Login
[x]
Log in using an account from:
Fedora Account System
Red Hat Associate
Red Hat Customer
Or login using a Red Hat Bugzilla account
Forgot Password
Login:
Hide Forgot
Create an Account
Red Hat Bugzilla – Attachment 944976 Details for
Bug 1150542
[RFE][PATCH] Add GSSAPI support for ldap authentication
[?]
New
Simple Search
Advanced Search
My Links
Browse
Requests
Reports
Current State
Search
Tabular reports
Graphical reports
Duplicates
Other Reports
User Changes
Plotly Reports
Bug Status
Bug Severity
Non-Defaults
|
Product Dashboard
Help
Page Help!
Bug Writing Guidelines
What's new
Browser Support Policy
5.0.4.rh83 Release notes
FAQ
Guides index
User guide
Web Services
Contact
Legal
This site requires JavaScript to be enabled to function correctly, please enable it.
[patch]
Patch to enable ldapgssapi
dhcp-4.2.6-ldapgssapi.patch (text/plain), 22.21 KB, created by
William Brown
on 2014-10-08 12:13:58 UTC
(
hide
)
Description:
Patch to enable ldapgssapi
Filename:
MIME Type:
Creator:
William Brown
Created:
2014-10-08 12:13:58 UTC
Size:
22.21 KB
patch
obsolete
>diff -uNrp dhcp-4.2.6.orig/configure.ac dhcp-4.2.6.work/configure.ac >--- dhcp-4.2.6.orig/configure.ac 2014-07-02 14:54:33.398000000 +0930 >+++ dhcp-4.2.6.work/configure.ac 2014-07-02 14:54:37.325000000 +0930 >@@ -700,20 +700,43 @@ AC_ARG_WITH(ldapcrypto, > [ldapcrypto=$withval], > [ldapcrypto=no]) > >+# Gssapi to allow LDAP to authenticate with a keytab >+AC_ARG_WITH(krb5, >+ AC_HELP_STRING([--with-krb5], >+ [enable krb5/gssapi authentication for OpenLDAP in dhcpd (default is no)]), >+ [krb5=$withval], >+ [krb5=no]) >+ > # OpenLDAP support is disabled by default, if enabled then SSL support is an > # extra optional that is also disabled by default. Enabling LDAP SSL support >-# implies enabling LDAP support. >-if test x$ldap = xyes || test x$ldapcrypto = xyes ; then >+# implies enabling LDAP support. Similarly, KRB5 support implies LDAP support, >+# but doesn't include SSL. The two are not dependant. >+if test x$ldap = xyes || test x$ldapcrypto = xyes || test x$krb5 = xyes; then > AC_SEARCH_LIBS(ldap_initialize, [ldap], , > AC_MSG_FAILURE([*** Cannot find ldap_initialize with -lldap - do you need to install an OpenLDAP2 Devel package?])) > AC_SEARCH_LIBS(ber_pvt_opt_on, [lber], , > AC_MSG_FAILURE([*** Cannot find ber_pvt_opt_on with -llber - do you need to install an OpenLDAP2 Devel package?])) >+ if test x$krb5 = xyes ; then >+ AC_SEARCH_LIBS(krb5_init_context, [krb5], , >+ AC_MSG_FAILURE([*** Cannot find krb5_init_context with -lkrb5 - do you need to install a Kerberos Devel package?])) >+ fi > >+ #Can this be done better? > if test x$ldapcrypto = xyes ; then >- AC_SUBST(LDAP_CFLAGS, ["-DLDAP_CONFIGURATION -DLDAP_USE_SSL"]) >+ if test x$krb5 = xyes; then >+ AC_SUBST(LDAP_CFLAGS, ["-DLDAP_CONFIGURATION -DLDAP_USE_SSL -DLDAP_USE_GSSAPI"]) >+ else >+ AC_SUBST(LDAP_CFLAGS, ["-DLDAP_CONFIGURATION -DLDAP_USE_SSL"]) >+ fi > else >- AC_SUBST(LDAP_CFLAGS, ["-DLDAP_CONFIGURATION"]) >+ if test x$krb5 = xyes; then >+ AC_SUBST(LDAP_CFLAGS, ["-DLDAP_CONFIGURATION -DLDAP_USE_GSSAPI"]) >+ else >+ AC_SUBST(LDAP_CFLAGS, ["-DLDAP_CONFIGURATION"]) >+ fi > fi >+ >+ > fi > > # Append