405
405
#ifdef USE_KRB5_USEROK
407
k5_principal_is_authorized(struct auth_request *request, const char *name)
409
const char *value, *const *authorized_names, *const *tmp;
411
value = auth_fields_find(request->extra_fields, "k5principals");
415
authorized_names = t_strsplit_spaces(value, ",");
416
for (tmp = authorized_names; *tmp != NULL; tmp++) {
417
if (strcmp(*tmp, name) == 0) {
418
auth_request_log_debug(request, "gssapi",
419
"authorized by k5principals field: %s", name);
407
427
mech_gssapi_krb5_userok(struct gssapi_auth_request *request,
408
428
gss_name_t name, const char *login_user,
409
429
bool check_name_type)
413
433
krb5_error_code krb5_err;
414
434
gss_OID name_type;
415
435
const char *princ_display_name;
436
bool authorized = FALSE;
418
438
/* Parse out the principal's username */
419
439
if (get_display_name(&request->auth_request, name, &name_type,
443
463
"krb5_parse_name() failed: %d",
466
/* See if the principal is in the list of authorized
467
* principals for the user */
468
authorized = k5_principal_is_authorized(&request->auth_request,
446
471
/* See if the principal is authorized to act as the
448
ret = krb5_kuserok(ctx, princ, login_user);
472
specified (UNIX) user */
474
authorized = krb5_kuserok(ctx, princ, login_user);
449
476
krb5_free_principal(ctx, princ);
451
478
krb5_free_context(ctx);
508
535
auth_request_log_info(auth_request, "gssapi",
509
536
"Cross-realm authentication not supported "
510
"(authz_name=%s)", login_user);
537
"(authn_name=%s, authz_name=%s)", request->auth_request.original_username, login_user);
543
gssapi_credentials_callback(enum passdb_result result,
544
const unsigned char *credentials ATTR_UNUSED,
545
size_t size ATTR_UNUSED,
546
struct auth_request *request)
548
struct gssapi_auth_request *gssapi_request =
549
(struct gssapi_auth_request *)request;
551
/* We don't care much whether the lookup succeeded or not because GSSAPI
552
* does not strictly require a passdb. But if a passdb is configured,
553
* now the k5principals field will have been filled in. */
555
case PASSDB_RESULT_INTERNAL_FAILURE:
556
auth_request_internal_failure(request);
558
case PASSDB_RESULT_USER_DISABLED:
559
case PASSDB_RESULT_PASS_EXPIRED:
560
/* user is explicitly disabled, don't allow it to log in */
561
auth_request_fail(request);
563
case PASSDB_RESULT_SCHEME_NOT_AVAILABLE:
564
case PASSDB_RESULT_USER_UNKNOWN:
565
case PASSDB_RESULT_PASSWORD_MISMATCH:
566
case PASSDB_RESULT_OK:
570
if (mech_gssapi_userok(gssapi_request, request->user) == 0)
571
auth_request_success(request, NULL, 0);
573
auth_request_fail(request);
516
577
mech_gssapi_unwrap(struct gssapi_auth_request *request, gss_buffer_desc inbuf)
568
if (mech_gssapi_userok(request, login_user) < 0)
629
/* Set username early, so that the credential lookup is for the
630
* authorizing user. This means the username in subsequent log
631
* messagess will be the authorization name, not the authentication
632
* name, which may mean that future log messages should be adjusted
633
* to log the right thing. */
571
634
if (!auth_request_set_username(auth_request, login_user, &error)) {
572
635
auth_request_log_info(auth_request, "gssapi",
573
636
"authz_name: %s", error);
577
auth_request_success(auth_request, NULL, 0);
640
/* Continue in callback once auth_request is populated with passdb
642
auth_request->passdb_success = TRUE; /* default to success */
643
auth_request_lookup_credentials(&request->auth_request, "",
644
gssapi_credentials_callback);
added
removed
src/auth/mech-gssapi.c
