_MSG_RESULT(yes) ], - [ AC_MSG_RESULT(no) ], - [ AC_MSG_RESULT(cross-compiler cant tell) ]) - LIBS=$oLIBS - - dnl - dnl Check for ldap vendor - dnl - AC_MSG_CHECKING([for OpenLDAP]) - AC_RUN_IFELSE([AC_LANG_SOURCE([[ -# if HAVE_LDAP_H -# include -# endif -# include - int - main(void) - { - return strcmp(LDAP_VENDOR_NAME,"OpenLDAP"); - } - ]])], - [ AC_DEFINE(HAVE_OPENLDAP, 1, [OpenLDAP support]) - 
AC_MSG_RESULT(yes) ], - [ AC_MSG_RESULT(no) ], - [ AC_MSG_RESULT(cross-compiler cant tell) ]) - - AC_MSG_CHECKING([for Sun LDAP SDK]) - AC_RUN_IFELSE([AC_LANG_SOURCE([[ -# if HAVE_LDAP_H -# include -# endif -# include - int - main(void) - { - return strcmp(LDAP_VENDOR_NAME,"Sun Microsystems Inc."); - } - ]])], - [ AC_DEFINE(HAVE_SUN_LDAP_SDK, 1, [Sun LDAP SDK support]) - AC_MSG_RESULT(yes) ], - [ AC_MSG_RESULT(no) ], - [ AC_MSG_RESULT(cross-compiler cant tell) ]) - - AC_MSG_CHECKING([for Mozilla LDAP SDK]) - AC_RUN_IFELSE([AC_LANG_SOURCE([[ -# if HAVE_LDAP_H -# include -# elif HAVE_MOZLDAP_LDAP_H -# include -# endif -# include - int - main(void) - { - return strcmp(LDAP_VENDOR_NAME,"mozilla.org"); - } - ]])], - [ AC_DEFINE(HAVE_MOZILLA_LDAP_SDK, 1, [Mozilla LDAP SDK support]) - AC_MSG_RESULT(yes) ], - [ AC_MSG_RESULT(no)], - [ AC_MSG_RESULT(cross-compiler cant tell) ]) - - dnl - dnl Check for LDAP_REBINDPROC_CALLBACK - dnl - AC_MSG_CHECKING([for LDAP_REBINDPROC_CALLBACK]) - AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ -# if HAVE_LDAP_H -# include -# elif HAVE_MOZLDAP_LDAP_H -# include -# endif - ]],[[ - LDAP_REBINDPROC_CALLBACK ldap_rebind; - ]])], - [ AC_DEFINE(HAVE_LDAP_REBINDPROC_CALLBACK,1,[Define to 1 if you have LDAP_REBINDPROC_CALLBACK]) - AC_MSG_RESULT(yes) ], - [ AC_MSG_RESULT(no) ]) - - dnl - dnl Check for LDAP_REBIND_PROC - dnl - AC_MSG_CHECKING([for LDAP_REBIND_PROC]) - AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ -# if HAVE_LDAP_H -# include -# elif HAVE_MOZLDAP_LDAP_H -# include -# endif - ]],[[ - LDAP_REBIND_PROC ldap_rebind; - ]])], - [ AC_DEFINE(HAVE_LDAP_REBIND_PROC,1,[Define to 1 if you have LDAP_REBIND_PROC]) - AC_MSG_RESULT(yes) ], - [ AC_MSG_RESULT(no) ]) - - dnl - dnl Check for LDAP_REBIND_FUNCTION - dnl - AC_MSG_CHECKING([for LDAP_REBIND_FUNCTION]) - AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ -# define LDAP_REFERRALS -# if HAVE_LDAP_H -# include -# elif HAVE_MOZLDAP_LDAP_H -# include -# endif - ]],[[ - LDAP_REBIND_FUNCTION ldap_rebind; - ]])], - [ 
AC_DEFINE(HAVE_LDAP_REBIND_FUNCTION,1,[Define to 1 if you have LDAP_REBIND_FUNCTION]) - AC_MSG_RESULT(yes) ], - [ AC_MSG_RESULT(no) ]) - - dnl - dnl Check for LDAP_SCOPE_DEFAULT - dnl - AC_MSG_CHECKING([for LDAP_SCOPE_DEFAULT]) - AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ -# if HAVE_LDAP_H -# include -# elif HAVE_MOZLDAP_LDAP_H -# include -# endif - ]],[[ - int i=LDAP_SCOPE_DEFAULT; - ]])], - [ AC_DEFINE(HAVE_LDAP_SCOPE_DEFAULT,1,[Define to 1 if you have LDAP_SCOPE_DEFAULT]) - AC_MSG_RESULT(yes) ], - [ AC_MSG_RESULT(no) ]) - - dnl - dnl Check for ldap_url_desc.lud_scheme - dnl - AC_CHECK_MEMBER(struct ldap_url_desc.lud_scheme, - AC_DEFINE(HAVE_LDAP_URL_LUD_SCHEME,1, - [Define to 1 if you have LDAPURLDesc.lud_scheme]),,[#include ]) - - dnl - dnl Check for ldapssl_client_init - dnl - AC_CHECK_LIB(ldap,ldapssl_client_init, - AC_DEFINE(HAVE_LDAPSSL_CLIENT_INIT,1,[Define to 1 if you have ldapssl_client_init]),) - - dnl - dnl Check for ldap_url_desc2str - dnl - AC_CHECK_LIB(ldap,ldap_url_desc2str, - AC_DEFINE(HAVE_LDAP_URL_DESC2STR,1,[Define to 1 if you have ldap_url_desc2str]),) - - dnl - dnl Check for ldap_url_parse - dnl - AC_CHECK_LIB(ldap,ldap_url_parse, - AC_DEFINE(HAVE_LDAP_URL_PARSE,1,[Define to 1 if you have ldap_url_parse]),) - - dnl - dnl Check for ldap_start_tls_s - dnl - AC_CHECK_LIB(ldap,ldap_start_tls_s, - AC_DEFINE(HAVE_LDAP_START_TLS_S,1,[Define to 1 if you have ldap_start_tls_s]),) - ;; -esac - -AC_SUBST(LDAPLIB) -AC_SUBST(LBERLIB) - dnl Check for libdb dnl this is not fully functional if db.h is for a differend db version DBLIB= diff --git a/helpers/external_acl/kerberos_ldap_group/kerberos_ldap_group.cc b/helpers/external_acl/kerberos_ldap_group/kerberos_ldap_group.cc index 73211d943c..51c0e3c65c 100644 --- a/helpers/external_acl/kerberos_ldap_group/kerberos_ldap_group.cc +++ b/helpers/external_acl/kerberos_ldap_group/kerberos_ldap_group.cc 
@@ -34,7 +34,7 @@ #include "rfc1738.h" #include "util.h" -#ifdef HAVE_LDAP +#if HAVE_LDAP #include "support.h" #include @@ -165,7 +165,6 @@ main(int argc, char *const argv[]) char *user, *domain, *group; char *up=NULL, *dp=NULL, *np=NULL; char *nuser, *nuser8 = NULL, *netbios; - char *c; int opt; struct main_args margs; @@ -296,6 +295,7 @@ main(int argc, char *const argv[]) exit(1); } while (1) { + char *c; if (fgets(buf, sizeof(buf) - 1, stdin) == NULL) { if (ferror(stdin)) { debug((char *) "%s| %s: FATAL: fgets() failed! dying..... errno=%d (%s)\n", LogTime(), PROGRAM, ferror(stdin), diff --git a/helpers/external_acl/kerberos_ldap_group/required.m4 b/helpers/external_acl/kerberos_ldap_group/required.m4 index b8414053a3..c8076adaa1 100644 --- a/helpers/external_acl/kerberos_ldap_group/required.m4 +++ b/helpers/external_acl/kerberos_ldap_group/required.m4 @@ -1,2 +1,4 @@ -AC_CHECK_HEADERS([ldap.h],[BUILD_HELPER="kerberos_ldap_group"]) -SQUID_CHECK_SASL +if test "x$with_krb5" == "xyes"; then + BUILD_HELPER="kerberos_ldap_group" + SQUID_CHECK_SASL +fi diff --git a/helpers/external_acl/kerberos_ldap_group/support.h b/helpers/external_acl/kerberos_ldap_group/support.h index 127b5340d6..38e2cd6dbe 100644 --- a/helpers/external_acl/kerberos_ldap_group/support.h +++ b/helpers/external_acl/kerberos_ldap_group/support.h @@ -47,7 +47,7 @@ extern "C" { #if HAVE_COM_ERR_H #include -#elif HAVE_HEIMDAL_KERBEROS +#elif USE_HEIMDAL_KRB5 #define error_message(code) krb5_get_err_text(kparam.context,code) #endif /* HAVE_COM_ERR_H */ @@ -162,7 +162,7 @@ size_t get_ldap_hostname_list(struct main_args *margs, struct hstruct **hlist, s size_t get_hostname_list(struct hstruct **hlist, size_t nhosts, char *name); size_t free_hostname_list(struct hstruct **hlist, size_t nhosts); -#if defined(HAVE_SASL_H) || defined(HAVE_SASL_SASL_H) || defined(HAVE_SASL_DARWIN) +#if HAVE_SASL_H || HAVE_SASL_SASL_H || HAVE_SASL_DARWIN int tool_sasl_bind(LDAP * ld, char *binddn, char *ssl); #endif 
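Review bot: `if test "x$with_krb5" == "xyes"; then` in the new required.m4 uses `==`, which POSIX `test` does not define; when the generated configure runs under dash or Solaris /bin/sh the comparison fails with "unexpected operator" and BUILD_HELPER is never set, so the helper silently drops out of the build. Use the single-equals form the surrounding configure code already uses, `if test "x$with_krb5" = "xyes"; then`. The new guard also replaces the former `AC_CHECK_HEADERS([ldap.h], ...)` test with the krb5 choice alone; unless LDAP availability is verified elsewhere (not visible in this chunk), the helper will be scheduled for build on systems without ldap.h.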
diff --git a/helpers/external_acl/kerberos_ldap_group/support_group.cc b/helpers/external_acl/kerberos_ldap_group/support_group.cc index 1b9209ce85..aab599880f 100644 --- a/helpers/external_acl/kerberos_ldap_group/support_group.cc +++ b/helpers/external_acl/kerberos_ldap_group/support_group.cc @@ -26,7 +26,7 @@ #include "squid.h" #include "util.h" -#ifdef HAVE_LDAP +#if HAVE_LDAP #include "support.h" @@ -61,10 +61,9 @@ char * utf8dup(struct main_args *margs) { size_t c = 0; - unsigned char s; size_t n; char *src; - unsigned char *p, *dupp; + unsigned char *p; src = margs->glist; if (!src) @@ -73,9 +72,11 @@ utf8dup(struct main_args *margs) if ((unsigned char) src[n] > 127) ++c; if (c != 0) { + unsigned char *dupp; p = (unsigned char *) xmalloc(strlen(src) + c); dupp = p; for (n = 0; n < strlen(src); ++n) { + unsigned char s; s = (unsigned char) src[n]; if (s > 127 && s < 192) { *p = 194; diff --git a/helpers/external_acl/kerberos_ldap_group/support_krb5.cc b/helpers/external_acl/kerberos_ldap_group/support_krb5.cc index eb0a4f9cb2..8316b085a9 100644 --- a/helpers/external_acl/kerberos_ldap_group/support_krb5.cc +++ b/helpers/external_acl/kerberos_ldap_group/support_krb5.cc @@ -25,13 +25,12 @@ #include "squid.h" #include "util.h" -#if defined(HAVE_LDAP) && defined(HAVE_KRB5) +#if HAVE_LDAP && HAVE_KRB5 #include "support.h" struct kstruct { krb5_context context; - char *mem_cache_env; krb5_ccache cc; }; 
@@ -115,12 +114,12 @@ krb5_create_cache(char *domain) principal_list = (krb5_principal *) xrealloc(principal_list, sizeof(krb5_principal) * (nprinc + 1)); krb5_copy_principal(kparam.context, entry.principal, &principal_list[nprinc++]); -#ifdef HAVE_HEIMDAL_KERBEROS +#if USE_HEIMDAL_KRB5 debug((char *) "%s| %s: DEBUG: Keytab entry has realm name: %s\n", LogTime(), PROGRAM, entry.principal->realm); #else debug((char *) "%s| %s: DEBUG: Keytab entry has realm name: %s\n", LogTime(), PROGRAM, krb5_princ_realm(kparam.context, entry.principal)->data); #endif -#ifdef HAVE_HEIMDAL_KERBEROS +#if USE_HEIMDAL_KRB5 if (!strcasecmp(domain, entry.principal->realm)) #else if (!strcasecmp(domain, krb5_princ_realm(kparam.context, entry.principal)->data)) @@ -134,7 +133,7 @@ krb5_create_cache(char *domain) found = 1; } } -#if defined(HAVE_HEIMDAL_KERBEROS) || ( defined(HAVE_KRB5_KT_FREE_ENTRY) && HAVE_DECL_KRB5_KT_FREE_ENTRY==1) +#if USE_HEIMDAL_KRB5 || ( HAVE_KRB5_KT_FREE_ENTRY && HAVE_DECL_KRB5_KT_FREE_ENTRY ) code = krb5_kt_free_entry(kparam.context, &entry); #else code = krb5_free_keytab_entry_contents(kparam.context, &entry); @@ -162,7 +161,7 @@ krb5_create_cache(char *domain) /* * prepare memory credential cache */ -#if !defined(HAVE_KRB5_MEMORY_CACHE) || defined(HAVE_SUN_LDAP_SDK) +#if !HAVE_KRB5_MEMORY_CACHE || HAVE_SUN_LDAP_SDK mem_cache = (char *) xmalloc(strlen("FILE:/tmp/squid_ldap_") + 16); snprintf(mem_cache, strlen("FILE:/tmp/squid_ldap_") + 16, "FILE:/tmp/squid_ldap_%d", (int) getpid()); #else @@ -226,7 +225,7 @@ krb5_create_cache(char *domain) } if (creds->server) krb5_free_principal(kparam.context, creds->server); -#ifdef HAVE_HEIMDAL_KERBEROS +#if USE_HEIMDAL_KRB5 service = (char *) xmalloc(strlen("krbtgt") + strlen(domain) + strlen(principal_list[i]->realm) + 3); snprintf(service, strlen("krbtgt") + strlen(domain) + strlen(principal_list[i]->realm) + 3, "krbtgt/%s@%s", domain, principal_list[i]->realm); #else 
@@ -260,7 +259,6 @@ loop_end: } - safe_free(principal_name); if (creds) krb5_free_creds(kparam.context, creds); creds = NULL; diff --git a/helpers/external_acl/kerberos_ldap_group/support_ldap.cc b/helpers/external_acl/kerberos_ldap_group/support_ldap.cc index 553770b57b..68f759b981 100644 --- a/helpers/external_acl/kerberos_ldap_group/support_ldap.cc +++ b/helpers/external_acl/kerberos_ldap_group/support_ldap.cc @@ -42,20 +42,24 @@ LDAP *tool_ldap_open(struct main_args *margs, char *host, int port, char *ssl); #define FILTER "(memberuid=%s)" #define ATTRIBUTE "cn" +#define ATTRIBUTE_DN "distinguishedName" #define FILTER_UID "(uid=%s)" #define FILTER_GID "(&(gidNumber=%s)(objectclass=posixgroup))" #define ATTRIBUTE_GID "gidNumber" +#define ATTRIBUTE_GID_AD "primaryGroupID" +#define ATTRIBUTE_SID "objectSID" #define FILTER_AD "(samaccountname=%s)" #define ATTRIBUTE_AD "memberof" size_t get_attributes(LDAP * ld, LDAPMessage * res, const char *attribute /* IN */ , char ***out_val /* OUT (caller frees) */ ); +size_t get_bin_attributes(LDAP * ld, LDAPMessage * res, const char *attribute /* IN */ , char ***out_val , int **out_len /* OUT (caller frees) */ ); int search_group_tree(struct main_args *margs, LDAP * ld, char *bindp, char *ldap_group, char *group, int depth); -#if defined(HAVE_SUN_LDAP_SDK) || defined(HAVE_MOZILLA_LDAP_SDK) -#ifdef HAVE_LDAP_REBINDPROC_CALLBACK +#if HAVE_SUN_LDAP_SDK || HAVE_MOZILLA_LDAP_SDK +#if HAVE_LDAP_REBINDPROC_CALLBACK -#if defined(HAVE_SASL_H) || defined(HAVE_SASL_SASL_H) || defined(HAVE_SASL_DARWIN) +#if HAVE_SASL_H || HAVE_SASL_SASL_H || HAVE_SASL_DARWIN static LDAP_REBINDPROC_CALLBACK ldap_sasl_rebind; static int LDAP_CALL LDAP_CALLBACK 
@@ -94,8 +98,8 @@ ldap_simple_rebind( freeit = freeit; return ldap_bind_s(ld, cp->dn, cp->pw, LDAP_AUTH_SIMPLE); } -#elif defined(HAVE_LDAP_REBIND_PROC) -#if defined(HAVE_SASL_H) || defined(HAVE_SASL_SASL_H) || defined(HAVE_SASL_DARWIN) +#elif HAVE_LDAP_REBIND_PROC +#if HAVE_SASL_H || HAVE_SASL_SASL_H || HAVE_SASL_DARWIN static LDAP_REBIND_PROC ldap_sasl_rebind; static int @@ -125,11 +129,11 @@ ldap_simple_rebind( return ldap_bind_s(ld, cp->dn, cp->pw, LDAP_AUTH_SIMPLE); } -#elif defined(HAVE_LDAP_REBIND_FUNCTION) +#elif HAVE_LDAP_REBIND_FUNCTION #ifndef LDAP_REFERRALS #define LDAP_REFERRALS #endif -#if defined(HAVE_SASL_H) || defined(HAVE_SASL_SASL_H) || defined(HAVE_SASL_DARWIN) +#if HAVE_SASL_H || HAVE_SASL_SASL_H || HAVE_SASL_DARWIN static LDAP_REBIND_FUNCTION ldap_sasl_rebind; static int @@ -172,7 +176,7 @@ ldap_simple_rebind( #error "No rebind functione defined" #endif #else /* HAVE_SUN_LDAP_SDK */ -#if defined(HAVE_SASL_H) || defined(HAVE_SASL_SASL_H) || defined(HAVE_SASL_DARWIN) +#if HAVE_SASL_H || HAVE_SASL_SASL_H || HAVE_SASL_DARWIN static LDAP_REBIND_PROC ldap_sasl_rebind; static int @@ -333,6 +337,7 @@ search_group_tree(struct main_args *margs, LDAP * ld, char *bindp, char *ldap_gr size_t max_attr = 0; char *filter = NULL; char *search_exp = NULL; + size_t se_len = 0; int rc = 0, retval = 0; int ldepth; char *ldap_filter_esc = NULL; @@ -351,8 +356,9 @@ search_group_tree(struct main_args *margs, LDAP * ld, char *bindp, char *ldap_gr ldap_filter_esc = escape_filter(ldap_group); - search_exp = (char *) xmalloc(strlen(filter) + strlen(ldap_filter_esc) + 1); - snprintf(search_exp, strlen(filter) + strlen(ldap_filter_esc) + 1, filter, ldap_filter_esc); + se_len = strlen(filter) + strlen(ldap_filter_esc) + 1; + search_exp = (char *) xmalloc(se_len); + snprintf(search_exp, se_len, filter, ldap_filter_esc); xfree(ldap_filter_esc); 
@@ -369,7 +375,6 @@ search_group_tree(struct main_args *margs, LDAP * ld, char *bindp, char *ldap_gr if (rc != LDAP_SUCCESS) { error((char *) "%s| %s: ERROR: Error searching ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); - ldap_unbind_s(ld); return 0; } debug((char *) "%s| %s: DEBUG: Found %d ldap entr%s\n", LogTime(), PROGRAM, ldap_count_entries(ld, res), ldap_count_entries(ld, res) > 1 || ldap_count_entries(ld, res) == 0 ? "ies" : "y"); @@ -449,7 +454,7 @@ int ldap_set_defaults(LDAP * ld) { int val, rc = 0; -#ifdef LDAP_OPT_NETWORK_TIMEOUT +#if LDAP_OPT_NETWORK_TIMEOUT struct timeval tv; #endif val = LDAP_VERSION3; @@ -463,7 +468,7 @@ ldap_set_defaults(LDAP * ld) debug((char *) "%s| %s: DEBUG: Error while setting referrals off: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); return rc; } -#ifdef LDAP_OPT_NETWORK_TIMEOUT +#if LDAP_OPT_NETWORK_TIMEOUT tv.tv_sec = CONNECT_TIMEOUT; tv.tv_usec = 0; rc = ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT, &tv); @@ -478,16 +483,16 @@ ldap_set_defaults(LDAP * ld) int ldap_set_ssl_defaults(struct main_args *margs) { -#if defined(HAVE_OPENLDAP) || defined(HAVE_LDAPSSL_CLIENT_INIT) +#if HAVE_OPENLDAP || HAVE_LDAPSSL_CLIENT_INIT int rc = 0; #endif -#ifdef HAVE_OPENLDAP +#if HAVE_OPENLDAP int val; -#elif defined(HAVE_LDAPSSL_CLIENT_INIT) +#elif HAVE_LDAPSSL_CLIENT_INIT char *ssl_certdbpath = NULL; #endif -#ifdef HAVE_OPENLDAP +#if HAVE_OPENLDAP if (!margs->rc_allow) { char *ssl_cacertfile = NULL; int free_path; @@ -522,7 +527,7 @@ ldap_set_ssl_defaults(struct main_args *margs) return rc; } } -#elif defined(HAVE_LDAPSSL_CLIENT_INIT) +#elif HAVE_LDAPSSL_CLIENT_INIT /* * Solaris SSL ldap calls require path to certificate database */ 
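Review bot: `#if LDAP_OPT_NETWORK_TIMEOUT` in the ldap_set_defaults hunks at -449 and -463 tests the numeric value of an option constant supplied by the LDAP SDK headers, not a 0/1 result from configure like the other HAVE_* macros converted in this commit; on an SDK whose definition expands to 0 or to a non-integer token the `struct timeval tv` declaration and the timeout call disappear (or fail to preprocess) with no diagnostic. Keep these two as `#ifdef LDAP_OPT_NETWORK_TIMEOUT`. Without the network timeout an unreachable LDAP server blocks the helper for the OS connect timeout instead of CONNECT_TIMEOUT, which stalls every request queued on it. ldap_set_defaults' body continues outside both hunks.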
@@ -556,32 +561,26 @@ size_t get_attributes(LDAP * ld, LDAPMessage * res, const char *attribute, char ***ret_value) { - LDAPMessage *msg; - char **attr_value = NULL; + char **attr_value = *ret_value; size_t max_attr = 0; - attr_value = *ret_value; /* * loop over attributes */ debug((char *) "%s| %s: DEBUG: Search ldap entries for attribute : %s\n", LogTime(), PROGRAM, attribute); - for (msg = ldap_first_entry(ld, res); msg; msg = ldap_next_entry(ld, msg)) { - - BerElement *b; - char *attr; + for (LDAPMessage *msg = ldap_first_entry(ld, res); msg; msg = ldap_next_entry(ld, msg)) { switch (ldap_msgtype(msg)) { - case LDAP_RES_SEARCH_ENTRY: - - for (attr = ldap_first_attribute(ld, msg, &b); attr; + case LDAP_RES_SEARCH_ENTRY: { + BerElement *b = NULL; + for (char *attr = ldap_first_attribute(ld, msg, &b); attr; attr = ldap_next_attribute(ld, msg, b)) { if (strcasecmp(attr, attribute) == 0) { struct berval **values; - int il; if ((values = ldap_get_values_len(ld, msg, attr)) != NULL) { - for (il = 0; values[il] != NULL; ++il) { + for (int il = 0; values[il] != NULL; ++il) { attr_value = (char **) xrealloc(attr_value, (max_attr + 1) * sizeof(char *)); if (!attr_value) 
@@ -598,7 +597,73 @@ get_attributes(LDAP * ld, LDAPMessage * res, const char *attribute, char ***ret_ ldap_memfree(attr); } ber_free(b, 0); + } + break; + case LDAP_RES_SEARCH_REFERENCE: + debug((char *) "%s| %s: DEBUG: Received a search reference message\n", LogTime(), PROGRAM); + break; + case LDAP_RES_SEARCH_RESULT: + debug((char *) "%s| %s: DEBUG: Received a search result message\n", LogTime(), PROGRAM); + break; + default: break; + } + } + + debug((char *) "%s| %s: DEBUG: %" PRIuSIZE " ldap entr%s found with attribute : %s\n", LogTime(), PROGRAM, max_attr, max_attr > 1 || max_attr == 0 ? "ies" : "y", attribute); + + *ret_value = attr_value; + return max_attr; +} + +size_t +get_bin_attributes(LDAP * ld, LDAPMessage * res, const char *attribute, char ***ret_value, int **ret_len) +{ + + char **attr_value = *ret_value; + int *attr_len = *ret_len; + size_t max_attr = 0; + + /* + * loop over attributes + */ + debug((char *) "%s| %s: DEBUG: Search ldap entries for attribute : %s\n", LogTime(), PROGRAM, attribute); + for ( LDAPMessage *msg = ldap_first_entry(ld, res); msg; msg = ldap_next_entry(ld, msg)) { + + switch (ldap_msgtype(msg)) { + + case LDAP_RES_SEARCH_ENTRY: { + BerElement *b = NULL; + for (char *attr = ldap_first_attribute(ld, msg, &b); attr; + attr = ldap_next_attribute(ld, msg, b)) { + if (strcasecmp(attr, attribute) == 0) { + struct berval **values; + + if ((values = ldap_get_values_len(ld, msg, attr)) != NULL) { + for (int il = 0; values[il] != NULL; ++il) { + + attr_value = (char **) xrealloc(attr_value, (max_attr + 1) * sizeof(char *)); + if (!attr_value) + break; + + attr_len = (int *) xrealloc(attr_len, (max_attr + 1) * sizeof(int)); + if (!attr_len) + break; + + attr_value[max_attr] = (char *) xmalloc(values[il]->bv_len + 1); + memcpy(attr_value[max_attr], values[il]->bv_val, values[il]->bv_len); + attr_value[max_attr][values[il]->bv_len] = 0; + attr_len[max_attr]=values[il]->bv_len; + max_attr++; + } + } + ber_bvecfree(values); + } + 
ldap_memfree(attr); + } + ber_free(b, 0); + } + break; case LDAP_RES_SEARCH_REFERENCE: debug((char *) "%s| %s: DEBUG: Received a search reference message\n", LogTime(), PROGRAM); break; @@ -613,6 +678,7 @@ get_attributes(LDAP * ld, LDAPMessage * res, const char *attribute, char ***ret_ debug((char *) "%s| %s: DEBUG: %" PRIuSIZE " ldap entr%s found with attribute : %s\n", LogTime(), PROGRAM, max_attr, max_attr > 1 || max_attr == 0 ? "ies" : "y", attribute); *ret_value = attr_value; + *ret_len = attr_len; return max_attr; } @@ -623,7 +689,7 @@ LDAP * tool_ldap_open(struct main_args * margs, char *host, int port, char *ssl) { LDAP *ld; -#ifdef HAVE_OPENLDAP +#if HAVE_OPENLDAP LDAPURLDesc *url = NULL; char *ldapuri = NULL; #endif @@ -633,10 +699,10 @@ tool_ldap_open(struct main_args * margs, char *host, int port, char *ssl) * Use ldap open here to check if TCP connection is possible. If possible use it. * (Not sure if this is the best way) */ -#ifdef HAVE_OPENLDAP +#if HAVE_OPENLDAP url = (LDAPURLDesc *) xmalloc(sizeof(*url)); memset(url, 0, sizeof(*url)); -#ifdef HAVE_LDAP_URL_LUD_SCHEME +#if HAVE_LDAP_URL_LUD_SCHEME if (ssl) url->lud_scheme = xstrdup("ldaps"); else @@ -644,14 +710,14 @@ tool_ldap_open(struct main_args * margs, char *host, int port, char *ssl) #endif url->lud_host = xstrdup(host); url->lud_port = port; -#ifdef HAVE_LDAP_SCOPE_DEFAULT +#if HAVE_LDAP_SCOPE_DEFAULT url->lud_scope = LDAP_SCOPE_DEFAULT; #else url->lud_scope = LDAP_SCOPE_SUBTREE; #endif -#ifdef HAVE_LDAP_URL_DESC2STR +#if HAVE_LDAP_URL_DESC2STR ldapuri = ldap_url_desc2str(url); -#elif defined(HAVE_LDAP_URL_PARSE) +#elif HAVE_LDAP_URL_PARSE rc = ldap_url_parse(ldapuri, &url); if (rc != LDAP_SUCCESS) { error((char *) "%s| %s: ERROR: Error while parsing url: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); @@ -693,7 +759,7 @@ tool_ldap_open(struct main_args * margs, char *host, int port, char *ssl) ld = NULL; return NULL; } -#ifdef HAVE_OPENLDAP +#if HAVE_OPENLDAP /* * Use tls if possible */ 
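Review bot: `attr_len[max_attr]=values[il]->bv_len;` in the new get_bin_attributes narrows `ber_len_t` (unsigned long) into `int` with no check, and the objectSID caller then reads that array as a signed `int len`, so an oversized or malformed binary attribute from the directory comes back as a negative or truncated length that the later `len < 4` guard cannot catch. Either change the out-parameter to `size_t **ret_len` (and the prototype `int **out_len` near the top of the file) or skip values with `values[il]->bv_len > INT_MAX` before copying. The function also has no header comment; a short one along the lines of `/* Binary variant of get_attributes(): appends each value (NUL-padded) and its length to the caller-owned out arrays; caller frees */` would document the ownership the code relies on.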
@@ -704,19 +770,19 @@ tool_ldap_open(struct main_args * margs, char *host, int port, char *ssl) ld = NULL; url = (LDAPURLDesc *) xmalloc(sizeof(*url)); memset(url, 0, sizeof(*url)); -#ifdef HAVE_LDAP_URL_LUD_SCHEME +#if HAVE_LDAP_URL_LUD_SCHEME url->lud_scheme = xstrdup("ldaps"); #endif url->lud_host = xstrdup(host); url->lud_port = port; -#ifdef HAVE_LDAP_SCOPE_DEFAULT +#if HAVE_LDAP_SCOPE_DEFAULT url->lud_scope = LDAP_SCOPE_DEFAULT; #else url->lud_scope = LDAP_SCOPE_SUBTREE; #endif -#ifdef HAVE_LDAP_URL_DESC2STR +#if HAVE_LDAP_URL_DESC2STR ldapuri = ldap_url_desc2str(url); -#elif defined(HAVE_LDAP_URL_PARSE) +#elif HAVE_LDAP_URL_PARSE rc = ldap_url_parse(ldapuri, &url); if (rc != LDAP_SUCCESS) { error((char *) "%s| %s: ERROR: Error while parsing url: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); @@ -744,7 +810,7 @@ tool_ldap_open(struct main_args * margs, char *host, int port, char *ssl) return NULL; } } -#elif defined(HAVE_LDAPSSL_CLIENT_INIT) +#elif HAVE_LDAPSSL_CLIENT_INIT ld = ldapssl_init(host, port, 1); if (!ld) { error((char *) "%s| %s: ERROR: Error while setting SSL for ldap server: %s\n", LogTime(), PROGRAM, ldapssl_err2string(rc)); @@ -774,13 +840,14 @@ get_memberof(struct main_args *margs, char *user, char *domain, char *group) { LDAP *ld = NULL; LDAPMessage *res; -#ifndef HAVE_SUN_LDAP_SDK +#if !HAVE_SUN_LDAP_SDK int ldap_debug = 0; #endif struct ldap_creds *lcreds = NULL; char *bindp = NULL; char *filter = NULL; char *search_exp; + size_t se_len = 0; struct timeval searchtime; int rc = 0, kc = 1; int retval; @@ -798,7 +865,7 @@ get_memberof(struct main_args *margs, char *user, char *domain, char *group) if (domain) { debug((char *) "%s| %s: DEBUG: Setup Kerberos credential cache\n", LogTime(), PROGRAM); -#ifdef HAVE_KRB5 +#if HAVE_KRB5 kc = krb5_create_cache(domain); if (kc) { error((char *) "%s| %s: ERROR: Error during setup of Kerberos credential cache\n", LogTime(), PROGRAM); 
@@ -809,14 +876,14 @@ get_memberof(struct main_args *margs, char *user, char *domain, char *group) #endif } - if (kc && (!margs->lurl || !margs->luser | !margs->lpass)) { + if (kc && (!margs->lurl || !margs->luser || !margs->lpass)) { /* * If Kerberos fails and no url given exit here */ retval = 0; goto cleanup; } -#ifndef HAVE_SUN_LDAP_SDK +#if !HAVE_SUN_LDAP_SDK /* * Initialise ldap */ @@ -850,7 +917,7 @@ get_memberof(struct main_args *margs, char *user, char *domain, char *group) * ldap bind with SASL/GSSAPI authentication (only possible if a domain was part of the username) */ -#if defined(HAVE_SASL_H) || defined(HAVE_SASL_SASL_H) || defined(HAVE_SASL_DARWIN) +#if HAVE_SASL_H || HAVE_SASL_SASL_H || HAVE_SASL_DARWIN debug((char *) "%s| %s: DEBUG: Bind to ldap server with SASL/GSSAPI\n", LogTime(), PROGRAM); rc = tool_sasl_bind(ld, bindp, margs->ssl); @@ -860,7 +927,7 @@ get_memberof(struct main_args *margs, char *user, char *domain, char *group) ld = NULL; continue; } - lcreds = (ldap_creds *) xmalloc(sizeof(struct ldap_creds)); + lcreds = (struct ldap_creds *) xmalloc(sizeof(struct ldap_creds)); lcreds->dn = NULL; lcreds->pw = margs->ssl ? xstrdup(margs->ssl) : NULL; ldap_set_rebind_proc(ld, ldap_sasl_rebind, (char *) lcreds); @@ -925,7 +992,7 @@ get_memberof(struct main_args *margs, char *user, char *domain, char *group) ld = NULL; continue; } - lcreds = (ldap_creds *) xmalloc(sizeof(struct ldap_creds)); + lcreds = (struct ldap_creds *) xmalloc(sizeof(struct ldap_creds)); lcreds->dn = xstrdup(margs->luser); lcreds->pw = xstrdup(margs->lpass); ldap_set_rebind_proc(ld, ldap_simple_rebind, (char *) lcreds); 
@@ -968,8 +1035,9 @@ get_memberof(struct main_args *margs, char *user, char *domain, char *group) ldap_filter_esc = escape_filter(user); - search_exp = (char *) xmalloc(strlen(filter) + strlen(ldap_filter_esc) + 1); - snprintf(search_exp, strlen(filter) + strlen(ldap_filter_esc) + 1, filter, ldap_filter_esc); + se_len = strlen(filter) + strlen(ldap_filter_esc) + 1; + search_exp = (char *) xmalloc(se_len); + snprintf(search_exp, se_len, filter, ldap_filter_esc); xfree(ldap_filter_esc); @@ -1075,17 +1143,21 @@ get_memberof(struct main_args *margs, char *user, char *domain, char *group) retval = 0; } - if (!margs->AD && retval == 0) { + if (retval == 0) { /* * Check for primary Group membership */ debug((char *) "%s| %s: DEBUG: Search for primary group membership: \"%s\"\n", LogTime(), PROGRAM, group); - filter = (char *) FILTER_UID; + if (margs->AD) + filter = (char *) FILTER_AD; + else + filter = (char *) FILTER_UID; ldap_filter_esc = escape_filter(user); - search_exp = (char *) xmalloc(strlen(filter) + strlen(ldap_filter_esc) + 1); - snprintf(search_exp, strlen(filter) + strlen(ldap_filter_esc) + 1, filter, ldap_filter_esc); + se_len = strlen(filter) + strlen(ldap_filter_esc) + 1; + search_exp = (char *) xmalloc(se_len); + snprintf(search_exp, se_len, filter, ldap_filter_esc); xfree(ldap_filter_esc); 
@@ -1097,29 +1169,107 @@ get_memberof(struct main_args *margs, char *user, char *domain, char *group) debug((char *) "%s| %s: DEBUG: Found %d ldap entr%s\n", LogTime(), PROGRAM, ldap_count_entries(ld, res), ldap_count_entries(ld, res) > 1 || ldap_count_entries(ld, res) == 0 ? "ies" : "y"); - max_attr = get_attributes(ld, res, ATTRIBUTE_GID, &attr_value); + max_attr = 0; + if (!rc) { + if (margs->AD) + max_attr = get_attributes(ld, res, ATTRIBUTE_GID_AD, &attr_value); + else + max_attr = get_attributes(ld, res, ATTRIBUTE_GID, &attr_value); + } if (max_attr == 1) { char **attr_value_2 = NULL; size_t max_attr_2 = 0; - ldap_msgfree(res); - filter = (char *) FILTER_GID; + if (margs->AD) { + char **attr_value_3 = NULL; + int *attr_len_3 = NULL; + size_t max_attr_3 = 0; + uint32_t gid=atoi(attr_value[0]); + + /* Get objectsid and search for group + * with objectsid = domain(objectsid) + primarygroupid */ + debug((char *) "%s| %s: DEBUG: Got primaryGroupID %u\n", LogTime(), PROGRAM, gid); + max_attr_3 = get_bin_attributes(ld, res, ATTRIBUTE_SID, &attr_value_3, &attr_len_3); + ldap_msgfree(res); + if (max_attr_3 == 1) { + int len=attr_len_3[0]; + if (len < 4) { + debug((char *) "%s| %s: ERROR: Length %d is too short for objectSID\n", LogTime(), PROGRAM, len); + rc = 1; + } else { + char *se=NULL; + attr_value_3[0][len-1]=((gid>>24) & 0xff); + attr_value_3[0][len-2]=((gid>>16) & 0xff); + attr_value_3[0][len-3]=((gid>>8) & 0xff); + attr_value_3[0][len-4]=((gid>>0) & 0xff); + +#define FILTER_SID_1 "(objectSID=" +#define FILTER_SID_2 ")" + + se_len = strlen(FILTER_SID_1) + len*3 + strlen(FILTER_SID_2) + 1; + search_exp = (char *) xmalloc(se_len); + snprintf(search_exp, se_len, "%s", FILTER_SID_1 ); + + for (int j=0; j 1 || ldap_count_entries(ld, res) == 0 ? 
"ies" : "y"); - xfree(ldap_filter_esc); + } + } else { + rc = 1; + } + if (attr_value_3) { + size_t j; + for (j = 0; j < max_attr_3; ++j) { + xfree(attr_value_3[j]); + } + safe_free(attr_value_3); + } + if (attr_len_3) { + xfree(attr_len_3); + } + } else { + ldap_msgfree(res); + filter = (char *) FILTER_GID; + + ldap_filter_esc = escape_filter(attr_value[0]); + + se_len = strlen(filter) + strlen(ldap_filter_esc) + 1; + search_exp = (char *) xmalloc(se_len); + snprintf(search_exp, se_len, filter, ldap_filter_esc); - debug((char *) "%s| %s: DEBUG: Search ldap server with bind path %s and filter: %s\n", LogTime(), PROGRAM, bindp, search_exp); - rc = ldap_search_ext_s(ld, bindp, LDAP_SCOPE_SUBTREE, - search_exp, NULL, 0, - NULL, NULL, &searchtime, 0, &res); - xfree(search_exp); + xfree(ldap_filter_esc); - max_attr_2 = get_attributes(ld, res, ATTRIBUTE, &attr_value_2); + debug((char *) "%s| %s: DEBUG: Search ldap server with bind path %s and filter: %s\n", LogTime(), PROGRAM, bindp, search_exp); + rc = ldap_search_ext_s(ld, bindp, LDAP_SCOPE_SUBTREE, + search_exp, NULL, 0, + NULL, NULL, &searchtime, 0, &res); + xfree(search_exp); + } + + if (!rc) { + if (margs->AD) + max_attr_2 = get_attributes(ld, res, ATTRIBUTE_DN, &attr_value_2); + else + max_attr_2 = get_attributes(ld, res, ATTRIBUTE, &attr_value_2); + ldap_msgfree(res); + } else { + ldap_msgfree(res); + } /* * Compare group names */ @@ -1127,6 +1277,13 @@ get_memberof(struct main_args *margs, char *user, char *domain, char *group) if (max_attr_2 == 1) { /* Compare first CN= value assuming it is the same as the group name itself */ char *av = attr_value_2[0]; + if (!strncasecmp("CN=", av, 3)) { + char *avp = NULL; + av += 3; + if ((avp = strchr(av, ','))) { + *avp = '\0'; + } + } if (!strcasecmp(group, av)) { retval = 1; debug((char *) "%s| %s: DEBUG: \"%s\" matches group name \"%s\"\n", LogTime(), PROGRAM, av, group); 
@@ -1134,6 +1291,34 @@ get_memberof(struct main_args *margs, char *user, char *domain, char *group) debug((char *) "%s| %s: DEBUG: \"%s\" does not match group name \"%s\"\n", LogTime(), PROGRAM, av, group); } + /* + * Do recursive group search for AD only since posixgroups can not contain other groups + */ + if (!retval && margs->AD) { + if (debug_enabled && max_attr_2 > 0) { + debug((char *) "%s| %s: DEBUG: Perform recursive group search\n", LogTime(), PROGRAM); + } + for (size_t j = 0; j < max_attr_2; ++j) { + char *av = NULL; + + av = attr_value_2[j]; + if (search_group_tree(margs, ld, bindp, av, group, 1)) { + retval = 1; + if (!strncasecmp("CN=", av, 3)) { + char *avp = NULL; + av += 3; + if ((avp = strchr(av, ','))) { + *avp = '\0'; + } + } + if (debug_enabled) { + debug((char *) "%s| %s: DEBUG: Entry %" PRIuSIZE " group \"%s\" is (in)direct member of group \"%s\"\n", LogTime(), PROGRAM, j + 1, av, group); + } else { + break; + } + } + } + } /* * Cleanup */ @@ -1144,7 +1329,6 @@ get_memberof(struct main_args *margs, char *user, char *domain, char *group) } safe_free(attr_value_2); } - ldap_msgfree(res); debug((char *) "%s| %s: DEBUG: Users primary group %s %s\n", LogTime(), PROGRAM, retval ? "matches" : "does not match", group); @@ -1169,7 +1353,7 @@ get_memberof(struct main_args *margs, char *user, char *domain, char *group) } debug((char *) "%s| %s: DEBUG: Unbind ldap server\n", LogTime(), PROGRAM); cleanup: -#ifdef HAVE_KRB5 +#if HAVE_KRB5 if (domain) krb5_cleanup(); #endif diff --git a/helpers/external_acl/kerberos_ldap_group/support_log.cc b/helpers/external_acl/kerberos_ldap_group/support_log.cc index f63ae400f3..bc6074904f 100644 --- a/helpers/external_acl/kerberos_ldap_group/support_log.cc +++ b/helpers/external_acl/kerberos_ldap_group/support_log.cc @@ -24,7 +24,7 @@ #include "squid.h" -#ifdef HAVE_LDAP +#if HAVE_LDAP #include "support.h" #include 
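Review bot: Whether the loop over `attr_value_2` stops after the first (in)direct match depends on `debug_enabled`: with debugging on, `search_group_tree` is still called for every remaining entry purely so the result can be logged, so a debug run issues a different and potentially much larger number of LDAP queries than a production run, which makes a query-volume or latency problem hard to reproduce with logging enabled. Log the hit and leave the loop unconditionally, e.g. `if (debug_enabled) { debug(...); } break;`, or make the exhaustive walk an explicit option rather than a side effect of the debug flag. get_memberof starts and ends outside this hunk.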
diff --git a/helpers/external_acl/kerberos_ldap_group/support_lserver.cc b/helpers/external_acl/kerberos_ldap_group/support_lserver.cc index 29e2932595..7ae6077d39 100644 --- a/helpers/external_acl/kerberos_ldap_group/support_lserver.cc +++ b/helpers/external_acl/kerberos_ldap_group/support_lserver.cc @@ -25,7 +25,7 @@ #include "squid.h" #include "util.h" -#ifdef HAVE_LDAP +#if HAVE_LDAP #include "support.h" struct lsstruct *init_ls(void); diff --git a/helpers/external_acl/kerberos_ldap_group/support_member.cc b/helpers/external_acl/kerberos_ldap_group/support_member.cc index cbd0ca9cc8..47687d8e78 100644 --- a/helpers/external_acl/kerberos_ldap_group/support_member.cc +++ b/helpers/external_acl/kerberos_ldap_group/support_member.cc @@ -25,7 +25,7 @@ #include "squid.h" #include "util.h" -#ifdef HAVE_LDAP +#if HAVE_LDAP #include "support.h" diff --git a/helpers/external_acl/kerberos_ldap_group/support_netbios.cc b/helpers/external_acl/kerberos_ldap_group/support_netbios.cc index 86b5eb3d0e..5254d4ee6f 100644 --- a/helpers/external_acl/kerberos_ldap_group/support_netbios.cc +++ b/helpers/external_acl/kerberos_ldap_group/support_netbios.cc @@ -25,7 +25,7 @@ #include "squid.h" #include "util.h" -#ifdef HAVE_LDAP +#if HAVE_LDAP #include "support.h" diff --git a/helpers/external_acl/kerberos_ldap_group/support_resolv.cc b/helpers/external_acl/kerberos_ldap_group/support_resolv.cc index 93e1d49981..47f7908776 100644 --- a/helpers/external_acl/kerberos_ldap_group/support_resolv.cc +++ b/helpers/external_acl/kerberos_ldap_group/support_resolv.cc @@ -25,20 +25,20 @@ #include "squid.h" #include "util.h" -#ifdef HAVE_LDAP +#if HAVE_LDAP #include "support.h" #include -#ifdef HAVE_NETDB_H +#if HAVE_NETDB_H #include #endif -#ifdef HAVE_NETINET_IN_H +#if HAVE_NETINET_IN_H #include #endif -#ifdef HAVE_RESOLV_H +#if HAVE_RESOLV_H #include #endif -#ifdef HAVE_ARPA_NAMESER_H +#if HAVE_ARPA_NAMESER_H #include #endif 
diff --git a/helpers/external_acl/kerberos_ldap_group/support_sasl.cc b/helpers/external_acl/kerberos_ldap_group/support_sasl.cc index a3ca2fffcc..12f31d01da 100644 --- a/helpers/external_acl/kerberos_ldap_group/support_sasl.cc +++ b/helpers/external_acl/kerberos_ldap_group/support_sasl.cc @@ -25,15 +25,15 @@ #include "squid.h" #include "util.h" -#ifdef HAVE_LDAP +#if HAVE_LDAP #include "support.h" -#ifdef HAVE_SASL_H +#if HAVE_SASL_H #include -#elif defined(HAVE_SASL_SASL_H) +#elif HAVE_SASL_SASL_H #include -#elif defined(HAVE_SASL_DARWIN) +#elif HAVE_SASL_DARWIN typedef struct sasl_interact { unsigned long id; /* same as client/user callback ID */ const char *challenge; /* presented to user (e.g. OTP challenge) */ @@ -52,7 +52,7 @@ typedef struct sasl_interact { #define SASL_CB_LIST_END 0 /* end of list */ #endif -#if defined(HAVE_SASL_H) || defined(HAVE_SASL_SASL_H) || defined(HAVE_SASL_DARWIN) +#if HAVE_SASL_H || HAVE_SASL_SASL_H || HAVE_SASL_DARWIN void *lutil_sasl_defaults( LDAP * ld, char *mech, @@ -216,7 +216,7 @@ tool_sasl_bind(LDAP * ld, char *binddn, char *ssl) /* * Avoid SASL messages */ -#ifdef HAVE_SUN_LDAP_SDK +#if HAVE_SUN_LDAP_SDK unsigned sasl_flags = LDAP_SASL_INTERACTIVE; #else unsigned sasl_flags = LDAP_SASL_QUIET; diff --git a/helpers/negotiate_auth/kerberos/negotiate_kerberos.h b/helpers/negotiate_auth/kerberos/negotiate_kerberos.h index 0ecac334d6..e18318b814 100644 --- a/helpers/negotiate_auth/kerberos/negotiate_kerberos.h +++ b/helpers/negotiate_auth/kerberos/negotiate_kerberos.h @@ -58,13 +58,25 @@ extern "C" { #endif #endif /* HAVE_KRB5_H */ +#if USE_HEIMDAL_KRB5 +#if HAVE_GSSAPI_GSSAPI_H +#include +#elif HAVE_GSSAPI_H +#include +#endif +#if HAVE_GSSAPI_GSSAPI_KRB5_H +#include +#endif +#elif USE_GNUGSS +#if HAVE_GSS_H +#include +#endif +#else #if HAVE_GSSAPI_GSSAPI_H #include #elif HAVE_GSSAPI_H #include #endif - -#if !HAVE_HEIMDAL_KERBEROS #if HAVE_GSSAPI_GSSAPI_KRB5_H #include #endif 
@@ -74,10 +86,6 @@ extern "C" { #if HAVE_GSSAPI_GSSAPI_EXT_H #include #endif -#else -#if HAVE_GSSAPI_GSSAPI_KRB5_H -#include -#endif #endif #ifndef gss_nt_service_name @@ -119,7 +127,7 @@ int check_gss_err(OM_uint32 major_status, OM_uint32 minor_status, char *gethost_name(void); -#if (defined(HAVE_GSSKRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT) || defined(HAVE_GSS_MAP_NAME_TO_ANY)) && HAVE_KRB5_PAC +#if (HAVE_GSSKRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT || HAVE_GSS_MAP_NAME_TO_ANY) && HAVE_KRB5_PAC #define HAVE_PAC_SUPPORT 1 #define MAX_PAC_GROUP_SIZE 200*60 typedef struct { diff --git a/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.cc b/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.cc index d9fea871f2..8621281b45 100644 --- a/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.cc +++ b/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.cc @@ -149,7 +149,7 @@ main(int argc, char *const argv[]) krb5_context context = NULL; krb5_error_code ret; krb5_pac pac; -#if HAVE_HEIMDAL_KERBEROS +#if USE_HEIMDAL_KRB5 gss_buffer_desc data_set = GSS_C_EMPTY_BUFFER; #else gss_buffer_desc type_id = GSS_C_EMPTY_BUFFER; @@ -396,7 +396,7 @@ main(int argc, char *const argv[]) #if HAVE_PAC_SUPPORT ret = krb5_init_context(&context); if (!check_k5_err(context, "krb5_init_context", ret)) { -#if HAVE_HEIMDAL_KERBEROS +#if USE_HEIMDAL_KRB5 #define ADWIN2KPAC 128 major_status = gsskrb5_extract_authz_data_from_sec_context(&minor_status, gss_context, ADWIN2KPAC, &data_set); diff --git a/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth_test.cc b/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth_test.cc index f5d358e2db..4208b0fb75 100644 --- a/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth_test.cc +++ b/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth_test.cc 
@@ -42,13 +42,22 @@ #include "base64.h" #include "util.h" +#if USE_HEIMDAL_KRB5 +#if HAVE_GSSAPI_GSSAPI_H +#include +#elif HAVE_GSSAPI_H +#include +#endif +#elif USE_GNUGSS +#if HAVE_GSS_H +#include +#endif +#else #if HAVE_GSSAPI_GSSAPI_H #include #elif HAVE_GSSAPI_H #include #endif - -#if !HAVE_HEIMDAL_KERBEROS #if HAVE_GSSAPI_GSSAPI_KRB5_H #include #endif diff --git a/helpers/negotiate_auth/kerberos/negotiate_kerberos_pac.cc b/helpers/negotiate_auth/kerberos/negotiate_kerberos_pac.cc index 29382a9cd5..5e4ce62b08 100644 --- a/helpers/negotiate_auth/kerberos/negotiate_kerberos_pac.cc +++ b/helpers/negotiate_auth/kerberos/negotiate_kerberos_pac.cc @@ -355,7 +355,7 @@ get_ad_groups(char *ad_groups, krb5_context context, krb5_pac pac) char **Rids=NULL; int l=0; - ad_data = (krb5_data *)xmalloc(sizeof(krb5_data)); + ad_data = (krb5_data *)xcalloc(1,sizeof(krb5_data)); #define KERB_LOGON_INFO 1 ret = krb5_pac_get_buffer(context, pac, KERB_LOGON_INFO, ad_data); diff --git a/helpers/negotiate_auth/kerberos/required.m4 b/helpers/negotiate_auth/kerberos/required.m4 index 3191a8ea1c..b8bc9d8a52 100755 --- a/helpers/negotiate_auth/kerberos/required.m4 +++ b/helpers/negotiate_auth/kerberos/required.m4 @@ -1,2 +1,3 @@ -# FIXME: use other kerberos library checks from main configure.ac -AC_CHECK_HEADERS([gssapi/gssapi.h gssapi.h kerberosV/gssapi.h],[BUILD_HELPER="kerberos"]) +if test "x$with_krb5" == "xyes"; then + BUILD_HELPER="kerberos" +fi diff --git a/src/peer_proxy_negotiate_auth.cc b/src/peer_proxy_negotiate_auth.cc index 0098581a7c..e895158feb 100644 --- a/src/peer_proxy_negotiate_auth.cc +++ b/src/peer_proxy_negotiate_auth.cc @@ -61,6 +61,7 @@ extern "C" { #elif HAVE_GSSAPI_H #include #endif /* HAVE_GSSAPI_H */ +#if !USE_HEIMDAL_KRB5 #if HAVE_GSSAPI_GSSAPI_EXT_H #include #endif /* HAVE_GSSAPI_GSSAPI_EXT_H */ 
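Review bot: `if test "x$with_krb5" == "xyes"; then` uses `==`, which POSIX `test` does not define; under dash or another non-bash `/bin/sh` the comparison fails with an "unexpected operator" error and the helper is silently never selected, so use the single `=`: `if test "x$with_krb5" = "xyes"; then`. Note also that `--with-krb5=/some/prefix` leaves `with_krb5` set to a path rather than `yes`, so unless the rewritten configure.ac (not in this chunk) normalizes the variable, the helper is not built for prefix-style invocations; a check such as `test "x$with_krb5" != "xno"` would cover both forms.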
@@ -70,15 +71,16 @@ extern "C" { #if HAVE_GSSAPI_GSSAPI_GENERIC_H #include #endif /* HAVE_GSSAPI_GSSAPI_GENERIC_H */ +#endif /* !USE_HEIMDAL_KRB5 */ #ifndef gss_nt_service_name #define gss_nt_service_name GSS_C_NT_HOSTBASED_SERVICE #endif -#if !HAVE_ERROR_MESSAGE && HAVE_KRB5_GET_ERR_TEXT -#define error_message(code) krb5_get_err_text(kparam.context,code) -#elif !HAVE_ERROR_MESSAGE && HAVE_KRB5_GET_ERROR_MESSAGE +#if !HAVE_ERROR_MESSAGE && HAVE_KRB5_GET_ERR_MESSAGE #define error_message(code) krb5_get_error_message(kparam.context,code) +#elif !HAVE_ERROR_MESSAGE && HAVE_KRB5_GET_ERROR_TEXT +#define error_message(code) krb5_get_err_text(kparam.context,code) #elif !HAVE_ERROR_MESSAGE static char err_code[17]; const char *KRB5_CALLCONV @@ -94,7 +96,7 @@ extern "C" { gss_OID gss_mech_spnego = &_gss_mech_spnego; #endif -#if HAVE_NAS_KERBEROS +#if USE_IBM_KERBEROS #include const char *KRB5_CALLCONV error_message(long code) { char *msg = NULL; @@ -210,7 +212,7 @@ extern "C" { static krb5_keytab_entry entry; static krb5_kt_cursor cursor; static krb5_creds *creds = NULL; -#if HAVE_HEIMDAL_KERBEROS && !HAVE_KRB5_GET_RENEWED_CREDS +#if USE_HEIMDAL_KRB5 && !HAVE_KRB5_GET_RENEWED_CREDS static krb5_creds creds2; #endif static krb5_principal principal = NULL; @@ -226,7 +228,7 @@ extern "C" { #if HAVE_PROFILE_H && HAVE_KRB5_GET_PROFILE && HAVE_PROFILE_GET_INTEGER && HAVE_PROFILE_RELEASE profile_t profile; #endif -#if HAVE_HEIMDAL_KERBEROS && !HAVE_KRB5_GET_RENEWED_CREDS +#if USE_HEIMDAL_KRB5 && !HAVE_KRB5_GET_RENEWED_CREDS krb5_kdc_flags flags; #if HAVE_KRB5_PRINCIPAL_GET_REALM const char *client_realm; 
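Review bot: The reordered `error_message` guards look cross-wired: `krb5_get_error_message` is now selected by `HAVE_KRB5_GET_ERR_MESSAGE` and `krb5_get_err_text` by `HAVE_KRB5_GET_ERROR_TEXT`, whereas the removed lines (and the usual `AC_CHECK_FUNCS` naming) used `HAVE_KRB5_GET_ERROR_MESSAGE` and `HAVE_KRB5_GET_ERR_TEXT`. Unless the rewritten configure.ac (not in this chunk) defines exactly these names, both branches evaluate to 0 and every build falls through to the `#elif !HAVE_ERROR_MESSAGE` `err_code` fallback, so the peer-authentication log loses the library's error text for Kerberos failures; suggest `#if !HAVE_ERROR_MESSAGE && HAVE_KRB5_GET_ERROR_MESSAGE` and `#elif !HAVE_ERROR_MESSAGE && HAVE_KRB5_GET_ERR_TEXT`. Preferring `krb5_get_error_message` over the deprecated `krb5_get_err_text` is the right order.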
@@ -329,9 +331,9 @@ restart: error_message(code)); return (1); } -#elif HAVE_KRB5_GET_MAX_TIME_SKEW && HAVE_HEIMDAL_KERBEROS +#elif USE_HEIMDAL_KRB5 && HAVE_KRB5_GET_MAX_TIME_SKEW skew = krb5_get_max_time_skew(kparam.context); -#elif HAVE_MAX_SKEW_IN_KRB5_CONTEXT && HAVE_HEIMDAL_KERBEROS +#elif USE_HEIMDAL_KRB5 && HAVE_MAX_SKEW_IN_KRB5_CONTEXT skew = kparam.context->max_skew; #else skew = DEFAULT_SKEW; @@ -384,7 +386,7 @@ restart: error_message(code)); return (1); } -#if HAVE_HEIMDAL_KERBEROS || ( HAVE_KRB5_KT_FREE_ENTRY && HAVE_DECL_KRB5_KT_FREE_ENTRY) +#if USE_HEIMDAL_KRB5 || ( HAVE_KRB5_KT_FREE_ENTRY && HAVE_DECL_KRB5_KT_FREE_ENTRY) code = krb5_kt_free_entry(kparam.context, &entry); #else code = krb5_free_keytab_entry_contents(kparam.context, &entry); diff --git a/tools/squidclient/gssapi_support.h b/tools/squidclient/gssapi_support.h index 5b43922d79..f4b9135c5b 100644 --- a/tools/squidclient/gssapi_support.h +++ b/tools/squidclient/gssapi_support.h @@ -3,13 +3,23 @@ #if HAVE_GSSAPI + +#if USE_HEIMDAL_KRB5 +#if HAVE_GSSAPI_GSSAPI_H +#include +#elif HAVE_GSSAPI_H +#include +#endif /* HAVE_GSSAPI_GSSAPI_H/HAVE_GSSAPI_H */ +#elif USE_GNUGSS +#if HAVE_GSS_H +#include +#endif +#else #if HAVE_GSSAPI_GSSAPI_H #include #elif HAVE_GSSAPI_H #include #endif /* HAVE_GSSAPI_GSSAPI_H/HAVE_GSSAPI_H */ - -#if !HAVE_HEIMDAL_KERBEROS #if HAVE_GSSAPI_GSSAPI_KRB5_H #include #endif