selected warning levels to CFLAGS before substitution (but after >diff -uNrp dhcp-4.2.6.orig/includes/dhcpd.h dhcp-4.2.6.work/includes/dhcpd.h >--- dhcp-4.2.6.orig/includes/dhcpd.h 2014-07-02 14:54:31.684000000 +0930 >+++ dhcp-4.2.6.work/includes/dhcpd.h 2014-07-03 18:06:44.446937730 +0930 >@@ -101,7 +101,14 @@ typedef time_t TIME; > #if defined(LDAP_CONFIGURATION) > # include <ldap.h> > # include <sys/utsname.h> /* for uname() */ >-#endif >+# if defined(LDAP_USE_GSSAPI) >+# include <krb5.h> >+# include <string.h> >+# include <stdio.h> >+# include <time.h> >+# include <unistd.h> >+# endif /* GSSAPI */ >+#endif /* LDAP CONFIGURATION */ > > #if !defined (BYTE_NAME_HASH_SIZE) > # define BYTE_NAME_HASH_SIZE 401 /* Default would be ridiculous. */ >@@ -755,6 +762,10 @@ struct lease_state { > # define SV_LDAP_TLS_CIPHERS 76 > # define SV_LDAP_TLS_RANDFILE 77 > #endif >+#if defined (LDAP_USE_GSSAPI) >+# define SV_LDAP_GSSAPI_KEYTAB 78 >+# define SV_LDAP_GSSAPI_PRINCIPAL 79 >+#endif > #endif > > #if !defined (DEFAULT_DEFAULT_LEASE_TIME) >diff -uNrp dhcp-4.2.6.orig/server/krb_helper.c dhcp-4.2.6.work/server/krb_helper.c >--- dhcp-4.2.6.orig/server/krb_helper.c 1970-01-01 09:30:00.000000000 +0930 >+++ dhcp-4.2.6.work/server/krb_helper.c 2014-07-22 20:38:08.693549007 +0930 >@@ -0,0 +1,220 @@ >+/* krb_helper.c >+ >+ Helper routings for allowing LDAP to read configuration with GSSAPI/krb auth */ >+ >+/* >+ * Copyright (c) 2014 William B. >+ * All rights reserved. >+ * >+ * Redistribution and use in source and binary forms, with or without >+ * modification, are permitted provided that the following conditions >+ * are met: >+ * >+ * 1. Redistributions of source code must retain the above copyright >+ * notice, this list of conditions and the following disclaimer. >+ * 2. Redistributions in binary form must reproduce the above copyright >+ * notice, this list of conditions and the following disclaimer in the >+ * documentation and/or other materials provided with the distribution. >+ * 3. Neither the name of The Internet Software Consortium nor the names >+ * of its contributors may be used to endorse or promote products derived >+ * from this software without specific prior written permission. >+ * >+ * THIS SOFTWARE IS PROVIDED BY THE INTERNET SOFTWARE CONSORTIUM AND >+ * CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, >+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF >+ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE >+ * DISCLAIMED. IN NO EVENT SHALL THE INTERNET SOFTWARE CONSORTIUM OR >+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, >+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT >+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF >+ * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND >+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, >+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT >+ * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF >+ * SUCH DAMAGE. >+ * >+ * This helper was written by William Brown <william@adelaide.edu.au>, >+ * inspired by krb5_helper.c from bind-dyndb-ldap by Simo Sorce (Redhat) >+ */ >+ >+#include "dhcpd.h" >+#include "krb_helper.h" >+ >+#if