Hi,

I have started using LDAP authorization in Squid, integrated with
Active Directory, for users authenticated by the Negotiate method (using
Kerberos). Since the username then has an @REALM suffix appended to it, I
need to remove that suffix, so I (with the help of a colleague who knows C
much better than I do) created a patch to strip the Kerberos realm from the
user name in squid_ldap_group.

The patch is attached, and works for both, version 3.0 Stable1 and 2.6 Stable17.

My notes on use kerberos for authentication on AD and authorization
with Ldap are in http://klaubert.wordpress.com/

Best regards,

Klaubert Herr
--- squid_ldap_group.8.original	2008-01-10 11:08:21.000000000 -0200
+++ squid_ldap_group.8	2008-01-07 11:36:45.000000000 -0200
@@ -152,6 +152,10 @@
 Strip NT domain name component from user names (/ or \\ separated)
 .
 .TP
+.BI -K
+Strip Kerberos Realm component from user names (@ separated)
+.
+.TP
 .BI -d
 Debug mode where each step taken will get reported in detail.
 Useful for understanding what goes wrong if the results is
--- squid_ldap_group.c.original	2008-01-10 11:08:12.000000000 -0200
+++ squid_ldap_group.c	2008-01-04 19:35:09.000000000 -0200
@@ -215,6 +215,7 @@
     int port = LDAP_PORT;
     int use_extension_dn = 0;
     int strip_nt_domain = 0;
+    int strip_kerberos_realm = 0;
     int err = 0;
 
     setbuf(stdout, NULL);
@@ -370,6 +371,9 @@
 	case 'S':
 	    strip_nt_domain = 1;
 	    break;
+	case 'K':
+	    strip_kerberos_realm = 1;
+	    break;
 	default:
 	    fprintf(stderr, PROGRAM_NAME " ERROR: Unknown command line option '%c'\n", option);
 	    exit(1);
@@ -424,6 +428,7 @@
 #endif
 	fprintf(stderr, "\t-g\t\t\tfirst query parameter is base DN extension\n\t\t\t\tfor this query\n");
 	fprintf(stderr, "\t-S\t\t\tStrip NT domain from usernames\n");
+	fprintf(stderr, "\t-K\t\t\tStrip Kerberos realm from usernames\n");
 	fprintf(stderr, "\n");
 	fprintf(stderr, "\tIf you need to bind as a user to perform searches then use the\n\t-D binddn -w bindpasswd or -D binddn -W secretfile options\n\n");
 	exit(1);
@@ -470,6 +475,12 @@
 	    if (u && u[1])
 		user = u + 1;
 	}
+	if (strip_kerberos_realm) {
+	   char *u = strchr(user, '@');
+      if (u!=NULL) {
+         *u = '\0';
+      }
+	}
 	if (use_extension_dn) {
 	    extension_dn = strtok(NULL, " \n");
 	    if (!extension_dn) {
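Review bot: The new `strip_kerberos_realm` block cuts the name at the first `@` without checking what is left, so a name that begins with `@` becomes an empty string and still goes on to the group lookup; the NT-domain branch just above guards against the equivalent case with `u && u[1]`. Using the last separator and refusing an empty result would be safer: `char *u = strrchr(user, '@');` followed by `if (u != NULL && u != user) *u = '\0';`, where `strrchr` also keeps any earlier `@` that is part of the name itself. Because the realm is discarded rather than compared against an expected value, the same short name from two different realms resolves to the same directory entry for the group check; a comment here and a sentence in the `-K` man page entry, such as `/* -K assumes a single authenticating realm; names are not realm-qualified after this point */`, would make that assumption explicit. The added lines also mix tabs with three-space indents, unlike the surrounding code. The enclosing function starts and ends outside this hunk.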
