From dceda1b67dbc7583c145855b7ea74c1f44879985 Mon Sep 17 00:00:00 2001
From: serassio <>
Date: Wed, 20 Feb 2008 03:14:49 +0000
Subject: [PATCH] Author: Klaubert Herr <klaubert@gmail.com> Patch to strip
 kerberos realm from username

This patch add a new option to squid_ldap_group to strip kerberos realm from
username received from squid.
This is useful when you make kerberos authentication on squid, and try to
authorize the user using ldap in MS Active Directory, quering for
sAMAccountName.
---
 helpers/external_acl/ldap_group/squid_ldap_group.8 |  4 ++++
 helpers/external_acl/ldap_group/squid_ldap_group.c | 13 ++++++++++++-
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/helpers/external_acl/ldap_group/squid_ldap_group.8 b/helpers/external_acl/ldap_group/squid_ldap_group.8
index 543285ad87..a15fc8cc4d 100644
--- a/helpers/external_acl/ldap_group/squid_ldap_group.8
+++ b/helpers/external_acl/ldap_group/squid_ldap_group.8
@@ -152,6 +152,10 @@ Specify time limit on LDAP search operations
 Strip NT domain name component from user names (/ or \\ separated)
 .
 .TP
+.BI -K
+Strip Kerberos Realm component from user names (@ separated)
+.
+.TP
 .BI -d
 Debug mode where each step taken will get reported in detail.
 Useful for understanding what goes wrong if the results is
diff --git a/helpers/external_acl/ldap_group/squid_ldap_group.c b/helpers/external_acl/ldap_group/squid_ldap_group.c
index 11e90d6c61..938053fdfb 100644
--- a/helpers/external_acl/ldap_group/squid_ldap_group.c
+++ b/helpers/external_acl/ldap_group/squid_ldap_group.c
@@ -217,6 +217,7 @@ main(int argc, char **argv)
     int port = LDAP_PORT;
     int use_extension_dn = 0;
     int strip_nt_domain = 0;
+    int strip_kerberos_realm = 0;
     int err = 0;
 
     setbuf(stdout, NULL);
@@ -372,6 +373,9 @@ main(int argc, char **argv)
 	case 'S':
 	    strip_nt_domain = 1;
 	    break;
+	case 'K':
+	    strip_kerberos_realm = 1;
+	    break;
 	default:
 	    fprintf(stderr, PROGRAM_NAME " ERROR: Unknown command line option '%c'\n", option);
 	    exit(1);
@@ -426,6 +430,7 @@ main(int argc, char **argv)
 #endif
 	fprintf(stderr, "\t-g\t\t\tfirst query parameter is base DN extension\n\t\t\t\tfor this query\n");
 	fprintf(stderr, "\t-S\t\t\tStrip NT domain from usernames\n");
+	fprintf(stderr, "\t-K\t\t\tStrip Kerberos realm from usernames\n");
 	fprintf(stderr, "\n");
 	fprintf(stderr, "\tIf you need to bind as a user to perform searches then use the\n\t-D binddn -w bindpasswd or -D binddn -W secretfile options\n\n");
 	exit(1);
@@ -471,6 +476,12 @@ main(int argc, char **argv)
 	    if (u && u[1])
 		user = u + 1;
 	}
+	if (strip_kerberos_realm) {
+	    char *u = strchr(user, '@');
+	    if (u != NULL) {
+		*u = '\0';
+	    }
+	}
 	if (use_extension_dn) {
 	    extension_dn = strtok(NULL, " \n");
 	    if (!extension_dn) {
@@ -785,7 +796,7 @@ searchLDAP(LDAP * ld, char *group, char *login, char *extension_dn)
 }
 
 
-int 
+int
 readSecret(const char *filename)
 {
     char buf[BUFSIZ];
-- 
2.47.2