defined(LDAP_USE_GSSAPI) >+ >+//#include "ktinit.h" >+//#include <string.h> >+//#include <krb5.h> >+//#include <stdio.h> >+//#include <unistd.h> >+//#include <time.h> >+ >+#define KRB_DEFAULT_KEYTAB "FILE:/etc/dhcp/dhcp.keytab" >+#define KRB_MIN_TIME 300 >+ >+#define CHECK_KRB5(ctx, err, msg, ...) \ >+ do { \ >+ if (err) { \ >+ const char * errmsg = krb5_get_error_message(ctx, err); \ >+ log_error("Err: %s -> %s\n", msg, errmsg); \ >+ result = ISC_R_FAILURE; \ >+ goto cleanup; \ >+ } \ >+ } while (0) >+ >+#define CHECK(ret_code, msg) \ >+ if (ret_code != 0) { \ >+ log_error("Error, %i %s\n", ret_code, msg); \ >+ goto cleanup; \ >+ } >+ >+static isc_result_t >+check_credentials(krb5_context context, krb5_ccache ccache, krb5_principal service) >+{ >+ char *realm = NULL; >+ krb5_creds creds; >+ krb5_creds mcreds; >+ krb5_error_code krberr; >+ krb5_timestamp now; >+ isc_result_t result = ISC_R_FAILURE; >+ >+ memset(&mcreds, 0, sizeof(mcreds)); >+ memset(&creds, 0, sizeof(creds)); >+ >+ krberr = krb5_get_default_realm(context, &realm); >+ CHECK_KRB5(context, krberr, "Failed to retrieve default realm"); >+ >+ krberr = krb5_build_principal(context, &mcreds.server, >+ strlen(realm), realm, >+ "krbtgt", realm, NULL); >+ CHECK_KRB5(context, krberr, "Failed to build 'krbtgt/REALM' principal"); >+ >+ mcreds.client = service; >+ >+ krberr = krb5_cc_retrieve_cred(context, ccache, 0, &mcreds, &creds); >+ >+ if (krberr) { >+ const char * errmsg = krb5_get_error_message(context, krberr); >+ log_error("Credentials are not present in cache (%s)\n", errmsg); >+ krb5_free_error_message(context, errmsg); >+ result = ISC_R_FAILURE; >+ goto cleanup; >+ } >+ CHECK_KRB5(context, krberr, "Credentials are not present in cache "); >+ >+ krberr = krb5_timeofday(context, &now); >+ CHECK_KRB5(context, krberr, "Failed to get time of day"); >+ >+ >+ if (now > (creds.times.endtime + KRB_MIN_TIME)) { >+ log_error("Credentials cache expired"); >+ result = ISC_R_FAILURE; >+ goto cleanup; >+ } else { >+ char buf[255]; >+ char fill = ' '; >+ krb5_timestamp_to_sfstring(creds.times.endtime, buf, 16, &fill); >+ log_info("Credentials valid til %s\n", buf); >+ } >+ >+ result = ISC_R_SUCCESS; >+ >+cleanup: >+ krb5_free_cred_contents(context, &creds); >+ if (mcreds.server) krb5_free_principal(context, mcreds.server); >+ if (realm) krb5_free_default_realm(context, realm); >+ return result; >+} >+ >+isc_result_t >+krb5_get_tgt(const char *principal, const char *keyfile) >+{ >+ isc_result_t result = ISC_R_FAILURE; >+ char *ccname = NULL; >+ krb5_context context = NULL; >+ krb5_error_code krberr; >+ krb5_ccache ccache = NULL; >+ krb5_principal kprincpw = NULL; >+ krb5_creds my_creds; >+ krb5_creds * my_creds_ptr = NULL; >+ krb5_get_init_creds_opt options; >+ krb5_keytab keytab = NULL; >+ int ret; >+ >+ if (keyfile == NULL || keyfile[0] == '\0') { >+ keyfile = KRB_DEFAULT_KEYTAB; >+ log_info("Using default keytab %s\n", keyfile); >+ } else { >+ if (strncmp(keyfile, "FILE:", 5) != 0) { >+ log_error("Unknown keytab path format: Does it start with FILE:?