[OpenAFS] PTS lookup via LDAP or apache2

Matthew Loar mloar2@uiuc.edu
Mon, 4 Sep 2006 05:56:50 -0500



Chris Huebsch <chris.huebsch@informatik.tu-chemnitz.de> wrote:
> > On Mon, 4 Sep 2006, Chris Huebsch wrote:
> >> Some time ago, I wrote a pam module called pam_afs_groups and an 
> >> Apache module mod_auth_afs_group (with the help of Thomas Mueller).
> >
> > Perhaps I should explain the usage of both modules...
> 

I have made some modifications to the apache module which I have
attached in a patch.

I have added an option AuthAFSGROUP_StripRealm which, when on, truncates the
authenticated user name at the first '@' (dropping the Kerberos realm and
anything after it) before the PTS lookup.  Note that I have not thoroughly
thought through the security ramifications of this: once the realm is gone, a
principal such as user@OTHER.REALM is looked up as the bare name "user" and so
inherits that local user's group memberships, which is why it should only be
turned on when the authentication module in front of this one accepts
principals from a single realm.  It defaults to off.

I have changed all references to HTTP_UNAUTHORIZED to HTTP_FORBIDDEN.
Despite the name, HTTP_UNAUTHORIZED (401) is not what we want.  It really
means "unauthenticated": it tells the browser "I require credentials / the
credentials you sent are invalid", whereas HTTP_FORBIDDEN (403) means the
credentials were accepted but do not permit this request.  Since the client
HAS authenticated by the time the request reaches this module, returning 401
is wrong.  In cases where the authentication mechanism is not
username/password (e.g. SPNEGO), a 401 causes smarter browsers (IE) to
display an error message, whereas stupid browsers (Firefox) keep sending the
same ticket back to the server over and over again.

Note that this patch contains some formatting fixes.  I would have
edited them out of the patch, but decided to sleep instead.

Matt Loar

------=_NextPart_001_007F_01C6CFE6.EA631EB0
Content-Type: text/plain;
	name="mod_auth_afs_group.patch"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
	filename="mod_auth_afs_group.patch"

--- mod_auth_afs_group.c	2004-10-17 15:47:19.000000000 -0500=0A=
+++ mod_auth_afs_group.c	2006-09-04 05:22:40.897849405 -0500=0A=
@@ -109,27 +109,28 @@=0A=
 =0A=
 typedef struct {=0A=
   int=0A=
-    validate, 	/* HTTP_UNAUTHORIZED if we=0A=
-		   can't find the group. =0A=
-		   (default to 0) */=0A=
+    validate, 	/* HTTP_FORBIDDEN if we=0A=
+                   can't find the group. =0A=
+                   (default to 0) */=0A=
+    strip, /* strip Kerberos realm? (default to 0) */=0A=
     enabled;	/* 1 to use mod_auth_afs_group, 0 otherwise=0A=
-	   	  (defaults to 1) */=0A=
+                 (defaults to 1) */=0A=
 } auth_afs_group_dir_config;=0A=
 =0A=
 static=0A=
 int auth_afs_group_init(=0A=
-	apr_pool_t *p,=0A=
-	apr_pool_t *plog,=0A=
-	apr_pool_t *ptemp,=0A=
-	server_rec *s=0A=
-)=0A=
+    apr_pool_t *p,=0A=
+    apr_pool_t *plog,=0A=
+    apr_pool_t *ptemp,=0A=
+    server_rec *s=0A=
+    )=0A=
 {=0A=
   ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,"GROUP: =
mod_auth_afs_group/" VERSION);=0A=
 =0A=
   return OK;=0A=
 }=0A=
 =0A=
-static=0A=
+  static=0A=
 void* create_auth_afs_group_dir_config(apr_pool_t *p, char *dummy)=0A=
 {=0A=
   auth_afs_group_dir_config *new =3D=0A=
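Review bot: The `+  static` line re-indents the storage-class specifier by two columns while the `void* create_auth_afs_group_dir_config(...)` line below it stays at column 0, so the two halves of one definition no longer line up; the same shift is applied to `afs_group_check_auth` further down. Since the rest of the patch is presented as formatting cleanup, this reads as a stray edit rather than a fix. Keep `static` at column 0, matching the `static command_rec auth_afs_group_cmds[]` and `static void afs_group_register_hooks` definitions in the same file.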
@@ -137,24 +138,32 @@=0A=
 =0A=
   new->validate	      =3D 0; /* off */=0A=
   new->enabled	      =3D 1; /* on */=0A=
+  new->strip  	      =3D 0; /* off */=0A=
   return new;=0A=
 }=0A=
 =0A=
 static command_rec auth_afs_group_cmds[] =3D {=0A=
 =0A=
   AP_INIT_FLAG("AuthAFSGROUP_ValidateGroups", =0A=
-	ap_set_flag_slot, =0A=
-     (void *)APR_OFFSETOF(auth_afs_group_dir_config, validate), =0A=
-	OR_AUTHCFG,=0A=
-    "on|off - determines if existence of AFS-Groups is checked;"=0A=
-    "(default is off.)"),=0A=
+      ap_set_flag_slot, =0A=
+      (void *)APR_OFFSETOF(auth_afs_group_dir_config, validate), =0A=
+      OR_AUTHCFG,=0A=
+      "on|off - determines if existence of AFS-Groups is checked;"=0A=
+      "(default is off.)"),=0A=
+=0A=
+  AP_INIT_FLAG("AuthAFSGROUP_StripRealm", =0A=
+      ap_set_flag_slot, =0A=
+      (void *)APR_OFFSETOF(auth_afs_group_dir_config, strip), =0A=
+      OR_AUTHCFG,=0A=
+      "on|off - determines if Kerberos realm is stripped from username =
before lookup;"=0A=
+      "(default is off.)"),=0A=
 =0A=
   AP_INIT_FLAG("AuthAFSGROUP_Enabled", =0A=
-	ap_set_flag_slot, =0A=
-     (void *)APR_OFFSETOF(auth_afs_group_dir_config, enabled), =0A=
-	OR_AUTHCFG,=0A=
-    "on|off - determines if AFS-GROUP authentication is enabled; ("=0A=
-    "default is on.)" ),=0A=
+      ap_set_flag_slot, =0A=
+      (void *)APR_OFFSETOF(auth_afs_group_dir_config, enabled), =0A=
+      OR_AUTHCFG,=0A=
+      "on|off - determines if AFS-GROUP authentication is enabled; ("=0A=
+      "default is on.)" ),=0A=
 =0A=
   { NULL }=0A=
 };=0A=
@@ -172,16 +181,17 @@=0A=
 =0A=
 =0A=
 =0A=
-static=0A=
+  static=0A=
 int afs_group_check_auth (request_rec *r)=0A=
 {=0A=
   register int i =3D 0;=0A=
   int sumflag =3D 0, method_restricted =3D 0, code =3D 0;=0A=
   char *line =3D 0;=0A=
+  char *realmdelim =3D 0;=0A=
   auth_afs_group_dir_config *conf =3D =0A=
-	(auth_afs_group_dir_config*) ap_get_module_config(=0A=
-		r->per_dir_config, &auth_afs_group_module);=0A=
-  =0A=
+    (auth_afs_group_dir_config*) ap_get_module_config(=0A=
+                                                      =
r->per_dir_config, &auth_afs_group_module);=0A=
+=0A=
   /* check for allowed users/group */=0A=
   const apr_array_header_t *reqs_arr =3D ap_requires (r);=0A=
   require_line *reqs =3D 0;=0A=
@@ -190,9 +200,22 @@=0A=
   if (!conf->enabled)=0A=
     return DECLINED;=0A=
 =0A=
+  if(conf->strip)=0A=
+  {=0A=
+    realmdelim =3D strchr(r->user, '@');=0A=
+    if(realmdelim)=0A=
+    {=0A=
+      realmdelim[0] =3D '\0';=0A=
+    }=0A=
+  }=0A=
+=0A=
   /* if any valid user suffices return success */=0A=
   if (!reqs_arr)=0A=
+  {=0A=
+    if(realmdelim)=0A=
+      realmdelim[0] =3D '@';=0A=
     return (OK);=0A=
+  }=0A=
 =0A=
   /* otherwise */=0A=
   reqs =3D (require_line*)reqs_arr->elts;=0A=
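Review bot: `realmdelim = strchr(r->user, '@');` runs with no NULL check on `r->user`, although the module itself guards with `&& (r->user)` before the `pr_IsAMemberOf` call in a later hunk, so with StripRealm on a request that reaches this hook without a user would dereference NULL; at minimum make it `if(conf->strip && r->user)`. Writing `'\0'` into `r->user` and restoring the `'@'` on every return path is also fragile: a return added later, or one missed now, leaves REMOTE_USER truncated for the rest of the request, and until the restore every other reader of `r->user` sees the stripped name. Taking a pool copy for the PTS lookup removes both the in-place write and all the restores; the `pr_IsAMemberOf(r->user, ...)` call and the two debug/warning log lines would then use `ptsuser`. Separately, the strip discards the realm without comparing it to anything, so if the authentication module accepts principals from more than one realm they all collapse onto one local PTS name; comparing the suffix against an expected realm, or at least logging it, would be safer than silently dropping it. afs_group_check_auth begins in an earlier hunk and continues after this one.
```c
  /* Name handed to the PT server: a pool copy, so r->user is never modified. */
  const char *ptsuser = r->user;
  if (conf->strip && r->user) {
    const char *at = strchr(r->user, '@');
    if (at)
      ptsuser = apr_pstrmemdup(r->pool, r->user, at - r->user);
  }
  /* … unchanged: reqs_arr / reqs handling, without the realmdelim restores … */
```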
@@ -201,7 +224,10 @@=0A=
 =0A=
   if (code) {=0A=
     ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "AFS-GROUP: No =
connection to PT-Server.");=0A=
-    return HTTP_UNAUTHORIZED;=0A=
+=0A=
+    if(realmdelim)=0A=
+      realmdelim[0] =3D '@';=0A=
+    return HTTP_INTERNAL_SERVER_ERROR;=0A=
   }=0A=
   /*  loop over requirement lines */=0A=
   for( i =3D 0; i < reqs_arr->nelts; i++) {=0A=
@@ -215,47 +241,53 @@=0A=
 =0A=
       if(!strcmp(type, "afsgroup") && (r->user)) {=0A=
 =0A=
-	while (*line) {=0A=
-	  char* groupname =3D ap_getword_conf(r->pool, (const char**)&line);=0A=
+        while (*line) {=0A=
+          char* groupname =3D ap_getword_conf(r->pool, (const =
char**)&line);=0A=
           code =3D pr_IsAMemberOf (r->user, groupname, &flag);=0A=
-  ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "testing %s %s", r->user, =
groupname);=0A=
-	   =0A=
+          ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "testing %s %s", =
r->user, groupname);=0A=
+=0A=
           switch(code) {=0A=
             case 0:  sumflag =3D sumflag || flag; break;=0A=
             case PRBADARG: =0A=
-              ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "AFS-GROUP: No =
such group %s.", groupname);=0A=
-              if (conf->validate) {=0A=
-                 return HTTP_UNAUTHORIZED;=0A=
-              }=0A=
-              break; =0A=
+                     ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, =
"AFS-GROUP: No such group %s.", groupname);=0A=
+                     if (conf->validate) {=0A=
+                       if(realmdelim)=0A=
+                         realmdelim[0] =3D '@';=0A=
+                       return HTTP_FORBIDDEN;=0A=
+                     }=0A=
+                     break; =0A=
             default: =0A=
-              ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "AFS-GROUP: =
Generic error %d.", code);=0A=
-              break;=0A=
+                     ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, =
"AFS-GROUP: Generic error %d.", code);=0A=
+                     break;=0A=
           }=0A=
-	}=0A=
+        }=0A=
       } /* end if group */=0A=
     } /* method mask */=0A=
   }=0A=
 =0A=
   pr_End();=0A=
 =0A=
-  ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "In the end %d", sumflag);=0A=
+  ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "In the end %d", =
sumflag);=0A=
+=0A=
+  if(realmdelim)=0A=
+    realmdelim[0] =3D '@';=0A=
+=0A=
   if (!method_restricted)=0A=
     return OK;=0A=
 =0A=
   if (sumflag)=0A=
     return OK;=0A=
 =0A=
-  ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "AFS-GROUP: %s not in =
required group(s).",r->user);=0A=
+  ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, "AFS-GROUP: %s not in =
required group(s).",r->user);=0A=
 =0A=
   ap_note_basic_auth_failure (r);=0A=
-  return HTTP_UNAUTHORIZED;=0A=
+  return HTTP_FORBIDDEN;=0A=
 }=0A=
 =0A=
 static void afs_group_register_hooks(apr_pool_t *p)=0A=
 {  =0A=
-    ap_hook_post_config(auth_afs_group_init, NULL, NULL, =
APR_HOOK_MIDDLE);=0A=
-    =
ap_hook_auth_checker(afs_group_check_auth,NULL,NULL,APR_HOOK_MIDDLE);=0A=
+  ap_hook_post_config(auth_afs_group_init, NULL, NULL, APR_HOOK_MIDDLE);=0A=
+  ap_hook_auth_checker(afs_group_check_auth,NULL,NULL,APR_HOOK_MIDDLE);=0A=
 =0A=
 }   =0A=
 =0A=
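Review bot: `ap_note_basic_auth_failure (r);` is still called immediately before the new `return HTTP_FORBIDDEN;`, but that helper exists to attach the Basic `WWW-Authenticate` challenge that accompanies a 401; on a 403 the header carries no meaning, and when the front-end authentication is SPNEGO it advertises Basic authentication to a client that was never meant to use it, which is exactly the browser behaviour the switch to 403 is trying to avoid. Drop the call so the not-in-group path is just the warning log line followed by `return HTTP_FORBIDDEN;`, matching the PRBADARG branch above, which already returns 403 without it. The rest of the switch looks sound: a non-PRBADARG error from `pr_IsAMemberOf` is logged and leaves `sumflag` untouched, so the request still ends in a deny unless the method is unrestricted. afs_group_check_auth starts in an earlier hunk.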

------=_NextPart_001_007F_01C6CFE6.EA631EB0--

------=_NextPart_000_007E_01C6CFE6.EA631EB0
Content-Type: application/x-pkcs7-signature;
	name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
	filename="smime.p7s"

MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIIvzCCAkcw
ggGwoAMCAQICAw/hHzANBgkqhkiG9w0BAQQFADBiMQswCQYDVQQGEwJaQTElMCMGA1UEChMcVGhh
d3RlIENvbnN1bHRpbmcgKFB0eSkgTHRkLjEsMCoGA1UEAxMjVGhhd3RlIFBlcnNvbmFsIEZyZWVt
YWlsIElzc3VpbmcgQ0EwHhcNMDUxMTE3MTQyMjA4WhcNMDYxMTE3MTQyMjA4WjBBMR8wHQYDVQQD
ExZUaGF3dGUgRnJlZW1haWwgTWVtYmVyMR4wHAYJKoZIhvcNAQkBFg9tbG9hcjJAdWl1Yy5lZHUw
gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJp5iB7Q0iI384L6m7icGuMgqZtMHhEWskQ+p4Ru
2LHsQCgKF6eA7An5RzJi3d6qG/jIwrN7PklJEXb/RBuckfIEMOHMU9Uvu4ULX2NX+HMdkT4yeimk
EGcwRZ56e0KQYS6X6BndVc//Q4hnaP0goV+KKzHfGpDBOupEU7xzxNXRAgMBAAGjLDAqMBoGA1Ud
EQQTMBGBD21sb2FyMkB1aXVjLmVkdTAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBBAUAA4GBAJT/
rbMX7R4hm9B988Ilg+OK/PWzWQku6+eBe86gtmVoafMvCBeu7050RstkGnOrYtVxaekQdMwzVeAf
mTGNaTMwnW8g1DpRep5TtU8moU27SnDRumFby62JEabCC/SsLafV/3qIy4vTbe5J0y08/PpeiXTF
K+aPIa4tK5yN6nvqMIIDLTCCApagAwIBAgIBADANBgkqhkiG9w0BAQQFADCB0TELMAkGA1UEBhMC
WkExFTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJQ2FwZSBUb3duMRowGAYDVQQKExFU
aGF3dGUgQ29uc3VsdGluZzEoMCYGA1UECxMfQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lv
bjEkMCIGA1UEAxMbVGhhd3RlIFBlcnNvbmFsIEZyZWVtYWlsIENBMSswKQYJKoZIhvcNAQkBFhxw
ZXJzb25hbC1mcmVlbWFpbEB0aGF3dGUuY29tMB4XDTk2MDEwMTAwMDAwMFoXDTIwMTIzMTIzNTk1
OVowgdExCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUg
VG93bjEaMBgGA1UEChMRVGhhd3RlIENvbnN1bHRpbmcxKDAmBgNVBAsTH0NlcnRpZmljYXRpb24g
U2VydmljZXMgRGl2aXNpb24xJDAiBgNVBAMTG1RoYXd0ZSBQZXJzb25hbCBGcmVlbWFpbCBDQTEr
MCkGCSqGSIb3DQEJARYccGVyc29uYWwtZnJlZW1haWxAdGhhd3RlLmNvbTCBnzANBgkqhkiG9w0B
AQEFAAOBjQAwgYkCgYEA1GnX1LCUZFtx6UfYDFG26nKRsIRefS0Nj3sS34UldSh0OkIsYyeflXtL
734Zhx2G6qPduc6WZBrCFG5ErHzmj+hND3EfQDimAKOHePb5lIZererAXnbr2RSjXW56fAylS1V/
Bhkpf56aJtVquzgkCGqYx7Hao5iR/Xnb5VrEHLkCAwEAAaMTMBEwDwYDVR0TAQH/BAUwAwEB/zAN
BgkqhkiG9w0BAQQFAAOBgQDH7JJ+Tvj1lqVnYiqk8E0RYNBvjWBYYawmu1I1XAjPMPuoSpaKH2JC
I4wXD/S6ZJwXrEcp352YXtJsYHFcoqzceePnbgBHH7UNKOgCneSa/RP0ptl8sfjcXyMmCZGAc9AU
G95DqYMl8uacLxXK/qarigd1iwzdUYRr5PjRzneigTCCAz8wggKooAMCAQICAQ0wDQYJKoZIhvcN
AQEFBQAwgdExCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENhcGUxEjAQBgNVBAcTCUNh
cGUgVG93bjEaMBgGA1UEChMRVGhhd3RlIENvbnN1bHRpbmcxKDAmBgNVBAsTH0NlcnRpZmljYXRp
b24gU2VydmljZXMgRGl2aXNpb24xJDAiBgNVBAMTG1RoYXd0ZSBQZXJzb25hbCBGcmVlbWFpbCBD
QTErMCkGCSqGSIb3DQEJARYccGVyc29uYWwtZnJlZW1haWxAdGhhd3RlLmNvbTAeFw0wMzA3MTcw
MDAwMDBaFw0xMzA3MTYyMzU5NTlaMGIxCzAJBgNVBAYTAlpBMSUwIwYDVQQKExxUaGF3dGUgQ29u
c3VsdGluZyAoUHR5KSBMdGQuMSwwKgYDVQQDEyNUaGF3dGUgUGVyc29uYWwgRnJlZW1haWwgSXNz
dWluZyBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAxKY8VXNV+065yplaHmjAdQRwnd/p
/6Me7L3N9VvyGna9fww6YfK/Uc4B1OVQCjDXAmNaLIkVcI7dyfArhVqqP3FWy688Cwfn8R+RNiQq
E88r1fOCdz0Dviv+uxg+B79AgAJk16emu59l0cUqVIUPSAR/p7bRPGEEQB5kGXJgt/sCAwEAAaOB
lDCBkTASBgNVHRMBAf8ECDAGAQH/AgEAMEMGA1UdHwQ8MDowOKA2oDSGMmh0dHA6Ly9jcmwudGhh
d3RlLmNvbS9UaGF3dGVQZXJzb25hbEZyZWVtYWlsQ0EuY3JsMAsGA1UdDwQEAwIBBjApBgNVHREE
IjAgpB4wHDEaMBgGA1UEAxMRUHJpdmF0ZUxhYmVsMi0xMzgwDQYJKoZIhvcNAQEFBQADgYEASIzR
UIPqCy7MDaNmrGcPf6+svsIXoUOWlJ1/TCG4+DYfqi2fNi/A9BxQIJNwPP2t4WFiw9k6GX6EsZkb
AMUaC4J0niVQlGLH2ydxVyWN3amcOY6MIE9lX5Xa9/eH1sYITq726jTlEBpbNU1341YheILcIRk1
3iSx0x1G/11fZU8xggLPMIICywIBATBpMGIxCzAJBgNVBAYTAlpBMSUwIwYDVQQKExxUaGF3dGUg
Q29uc3VsdGluZyAoUHR5KSBMdGQuMSwwKgYDVQQDEyNUaGF3dGUgUGVyc29uYWwgRnJlZW1haWwg
SXNzdWluZyBDQQIDD+EfMAkGBSsOAwIaBQCgggG8MBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEw
HAYJKoZIhvcNAQkFMQ8XDTA2MDkwNDEwNTY1MFowIwYJKoZIhvcNAQkEMRYEFK+o+1ySsJocSKZG
tMEbpRsGacFTMGcGCSqGSIb3DQEJDzFaMFgwCgYIKoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0G
CCqGSIb3DQMCAgFAMAcGBSsOAwIHMA0GCCqGSIb3DQMCAgEoMAcGBSsOAwIaMAoGCCqGSIb3DQIF
MHgGCSsGAQQBgjcQBDFrMGkwYjELMAkGA1UEBhMCWkExJTAjBgNVBAoTHFRoYXd0ZSBDb25zdWx0
aW5nIChQdHkpIEx0ZC4xLDAqBgNVBAMTI1RoYXd0ZSBQZXJzb25hbCBGcmVlbWFpbCBJc3N1aW5n
IENBAgMP4R8wegYLKoZIhvcNAQkQAgsxa6BpMGIxCzAJBgNVBAYTAlpBMSUwIwYDVQQKExxUaGF3
dGUgQ29uc3VsdGluZyAoUHR5KSBMdGQuMSwwKgYDVQQDEyNUaGF3dGUgUGVyc29uYWwgRnJlZW1h
aWwgSXNzdWluZyBDQQIDD+EfMA0GCSqGSIb3DQEBAQUABIGAFqRfN5dm0FHtapnE5PVvqjC5q5Kh
JaQ+3yWZx7nTwS/BeGmAye27K9jszMA+FPg0OmeGRvwwQtHcdPHnDIF/ksuHQZ3HL0Cj9a7ztzJD
gnUbgkvxODzjnWz33F+DsWYl/9PY22sNpH4eMRIx+6lDwburiX3LqI8g21xAmI5K5lAAAAAAAAA=

------=_NextPart_000_007E_01C6CFE6.EA631EB0--