Polish Kerberos PAC detection (#2330)
authorAmos Jeffries <yadij@users.noreply.github.com>
Thu, 25 Dec 2025 15:11:28 +0000 (15:11 +0000)
committerSquid Anubis <squid-anubis@squid-cache.org>
Sun, 28 Dec 2025 02:42:53 +0000 (02:42 +0000)
PAC is only used with GSSAPI, no need to detect unless GSSAPI is
also found to be working.

Shuffle build-time predefine logic into autoconf to set
HAVE_KRB5_PAC_SUPPORT when needed.

AC_CHECK_FUNC automatically defines the HAVE_function. No need
to do that ourselves.

Also fixes unused HAVE_GSS_MAP_ANY_TO_ANY which looks like a
typo of the tested *_name_to_any().

acinclude/krb5.m4
src/auth/negotiate/kerberos/negotiate_kerberos.h
src/auth/negotiate/kerberos/negotiate_kerberos_auth.cc
src/auth/negotiate/kerberos/negotiate_kerberos_pac.cc

index 0cb709896bf65c696e3193d4dbe56a4fcedc9b03..3624b6b2eb59d927e0e91a620b33152dac93dd47 100644 (file)
@@ -88,6 +88,16 @@ int main(int argc, char *argv[])
   ])
 ])
 
+dnl check for PAC requirements
+AC_DEFUN([SQUID_CHECK_KRB5_PAC_SUPPORT],[
+  AC_CHECK_TYPE(krb5_pac,[
+    AC_CHECK_FUNC(gss_map_name_to_any)
+    AC_CHECK_FUNC(gsskrb5_extract_authz_data_from_sec_context)
+    AS_IF([test "x$ac_cv_func_gss_map_name_to_any" = "xyes" -o "x$ac_cv_func_gsskrb5_extract_authz_data_from_sec_context" = "xyes"],[
+      AC_DEFINE(HAVE_KRB5_PAC_SUPPORT,1,[Define to 1 if kerberos has PAC support])
+    ])
+  ],,[#include <krb5.h>])
+])
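Review bot: The two `AC_CHECK_FUNC` (singular) calls in the new SQUID_CHECK_KRB5_PAC_SUPPORT macro only set `ac_cv_func_*` and run the action arguments; they do not define a `HAVE_function` symbol — that is what `AC_CHECK_FUNCS` (plural) does, which is the form the two checks removed later in this file used. The `AS_IF` branch reads the cache variables directly, so `HAVE_KRB5_PAC_SUPPORT` is still set correctly, but any source that still tests `HAVE_GSS_MAP_NAME_TO_ANY` or `HAVE_GSSKRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT` (I cannot see from this diff whether either remains referenced) now silently evaluates to false, which would drop a PAC group-extraction path without any configure-time signal. Using `AC_CHECK_FUNCS(gss_map_name_to_any)` and `AC_CHECK_FUNCS(gsskrb5_extract_authz_data_from_sec_context)` keeps those defines available and matches what the commit message describes. Separately, `-o` inside `test` on the `AS_IF` condition is listed as non-portable by the Autoconf manual; `test "x$ac_cv_func_gss_map_name_to_any" = "xyes" || test "x$ac_cv_func_gsskrb5_extract_authz_data_from_sec_context" = "xyes"` avoids it.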
 
 dnl checks that gssapi is ok, and sets squid_cv_working_gssapi accordingly
 AC_DEFUN([SQUID_CHECK_WORKING_GSSAPI], [
@@ -121,7 +131,8 @@ main(void)
         return 0;
 }
   ]])],  [ squid_cv_working_gssapi=yes ], [ squid_cv_working_gssapi=no ], [:])])
-  AS_IF([test "x$squid_cv_working_gssapi" = "xno" -a `echo $LIBS | grep -i -c "(-)L"` -gt 0],[
+  AS_IF([test "x$squid_cv_working_gssapi" = "xyes"],[SQUID_CHECK_KRB5_PAC_SUPPORT],
+  [test "x$squid_cv_working_gssapi" = "xno" -a `echo $LIBS | grep -i -c "(-)L"` -gt 0],[
     AC_MSG_NOTICE([Check Runtime library path !])
   ])
 ])
@@ -225,10 +236,6 @@ AC_DEFUN([SQUID_CHECK_KRB5_FUNCS],[
     AC_DEFINE(HAVE_KRB5_FREE_ERROR_STRING,1,
       [Define to 1 if you have krb5_free_error_string]),)
   AC_CHECK_DECLS(krb5_kt_free_entry,,,[#include <krb5.h>])
-  AC_CHECK_TYPE(krb5_pac,
-    AC_DEFINE(HAVE_KRB5_PAC,1,
-      [Define to 1 if you have krb5_pac]),,
-      [#include <krb5.h>])
   AC_CHECK_LIB(krb5,krb5_kt_free_entry,
     AC_DEFINE(HAVE_KRB5_KT_FREE_ENTRY,1,
       [Define to 1 if you have krb5_kt_free_entry]),)
@@ -267,13 +274,6 @@ AC_DEFUN([SQUID_CHECK_KRB5_FUNCS],[
     ],[AC_MSG_RESULT(no)],[AC_MSG_RESULT(no)])
   SQUID_STATE_ROLLBACK(squid_krb5_test)
 
-  AC_CHECK_FUNCS(gss_map_name_to_any,
-    AC_DEFINE(HAVE_GSS_MAP_ANY_TO_ANY,1,
-      [Define to 1 if you have gss_map_name_to_any]),)
-  AC_CHECK_FUNCS(gsskrb5_extract_authz_data_from_sec_context,
-    AC_DEFINE(HAVE_GSSKRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT,1,
-      [Define to 1 if you have gsskrb5_extract_authz_data_from_sec_context]),)
-
   SQUID_CHECK_KRB5_CONTEXT_MEMORY_CACHE
   SQUID_DEFINE_BOOL(HAVE_KRB5_MEMORY_CACHE,$squid_cv_memory_cache,
        [Define if kerberos has MEMORY: cache support])
index d70e919f138be355828fac8fcd00f05a435a251c..f290874f07367ff366132d354f4c95e73bc6115e 100644 (file)
@@ -112,9 +112,7 @@ int check_gss_err(OM_uint32 major_status, OM_uint32 minor_status,
 
 char *gethost_name(void);
 
-#if (HAVE_GSSKRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT || HAVE_GSS_MAP_NAME_TO_ANY) && HAVE_KRB5_PAC
-#define HAVE_PAC_SUPPORT 1
-
+#if HAVE_KRB5_PAC_SUPPORT
 /**
 * MAX_PAC_GROUP_SIZE limits the string length, wherein group membership per
 * authenticated user is reported back to Squid, to a reasonable number
@@ -148,9 +146,8 @@ char *xstrcpy( char *src, const char*dst);
 char *xstrcat( char *src, const char*dst);
 int checkustr(RPC_UNICODE_STRING *string);
 char *get_ad_groups(char *ad_groups, krb5_context context, krb5_pac pac);
-#else
-#define HAVE_PAC_SUPPORT 0
-#endif
+#endif /* HAVE_KRB5_PAC_SUPPORT */
+
 int check_k5_err(krb5_context context, const char *msg, krb5_error_code code);
 
 #endif /* SQUID_SRC_AUTH_NEGOTIATE_KERBEROS_NEGOTIATE_KERBEROS_H */
index acce0b0ee289066e84fc877c1fc830b3b5f038e8..95d906a72b6209b794eeb9c4af42a3209cb48956 100644 (file)
@@ -324,7 +324,7 @@ main(int argc, char *const argv[])
     char *c, *p;
     char *user = nullptr;
     char *rfc_user = nullptr;
-#if HAVE_PAC_SUPPORT
+#if HAVE_KRB5_PAC_SUPPORT
     char ad_groups[MAX_PAC_GROUP_SIZE];
     char *ag=nullptr;
     krb5_pac pac;
@@ -333,7 +333,7 @@ main(int argc, char *const argv[])
 #else
     gss_buffer_desc type_id = GSS_C_EMPTY_BUFFER;
 #endif
-#endif
+#endif /* HAVE_KRB5_PAC_SUPPORT */
     krb5_context context = nullptr;
     krb5_error_code ret;
     long length = 0;
@@ -750,7 +750,7 @@ main(int argc, char *const argv[])
                 *p = '\0';
             }
 
-#if HAVE_PAC_SUPPORT
+#if HAVE_KRB5_PAC_SUPPORT
             ret = krb5_init_context(&context);
             if (!check_k5_err(context, "krb5_init_context", ret)) {
 #if HAVE_LIBHEIMDAL_KRB5
@@ -782,13 +782,15 @@ main(int argc, char *const argv[])
             if (ag) {
                 debug((char *) "%s| %s: DEBUG: Groups %s\n", LogTime(), PROGRAM, ag);
             }
-#endif
+#endif /* HAVE_KRB5_PAC_SUPPORT */
+
             rfc_user = rfc1738_escape(user);
-#if HAVE_PAC_SUPPORT
+#if HAVE_KRB5_PAC_SUPPORT
             fprintf(stdout, "OK token=%s user=%s %s\n", token, rfc_user, ag?ag:"group=");
 #else
             fprintf(stdout, "OK token=%s user=%s\n", token, rfc_user);
-#endif
+#endif /* HAVE_KRB5_PAC_SUPPORT */
+
             debug((char *) "%s| %s: DEBUG: OK token=%s user=%s\n", LogTime(), PROGRAM, token, rfc_user);
             if (log)
                 fprintf(stderr, "%s| %s: INFO: User %s authenticated\n", LogTime(),
@@ -825,11 +827,11 @@ main(int argc, char *const argv[])
                 *p = '\0';
             }
             rfc_user = rfc1738_escape(user);
-#if HAVE_PAC_SUPPORT
+#if HAVE_KRB5_PAC_SUPPORT
             fprintf(stdout, "OK token=%s user=%s %s\n", "AA==", rfc_user, ag?ag:"group=");
 #else
             fprintf(stdout, "OK token=%s user=%s\n", "AA==", rfc_user);
-#endif
+#endif /* HAVE_KRB5_PAC_SUPPORT */
             debug((char *) "%s| %s: DEBUG: OK token=%s user=%s\n", LogTime(), PROGRAM, "AA==", rfc_user);
             if (log)
                 fprintf(stderr, "%s| %s: INFO: User %s authenticated\n", LogTime(),
index 0403fcfd7d978e5e47f68d0c81971dc9a9a7b7d7..cbf382e6eecc4596cf090206ed1cb8a01600922e 100644 (file)
@@ -40,7 +40,7 @@
 
 #include "negotiate_kerberos.h"
 
-#if HAVE_GSSAPI && HAVE_PAC_SUPPORT
+#if HAVE_GSSAPI && HAVE_KRB5_PAC_SUPPORT
 
 #define LOGON_EXTRA_SIDS 0x0020
 #define LOGON_RESOURCE_GROUPS 0x0200
@@ -649,5 +649,5 @@ k5clean:
     krb5_free_data(context, ad_data);
     return nullptr;
 }
-#endif
 
+#endif /* HAVE_GSSAPI && HAVE_KRB5_PAC_SUPPORT */