\n"); >+ return ISC_R_FAILURE; >+ } >+ } >+ >+ krberr = krb5_init_context(&context); >+ CHECK_KRB5(NULL, krberr, "Kerberos context initialization failed"); >+ >+ result = ISC_R_SUCCESS; >+ >+ ccname = "MEMORY:dhcp_ld_krb5_cc"; >+ log_info("Using ccache %s\n" , ccname); >+ >+ ret = setenv("KRB5CCNAME", ccname, 1); >+ if (ret == -1) { >+ log_error("Failed to setup environment\n"); >+ result = ISC_R_FAILURE; >+ goto cleanup; >+ } >+ >+ krberr = krb5_cc_resolve(context, ccname, &ccache); >+ CHECK_KRB5(context, krberr, "Couldnt resolve ccache '%s'", ccname); >+ >+ krberr = krb5_parse_name(context, principal, &kprincpw); >+ CHECK_KRB5(context, krberr, "Failed to parse princ '%s'", princpal); >+ >+ result = check_credentials(context, ccache, kprincpw); >+ if (result == ISC_R_SUCCESS) { >+ log_info("Found valid kerberos credentials\n"); >+ goto cleanup; >+ } else { >+ log_error("No valid krb5 credentials\n"); >+ } >+ >+ krberr = krb5_kt_resolve(context, keyfile, &keytab); >+ CHECK_KRB5(context, krberr, >+ "Failed to resolve kt files '%s'\n", keyfile); >+ >+ memset(&my_creds, 0, sizeof(my_creds)); >+ memset(&options, 0, sizeof(options)); >+ >+ krb5_get_init_creds_opt_set_tkt_life(&options, KRB_MIN_TIME * 2); >+ krb5_get_init_creds_opt_set_address_list(&options, NULL); >+ krb5_get_init_creds_opt_set_forwardable(&options, 0); >+ krb5_get_init_creds_opt_set_proxiable(&options, 0); >+ >+ krberr = krb5_get_init_creds_keytab(context, &my_creds, kprincpw, >+ keytab, 0, NULL, &options); >+ CHECK_KRB5(context, krberr, "Failed to get initial credentials TGT\n"); >+ >+ my_creds_ptr = &my_creds; >+ >+ krberr = krb5_cc_initialize(context, ccache, kprincpw); >+ CHECK_KRB5(context, krberr, "Failed to init ccache\n"); >+ >+ krberr = krb5_cc_store_cred(context, ccache, &my_creds); >+ CHECK_KRB5(context, krberr, "Failed to store credentials\n"); >+ >+ result = ISC_R_SUCCESS; >+ log_info("Successfully init krb tgt %s", principal); >+ >+cleanup: >+ if (ccache) krb5_cc_close(context, ccache); >+ if (keytab) krb5_kt_close(context, keytab); >+ if (kprincpw) krb5_free_principal(context, kprincpw); >+ if (my_creds_ptr) krb5_free_cred_contents(context, &my_creds); >+ if (context) krb5_free_context(context); >+ return result; >+} >+ >+#endif >+ >diff -uNrp dhcp-4.2.6.orig/server/krb_helper.h dhcp-4.2.6.work/server/krb_helper.h >--- dhcp-4.2.6.orig/server/krb_helper.h 1970-01-01 09:30:00.000000000 +0930 >+++ dhcp-4.2.6.work/server/krb_helper.h 2014-07-02 14:54:36.926000000 +0930 >@@ -0,0 +1,40 @@ >+/* krb_helper.h >+ >+ Helper routings for allowing LDAP to read configuration with GSSAPI/krb auth */ >+ >+/* >+ * Copyright (c) 2014 William B. >+ * All rights reserved. >+ * >+ * Redistribution and use in source and binary forms, with or without >+ * modification, are permitted provided that the following conditions >+ * are met: >+ * >+ * 1. Redistributions of source code must retain the above copyright >+ * notice, this list of conditions and the following disclaimer. >+ * 2. Redistributions in binary form must reproduce the above copyright >+ * notice, this list of conditions and the following disclaimer in the >+ * documentation and/or other materials provided with the distribution. >+ * 3. Neither the name of The Internet Software Consortium nor the names >+ * of its contributors may be used to endorse or promote products derived >+ * from this software without specific prior written permission. >+ * >+ * THIS SOFTWARE IS PROVIDED BY THE INTERNET SOFTWARE CONSORTIUM AND >+ * CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, >+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF >+ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE >+ * DISCLAIMED. IN NO EVENT SHALL THE INTERNET SOFTWARE CONSORTIUM OR >+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, >+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT >+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF >+ * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND >+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, >+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT >+ * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF >+ * SUCH DAMAGE. >+ * >+ * This helper was written by William Brown <william@adelaide.edu.au>, >+ * inspired by krb5_helper.c from bind-dyndb-ldap by Simo Sorce (Redhat) >+ */ >+ >+isc_result_t krb5_get_tgt(const char *, const char *); >diff -uNrp dhcp-4.2.6.orig/server/ldap.c dhcp-4.2.6.work/server/ldap.c >--- dhcp-4.2.6.orig/server/ldap.c 2014-07-02 14:54:32.926000000 +0930 >+++ dhcp-4.2.6.work/server/ldap.c 2014-07-22 20:20:51.234681558 +0930 >@@ -39,10 +39,16 @@ > > #include "dhcpd.h" > #include <signal.h> >-#include <errno.h> >+//#include <errno.h> >+#define LDAP_DEBUG 1 > > #if defined(LDAP_CONFIGURATION) > >+#if defined(LDAP_USE_GSSAPI) >+#include <sasl/sasl.h> >+#include "krb_helper.h" >+#endif >+ > #if defined(LDAP_CASA_AUTH) > #include "ldap_casa.h" > #endif >@@ -69,6 +75,20 @@ static char *ldap_tls_ca_file = NULL, > *ldap_tls_ciphers = NULL, > *ldap_tls_randfile = NULL; > #endif >+#if defined (LDAP_USE_GSSAPI) >+static char *ldap_gssapi_keytab = NULL, >+ *ldap_gssapi_principal = NULL; >+ >+static struct ldap_sasl_instance { >+ char *sasl_mech; >+ char *sasl_realm; >+ char *sasl_authz_id; >+ char *sasl_authc_id; >+ char *sasl_password; >+}; >+ >+static struct ldap_sasl_instance *ldap_sasl_inst = NULL; >+#endif > static struct ldap_config_stack *ldap_stack = NULL; > > typedef struct ldap_dn_node { >@@ -545,6 +565,62 @@ _do_lookup_dhcp_enum_option (struct opti > return (ret); > } > >+#if defined(LDAP_USE_GSSAPI) >+static int >+_ldap_sasl_interact(LDAP *ld, unsigned flags, void *defaults, void *sin) >+{ >+ sasl_interact_t *in; >+ struct ldap_sasl_instance *ldap_inst = defaults; >+ int ret = LDAP_OTHER; >+ size_t size; >+ >+ if (ld == NULL || sin == NULL) >+ return LDAP_PARAM_ERROR; >+ >+ log_info("doing interactive bind"); >+ for (in = sin; in != NULL && in->id != SASL_CB_LIST_END; in++) { >+ switch (in->id) { >+ case SASL_CB_USER: >+ log_info("got request for SASL_CB_USER %s", ldap_inst->sasl_authz_id); >+ size = strlen(ldap_inst->sasl_authz_id); >+ in->result = ldap_inst->sasl_authz_id; >+ in->len = size; >+ ret = LDAP_SUCCESS; >+ break; >+ case SASL_CB_GETREALM: >+ log_info("got request for SASL_CB_GETREALM %s", ldap_inst->sasl_realm); >+ size = strlen(ldap_inst->sasl_realm); >+ in->result = ldap_inst->sasl_realm; >+ in->len = size; >+ ret = LDAP_SUCCESS; >+ break; >+ case SASL_CB_AUTHNAME: >+ log_info("got request for SASL_CB_AUTHNAME %s", ldap_inst->sasl_authc_id); >+ size = strlen(ldap_inst->sasl_authc_id); >+ in->result = ldap_inst->sasl_authc_id; >+ in->len = size; >+ ret = LDAP_SUCCESS; >+ break; >+ case SASL_CB_PASS: >+ log_info("got request for SASL_CB_PASS %s", ldap_inst->sasl_password); >+ size = strlen(ldap_inst->sasl_password); >+ in->result = ldap_inst->sasl_password; >+ in->len = size; >+ ret = LDAP_SUCCESS; >+ break; >+ default: >+ goto cleanup; >+ } >+ } >+ return ret; >+ >+cleanup: >+ in->result = NULL; >+ in->len = 0; >+ return LDAP_OTHER; >+} >+#endif >+ > int > ldap_rebind_cb (LDAP *ld, LDAP_CONST char *url, ber_tag_t request, ber_int_t msgid, void *parms) > { >@@ -595,20 +671,48 @@ ldap_rebind_cb (LDAP *ld, LDAP_CONST cha > } > #endif > >- >- if (ldap_username != NULL || *ldap_username != '\0') >+ if (ldap_username != NULL && *ldap_username != '\0') > { >- who = ldap_username; >+#if defined(LDAP_USE_GSSAPI) >+ if (ldap_gssapi_principal != NULL) { >+ log_error("Cannot use gssapi and username / password simultaneously"); >+ ldap_stop(); >+ return; >+ } >+#endif > creds.bv_val = strdup(ldap_password); > creds.bv_len = strlen(ldap_password); >- } > >- if ((ret = ldap_sasl_bind_s (ld, who, LDAP_SASL_SIMPLE, &creds, >- NULL, NULL, NULL)) != LDAP_SUCCESS) >- { >- log_error ("Error: Cannot login into ldap server %s:%d: %s", >- ldapurl->lud_host, ldapurl->lud_port, ldap_err2string (ret)); >+ if ((ret = ldap_sasl_bind_s (ld, ldap_username, LDAP_SASL_SIMPLE, >+ &creds, NULL, NULL, NULL)) != LDAP_SUCCESS) >+ { >+ log_error ("Error: Cannot login into ldap server %s:%d: %s", >+ ldap_server, ldap_port, ldap_err2string (ret)); >+ ldap_stop(); >+ return ret; >+ } >+#if defined(LDAP_USE_GSSAPI) >+ } else { >+ if (ldap_gssapi_principal != NULL) { >+ krb5_get_tgt(ldap_gssapi_principal, ldap_gssapi_keytab); >+ if ((ret = ldap_sasl_interactive_bind_s(ld, NULL, ldap_sasl_inst->sasl_mech, >+ NULL, NULL, LDAP_SASL_AUTOMATIC, >+ _ldap_sasl_interact, ldap_sasl_inst) >+ ) != LDAP_SUCCESS) >+ { >+ log_error ("Error: Cannot SASL bind to ldap server %s:%d: %s", >+ ldap_server, ldap_port, ldap_err2string (ret)); >+ char *msg=NULL; >+ ldap_get_option( ld, LDAP_OPT_DIAGNOSTIC_MESSAGE, (void*)&msg); >+ log_error ("\tAdditional info: %s", msg); >+ ldap_memfree(msg); >+ ldap_stop(); >+ return ret; >+ } >+ } >+#endif > } >+ > return ret; > } > >@@ -618,6 +722,12 @@ ldap_start (void) > struct option_state *options; > int ret, version; > char *uri = NULL; >+#if defined(LDAP_USE_GSSAPI) >+ char *gssapi_realm = NULL; >+ char *gssapi_user = NULL; >+ char *running = NULL; >+ const char *gssapi_delim = "@"; >+#endif > struct berval creds; > > if (ld != NULL) >@@ -657,6 +767,26 @@ ldap_start (void) > ldap_tls_randfile = _do_lookup_dhcp_string_option (options, SV_LDAP_TLS_RANDFILE); > } > #endif >+#if defined (LDAP_USE_GSSAPI) >+ ldap_gssapi_keytab = _do_lookup_dhcp_string_option (options, SV_LDAP_GSSAPI_KEYTAB); >+ ldap_gssapi_principal = _do_lookup_dhcp_string_option (options, SV_LDAP_GSSAPI_PRINCIPAL); >+ >+ running = strdup(ldap_gssapi_principal); >+ gssapi_user = strtok(running, gssapi_delim); >+ gssapi_realm = strtok(NULL, gssapi_delim); >+ ldap_sasl_inst = malloc(sizeof(struct ldap_sasl_instance)); >+ if (ldap_sasl_inst == NULL) { >+ log_error("Could not allocate memory for sasl instance! Can not run!"); >+ ldap_stop(); >+ return; >+ } >+ ldap_sasl_inst->sasl_mech = ber_strdup("GSSAPI"); >+ ldap_sasl_inst->sasl_realm = ber_strdup(gssapi_realm); >+ ldap_sasl_inst->sasl_authz_id = ber_strdup(gssapi_user); >+ ldap_sasl_inst->sasl_authc_id = NULL; >+ ldap_sasl_inst->sasl_password = NULL; //"" before >+ free(running); >+#endif > > #if defined (LDAP_CASA_AUTH) > if (!load_uname_pwd_from_miCASA(&ldap_username,&ldap_password)) >@@ -871,6 +1001,13 @@ ldap_start (void) > > if (ldap_username != NULL && *ldap_username != '\0') > { >+#if defined(LDAP_USE_GSSAPI) >+ if (ldap_gssapi_principal != NULL) { >+ log_error("Cannot use gssapi and username / password simultaneously"); >+ ldap_stop(); >+ return; >+ } >+#endif > creds.bv_val = strdup(ldap_password); > creds.bv_len = strlen(ldap_password); > >@@ -882,6 +1019,26 @@ ldap_start (void) > ldap_stop(); > return; > } >+#if defined(LDAP_USE_GSSAPI) >+ } else { >+ if (ldap_gssapi_principal != NULL) { >+ krb5_get_tgt(ldap_gssapi_principal, ldap_gssapi_keytab); >+ if ((ret = ldap_sasl_interactive_bind_s(ld, NULL, ldap_sasl_inst->sasl_mech, >+ NULL, NULL, LDAP_SASL_AUTOMATIC, >+ _ldap_sasl_interact, ldap_sasl_inst) >+ ) != LDAP_SUCCESS) >+ { >+ log_error ("Error: Cannot SASL bind to ldap server %s:%d: %s", >+ ldap_server, ldap_port, ldap_err2string (ret)); >+ char *msg=NULL; >+ ldap_get_option( ld, LDAP_OPT_DIAGNOSTIC_MESSAGE, (void*)&msg); >+ log_error ("\tAdditional info: %s", msg); >+ ldap_memfree(msg); >+ ldap_stop(); >+ return; >+ } >+ } >+#endif > } > > #if defined (DEBUG_LDAP) >diff -uNrp dhcp-4.2.6.orig/server/Makefile.am dhcp-4.2.6.work/server/Makefile.am >--- dhcp-4.2.6.orig/server/Makefile.am 2014-07-02 14:54:32.343000000 +0930 >+++ dhcp-4.2.6.work/server/Makefile.am 2014-07-02 14:54:36.921000000 +0930 >@@ -10,7 +10,7 @@ dist_sysconf_DATA = dhcpd.conf.example > sbin_PROGRAMS = dhcpd > dhcpd_SOURCES = dhcpd.c dhcp.c bootp.c confpars.c db.c class.c failover.c \ > omapi.c mdb.c stables.c salloc.c ddns.c dhcpleasequery.c \ >- dhcpv6.c mdb6.c ldap.c ldap_casa.c probes.d trace.h >+ dhcpv6.c mdb6.c ldap.c ldap_casa.c krb_helper.c probes.d trace.h > > dhcpd_CFLAGS = $(LDAP_CFLAGS) > dhcpd_LDADD = ../common/libdhcp.a ../omapip/libomapi.la \ >diff -uNrp dhcp-4.2.6.orig/server/stables.c dhcp-4.2.6.work/server/stables.c >--- dhcp-4.2.6.orig/server/stables.c 2014-07-02 14:54:33.027000000 +0930 >+++ dhcp-4.2.6.work/server/stables.c 2014-07-03 18:10:53.990786403 +0930 >@@ -259,6 +259,10 @@ static struct option server_options[] = > { "ldap-tls-ciphers", "t", &server_universe, 76, 1 }, > { "ldap-tls-randfile", "t", &server_universe, 77, 1 }, > #endif /* LDAP_USE_SSL */ >+#if defined(LDAP_USE_GSSAPI) >+ { "ldap-gssapi-keytab", "t", &server_universe, 78, 1}, >+ { "ldap-gssapi-principal", "t", &server_universe, 79, 1}, >+#endif /* LDAP_USE_GSSAPI */ > #endif /* LDAP_CONFIGURATION */ > { NULL, NULL, NULL, 0, 0 } > };
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=944976">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 1150542
: 944976