diff -ru trunk/acinclude/krb5.m4 trunk-mm/acinclude/krb5.m4 --- trunk/acinclude/krb5.m4 2013-09-28 00:37:39.207515000 +0100 +++ trunk-mm/acinclude/krb5.m4 2014-08-10 11:32:05.165642710 +0100 @@ -140,22 +140,26 @@ AC_DEFUN([SQUID_CHECK_WORKING_GSSAPI], [ AC_CACHE_CHECK([for working gssapi], squid_cv_working_gssapi, [ AC_RUN_IFELSE([AC_LANG_SOURCE([[ -#ifdef HAVE_HEIMDAL_KERBEROS -#ifdef HAVE_GSSAPI_GSSAPI_H +#if USE_HEIMDAL_KRB5 +#if HAVE_GSSAPI_GSSAPI_H #include -#elif defined(HAVE_GSSAPI_H) +#elif HAVE_GSSAPI_H #include #endif +#elif USE_GNUGSS +#if HAVE_GSS_H +#include +#endif #else -#ifdef HAVE_GSSAPI_GSSAPI_H +#if HAVE_GSSAPI_GSSAPI_H #include -#elif defined(HAVE_GSSAPI_H) +#elif HAVE_GSSAPI_H #include #endif -#ifdef HAVE_GSSAPI_GSSAPI_KRB5_H +#if HAVE_GSSAPI_GSSAPI_KRB5_H #include #endif -#ifdef HAVE_GSSAPI_GSSAPI_GENERIC_H +#if HAVE_GSSAPI_GSSAPI_GENERIC_H #include #endif #endif @@ -170,29 +174,35 @@ return 0; } ]])], [ squid_cv_working_gssapi=yes ], [ squid_cv_working_gssapi=no ], [:])]) +if test "x$squid_cv_working_gssapi" = "xno" -a `echo $LIBS | grep -i -c "\-L"` -gt 0; then + AC_MSG_NOTICE([Check Runtime library path !]) +fi ]) - dnl check for a working spnego, and set squid_cv_have_spnego AC_DEFUN([SQUID_CHECK_SPNEGO_SUPPORT], [ AC_CACHE_CHECK([for spnego support], squid_cv_have_spnego, [ AC_RUN_IFELSE([AC_LANG_SOURCE([[ -#ifdef HAVE_HEIMDAL_KERBEROS -#ifdef HAVE_GSSAPI_GSSAPI_H +#if USE_HEIMDAL_KRB5 +#if HAVE_GSSAPI_GSSAPI_H #include -#elif defined(HAVE_GSSAPI_H) +#elif HAVE_GSSAPI_H #include #endif +#elif USE_GNUGSS +#if HAVE_GSS_H +#include +#endif #else -#ifdef HAVE_GSSAPI_GSSAPI_H +#if HAVE_GSSAPI_GSSAPI_H #include -#elif defined(HAVE_GSSAPI_H) +#elif HAVE_GSSAPI_H #include #endif -#ifdef HAVE_GSSAPI_GSSAPI_KRB5_H +#if HAVE_GSSAPI_GSSAPI_KRB5_H #include #endif -#ifdef HAVE_GSSAPI_GSSAPI_GENERIC_H +#if HAVE_GSSAPI_GSSAPI_GENERIC_H #include #endif #endif 
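Review bot: The `grep -i -c "\-L"` in the new notice condition after the working-gssapi check fires whenever LIBS names any library at all, because `-i` makes the pattern match `-l` as well as `-L`, so a failed probe is followed by the "Check Runtime library path" hint even when no search path was given; dropping `-i` (`grep -c "\-L"`) restricts it to the `-L` case it is meant to catch. The same condition is added after the working-krb5 check in the @@ -250,4 +260,83 @@ hunk and needs the same change. The hint itself could say what to look at, e.g. `AC_MSG_NOTICE([Kerberos test program failed to run with -L paths in LIBS; check that the runtime library path (LD_LIBRARY_PATH or -R/-Wl,-rpath) covers them])`. The `#ifdef` to `#if` rewrite of the header guards relies on AC_CHECK_HEADERS leaving the macro of an absent header undefined, which the preprocessor evaluates as 0, so that part looks fine as long as these probes are never built with -Werror=undef.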
@@ -223,7 +233,7 @@
 AC_DEFUN([SQUID_CHECK_WORKING_KRB5],[
 AC_CACHE_CHECK([for working krb5], squid_cv_working_krb5, [
 AC_RUN_IFELSE([AC_LANG_SOURCE([[
-#ifdef HAVE_KRB5_H
+#if HAVE_KRB5_H
 #if HAVE_BROKEN_SOLARIS_KRB5_H
 #if defined(__cplusplus)
 #define KRB5INT_BEGIN_DECLS extern "C" {
@@ -250,4 +260,83 @@ return 0; } ]])], [ squid_cv_working_krb5=yes ], [ squid_cv_working_krb5=no ],[:])]) +if test "x$squid_cv_working_krb5" = "xno" -a `echo $LIBS | grep -i -c "\-L"` -gt 0; then + AC_MSG_NOTICE([Check Runtime library path !]) +fi ]) + + +dnl checks for existence of krb5 functions +AC_DEFUN([SQUID_CHECK_KRB5_FUNCS],[ + + AC_CHECK_LIB(krb5,krb5_get_err_text, + AC_DEFINE(HAVE_KRB5_GET_ERR_TEXT,1, + [Define to 1 if you have krb5_get_err_text]),) + AC_CHECK_LIB(krb5,krb5_get_error_message, + AC_DEFINE(HAVE_KRB5_GET_ERROR_MESSAGE,1, + [Define to 1 if you have krb5_get_error_message]),) + AC_CHECK_DECLS(krb5_kt_free_entry,,,[#include ]) + AC_CHECK_TYPE(krb5_pac, + AC_DEFINE(HAVE_KRB5_PAC,1, + [Define to 1 if you have krb5_pac]),, + [#include ]) + AC_CHECK_LIB(krb5,krb5_kt_free_entry, + AC_DEFINE(HAVE_KRB5_KT_FREE_ENTRY,1, + [Define to 1 if you have krb5_kt_free_entry]),) + AC_CHECK_LIB(krb5,krb5_get_init_creds_keytab, + AC_DEFINE(HAVE_GET_INIT_CREDS_KEYTAB,1, + [Define to 1 if you have krb5_get_init_creds_keytab]),) + AC_CHECK_LIB(krb5,krb5_get_max_time_skew, + AC_DEFINE(HAVE_KRB5_GET_MAX_TIME_SKEW,1, + [Define to 1 if you have krb5_get_max_time_skew]),) + AC_CHECK_LIB(krb5,krb5_get_profile, + AC_DEFINE(HAVE_KRB5_GET_PROFILE,1, + [Define to 1 if you have krb5_get_profile]),) + AC_CHECK_LIB(krb5,profile_get_integer, + AC_DEFINE(HAVE_PROFILE_GET_INTEGER,1, + [Define to 1 if you have profile_get_integer]),) + AC_CHECK_LIB(krb5,profile_release, + AC_DEFINE(HAVE_PROFILE_RELEASE,1, + [Define to 1 if you have profile_release]),) + AC_CHECK_LIB(krb5,krb5_get_renewed_creds, + AC_DEFINE(HAVE_KRB5_GET_RENEWED_CREDS,1, + [Define to 1 if you have krb5_get_renewed_creds]),) + AC_CHECK_LIB(krb5,krb5_principal_get_realm, + AC_DEFINE(HAVE_KRB5_PRINCIPAL_GET_REALM,1, + [Define to 1 if you have krb5_principal_get_realm]),) + AC_CHECK_LIB(krb5, krb5_get_init_creds_opt_alloc, + AC_DEFINE(HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC,1, + [Define to 1 if you have 
krb5_get_init_creds_opt_alloc]),) + AC_MSG_CHECKING([for krb5_get_init_creds_free requires krb5_context]) + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ + #include + ]],[[krb5_context context; + krb5_get_init_creds_opt *options; + krb5_get_init_creds_opt_free(context, options)]])],[ + AC_DEFINE(HAVE_KRB5_GET_INIT_CREDS_FREE_CONTEXT,1, + [Define to 1 if you krb5_get_init_creds_free requires krb5_context]) + AC_MSG_RESULT(yes) + ],[AC_MSG_RESULT(no)],[AC_MSG_RESULT(no)]) + + + AC_CHECK_FUNCS(gss_map_name_to_any, + AC_DEFINE(HAVE_GSS_MAP_ANY_TO_ANY,1, + [Define to 1 if you have gss_map_name_to_any]),) + AC_CHECK_FUNCS(gsskrb5_extract_authz_data_from_sec_context, + AC_DEFINE(HAVE_GSSKRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT,1, + [Define to 1 if you have gsskrb5_extract_authz_data_from_sec_context]),) + + SQUID_CHECK_KRB5_CONTEXT_MEMORY_CACHE + SQUID_DEFINE_BOOL(HAVE_KRB5_MEMORY_CACHE,$squid_cv_memory_cache, + [Define if kerberos has MEMORY: cache support]) + + SQUID_CHECK_WORKING_GSSAPI + SQUID_DEFINE_BOOL(HAVE_GSSAPI,$squid_cv_working_gssapi,[GSSAPI support]) + + SQUID_CHECK_SPNEGO_SUPPORT + SQUID_DEFINE_BOOL(HAVE_SPNEGO,$squid_cv_have_spnego,[SPNEGO support]) + + SQUID_CHECK_WORKING_KRB5 + SQUID_DEFINE_BOOL(HAVE_KRB5,$squid_cv_working_krb5,[KRB5 support]) +]) + diff -ru trunk/configure.ac trunk-mm/configure.ac --- trunk/configure.ac 2014-07-22 19:57:06.041620000 +0100 +++ trunk-mm/configure.ac 2014-08-10 11:32:05.168642710 +0100 
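Review bot: SQUID_CHECK_KRB5_FUNCS is introduced only by the one-line `dnl checks for existence of krb5 functions`, but it has real preconditions that its callers in configure.ac satisfy by hand (CXXFLAGS and LIBS must already carry the selected flavour's include and library flags, and the macro defines HAVE_KRB5_MEMORY_CACHE, HAVE_GSSAPI, HAVE_SPNEGO and HAVE_KRB5 through SQUID_DEFINE_BOOL as a side effect); a header comment such as `dnl Requires CXXFLAGS/LIBS to already contain the chosen Kerberos flavour's flags; defines HAVE_KRB5_MEMORY_CACHE, HAVE_GSSAPI, HAVE_SPNEGO and HAVE_KRB5` would keep a future caller from running it against an empty LIBS. The `AC_CHECK_LIB(krb5, ...)` probes are moved from configure.ac unchanged, but the old block also ran `SQUID_CHECK_MAX_SKEW_IN_KRB5_CONTEXT` and defined HAVE_MAX_SKEW_IN_KRB5_CONTEXT, and that check has no counterpart in the new macro; if dropping it is intended it deserves a sentence in the change description, otherwise it belongs here next to SQUID_CHECK_KRB5_CONTEXT_MEMORY_CACHE. The `grep -i` issue in the new working-krb5 notice is the same one raised on the working-gssapi hunk above.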
@@ -1345,6 +1345,684 @@ AM_CONDITIONAL(ENABLE_SSL,[ test "x$with_openssl" = "xyes" ]) AC_SUBST(SSLLIB) +dnl User may specify MIT Kerberos is needed from a non-standard location +AC_ARG_WITH(mit-krb5, + AS_HELP_STRING([--with-mit-krb5=PATH], + [Compile with the MIT Kerberos libraries. The path to + the MIT Kerberos development libraries and headers + installation can be specified if outside of the + system standard directories]), [ +case "$with_mit_krb5" in + yes|no) + : # Nothing special to do here + ;; + *) + if test ! -d "$withval" ; then + AC_MSG_ERROR([--with-mit-krb5 path does not point to a directory]) + fi + if test -d "$with_mit_krb5/lib64" ; then + LIB_KRB5_PATH="-L$with_mit_krb5/lib64 -L$with_mit_krb5/lib" + else + LIB_KRB5_PATH="-L$with_mit_krb5/lib" + fi + CXXFLAGS="-I$with_mit_krb5/include $CXXFLAGS" + krb5confpath="$with_mit_krb5/bin" + with_mit_krb5=yes +esac +]) +AH_TEMPLATE(USE_MIT_KRB5,[MIT Kerberos support is available]) +AH_TEMPLATE(USE_SOLARIS_KRB5,[Solaris Kerberos support is available]) + +dnl User may specify Heimdal Kerberos is needed from a non-standard location +AC_ARG_WITH(heimdal-krb5, + AS_HELP_STRING([--with-heimdal-krb5=PATH], + [Compile with the Heimdal Kerberos libraries. The path to + the Heimdal Kerberos development libraries and headers + installation can be specified if outside of the + system standard directories]), [ +case "$with_heimdal_krb5" in + yes|no) + : # Nothing special to do here + ;; + *) + if test ! 
-d "$withval" ; then + AC_MSG_ERROR([--with-heimdal-krb5 path does not point to a directory]) + fi + if test -d "$with_heimdal_krb5/lib64" ; then + LIB_KRB5_PATH="-L$with_heimdal_krb5/lib64 -L$with_heimdal_krb5/lib" + else + LIB_KRB5_PATH="-L$with_heimdal_krb5/lib" + fi + CXXFLAGS="-I$with_heimdal_krb5/include $CXXFLAGS" + krb5confpath="$with_heimdal_krb5/bin" + with_heimdal_krb5=yes +esac +]) +AH_TEMPLATE(USE_HEIMDAL_KRB5,[Heimdal Kerberos support is available]) + + + +dnl User may specify GNU gss is needed from a non-standard location +AC_ARG_WITH(gnugss, + AS_HELP_STRING([--with-gnugss=PATH], + [Compile with the GNU gss libraries. The path to + the GNU gss development libraries and headers + installation can be specified if outside of the + system standard directories]), [ +case "$with_gnugss" in + yes|no) + : # Nothing special to do here + ;; + *) + if test ! -d "$withval" ; then + AC_MSG_ERROR([--with-gnugss path does not point to a directory]) + fi + if test ! -d "$with_gnugss/lib64" ; then + LIB_KRB5_PATH="-L$with_gnugss/lib64 -L$with_gnugss/lib" + else + LIB_KRB5_PATH="-L$with_gnugss/lib" + fi + CXXFLAGS="-I$with_gnugss/include $CXXFLAGS" + krb5confpath= + with_gnugss=yes +esac +]) +AH_TEMPLATE(USE_GNUGSS,[GNU gss support is available]) + +# determine krb5 conflicts +ac_with_krb5_count=0 +if test "x$with_mit_krb5" = "xyes"; then + ac_with_krb5_count=`expr $ac_with_krb5_count + 1` +fi +if test "x$with_heimdal_krb5" = "xyes"; then + ac_with_krb5_count=`expr $ac_with_krb5_count + 1` +fi +if test "x$with_gnugss" = "xyes"; then + ac_with_krb5_count=`expr $ac_with_krb5_count + 1` +fi + +if test $ac_with_krb5_count -gt 1 ; then + AC_MSG_ERROR([Please choose only one Kerberos library.]) +elif test $ac_with_krb5_count -eq 0 ; then + # find installed libs via pkg-config or krb5-config + PKG_CHECK_EXISTS(gssapi-krb5 krb5, [with_mit_krb5=yes]) + PKG_CHECK_EXISTS(heimdal-gssapi, [with_heimdal_krb5=yes]) + PKG_CHECK_EXISTS(gss, [with_gnugss=yes]) + if test 
"x$with_mit_krb5" = "xyes"; then + ac_with_krb5_count=`expr $ac_with_krb5_count + 1` + fi + if test "x$with_heimdal_krb5" = "xyes"; then + ac_with_krb5_count=`expr $ac_with_krb5_count + 1` + fi + if test "x$with_gnugss" = "xyes"; then + ac_with_krb5_count=`expr $ac_with_krb5_count + 1` + fi + if test $ac_with_krb5_count -gt 1 ; then + AC_MSG_ERROR([pkg-config found multiple Kerberos library. Please select one with --with-]) + elif test $ac_with_krb5_count -eq 0 ; then + # Look for krb5-config + AC_PATH_PROG(krb5_config,krb5-config,no) + if test "x$ac_cv_path_krb5_config" != "xno" ; then + krb5confpath="`dirname $ac_cv_path_krb5_config`" + ac_heimdal="`$ac_cv_path_krb5_config --version 2>/dev/null | grep -c -i heimdal`" + ac_solaris="`$ac_cv_path_krb5_config --version 2>/dev/null | grep -c -i solaris`" + if test $ac_heimdal -gt 0 ; then + with_heimdal_krb5=yes + ac_with_krb5_count=1 + fi + if test $ac_solaris -gt 0 ; then + with_solaris_krb5=yes + ac_with_krb5_count=1 + fi + if test $ac_heimdal -eq 0 && test $ac_solaris -eq 0 ; then + with_mit_krb5=yes + ac_with_krb5_count=1 + fi + else + AC_MSG_ERROR([Could not find krb5-config in path]) + fi + fi +fi + +if test "x$with_mit_krb5" = "xyes"; then + SQUID_STATE_SAVE([squid_krb5_save]) + LIBS="$LIBS $LIB_KRB5_PATH" + + # auto-detect using pkg-config + PKG_CHECK_MODULES([LIB_KRB5],[gssapi-krb5 krb5],,[ + # look for krb5-config + if test "x$krb5confpath" = "x" ; then + AC_PATH_PROG(krb5_config,krb5-config,no) + if test "x$ac_cv_path_krb5_config" != "xno" ; then + ac_krb5_config="$ac_cv_path_krb5_config" + fi + else + ac_krb5_config="$krb5confpath/krb5-config" + fi + if test "x$ac_krb5_config" != "x" && test -x "$ac_krb5_config"; then + # Get libs, etc + AC_MSG_NOTICE([Use krb5-config to get CXXFLAGS and LIBS]) + LIB_KRB5_CFLAGS="`$ac_krb5_config --cflags krb5 2>/dev/null`" + LIB_KRB5_LIBS="`$ac_krb5_config --libs krb5 2>/dev/null`" + LIB_KRB5_CFLAGS="`$ac_krb5_config --cflags gssapi 2>/dev/null` $LIB_KRB5_CFLAGS" + 
LIB_KRB5_LIBS="`$ac_krb5_config --libs gssapi 2>/dev/null` $LIB_KRB5_LIBS" + else + ## For some OS pkg-config is broken or unavailable. + ## Detect libraries the hard way. + + AC_MSG_NOTICE([Try to find Kerberos libraries in given path]) + AC_CHECK_LIB(com_err, [main], [LIB_KRB5_LIBS="-lcom_err $LIB_KRB5_LIBS"],[ + AC_MSG_ERROR([library 'com_err' is required for MIT Kerberos]) + ]) + AC_CHECK_LIB(k5crypto, [main], [LIB_KRB5_LIBS="-lk5crypto $LIB_KRB5_LIBS"],[ + AC_MSG_ERROR([library 'k5crypto' is required for MIT Kerberos]) + ]) + AC_CHECK_LIB(krb5, [main], [LIB_KRB5_LIBS="-lkrb5 $LIB_KRB5_LIBS"],[ + AC_MSG_ERROR([library 'krb5' is required for MIT Kerberos]) + ]) + AC_CHECK_LIB(gssapi_krb5, [main], [LIB_KRB5_LIBS="-lgssapi_krb5 $LIB_KRB5_LIBS"],[ + AC_MSG_ERROR([library 'gssapi_krb5' is required for MIT Kerberos]) + ]) + fi + + ]) + + if test "x$LIB_KRB5_LIBS" != "x"; then + KRB5LIBS="$LIB_KRB5_PATH $LIB_KRB5_LIBS $KRB5LIBS" + KRB5INCS="$LIB_KRB5_CFLAGS" + AC_DEFINE(USE_MIT_KRB5,1,[MIT Kerberos support is available]) + KRB5_FLAVOUR="MIT" + + # check for other specific broken implementations + CXXFLAGS="$CXXFLAGS $KRB5INCS" + LIBS="$LIBS $KRB5LIBS" + + AC_MSG_NOTICE([Try to find Kerberos headers in given path]) + AC_CHECK_HEADERS(gssapi.h gssapi/gssapi.h gssapi/gssapi_krb5.h) + AC_CHECK_HEADERS(gssapi/gssapi_generic.h) + AC_CHECK_HEADERS(krb5.h com_err.h et/com_err.h) + AC_CHECK_HEADERS(profile.h) + + if test `echo $KRB5LIBS | grep -c com_err` -ne 0 -a "x$ac_com_error_message" = "xyes" ; then + AC_CHECK_LIB(com_err,error_message, + AC_DEFINE(HAVE_ERROR_MESSAGE,1, + [Define to 1 if you have error_message]),) + elif test "x$ac_com_error_message" = "xyes" ; then + AC_CHECK_LIB(krb5,error_message, + AC_DEFINE(HAVE_ERROR_MESSAGE,1, + [Define to 1 if you have error_message]),) + fi + + SQUID_CHECK_KRB5_FUNCS + + fi + if test "x$KRB5LIBS" = "x"; then + AC_MSG_ERROR([Required Kerberos library not found]) + ac_with_krb5_count=0 + fi + + 
SQUID_STATE_ROLLBACK([squid_krb5_save]) +fi + +if test "x$with_solaris_krb5" = "xyes"; then + SQUID_STATE_SAVE([squid_krb5_save]) + LIBS="$LIBS $LIB_KRB5_PATH" + + # no pkg-config for solaris native Kerberos + # look for krb5-config + if test "x$krb5confpath" = "x" ; then + AC_PATH_PROG(krb5_config,krb5-config,no) + if test "x$ac_cv_path_krb5_config" != "xno" ; then + ac_krb5_config="$ac_cv_path_krb5_config" + fi + else + ac_krb5_config="$krb5confpath/krb5-config" + fi + if test "x$ac_krb5_config" != "x" && test -x "$ac_krb5_config"; then + # Get libs, etc + AC_MSG_NOTICE([Use krb5-config to get CXXFLAGS and LIBS]) + LIB_KRB5_CFLAGS="`$ac_krb5_config --cflags krb5 2>/dev/null`" + LIB_KRB5_LIBS="`$ac_krb5_config --libs krb5 2>/dev/null`" + LIB_KRB5_CFLAGS="`$ac_krb5_config --cflags gssapi 2>/dev/null` $LIB_KRB5_CFLAGS" + LIB_KRB5_LIBS="`$ac_krb5_config --libs gssapi 2>/dev/null` $LIB_KRB5_LIBS" + else + ## For some OS pkg-config is broken or unavailable. + ## Detect libraries the hard way. 
+ + CXXFLAGS="-I/usr/include/kerberosv5 $CXXFLAGS" + + AC_MSG_NOTICE([Try to find Kerberos libraries in given path]) + AC_CHECK_LIB(krb5, [main], [LIB_KRB5_LIBS="-lkrb5 $LIB_KRB5_LIBS"],[ + AC_MSG_ERROR([library 'krb5' is required for Solaris Kerberos]) + ]) + AC_CHECK_LIB(gss, [main], [LIB_KRB5_LIBS="-lgss $LIB_KRB5_LIBS"],[ + AC_MSG_ERROR([library 'gss' is required for Solaris Kerberos]) + ]) + fi + + if test "x$LIB_KRB5_LIBS" != "x"; then + KRB5LIBS="$LIB_KRB5_PATH $LIB_KRB5_LIBS $KRB5LIBS" + KRB5INCS="$LIB_KRB5_CFLAGS" + AC_DEFINE(USE_SOLARIS_KRB5,1,[Solaris Kerberos support is available]) + KRB5_FLAVOUR="Solaris" + + # check for other specific broken implementations + CXXFLAGS="$CXXFLAGS $KRB5INCS" + LIBS="$LIBS $KRB5LIBS" + + AC_MSG_NOTICE([Try to find Kerberos headers in given path]) + AC_CHECK_HEADERS(gssapi/gssapi.h gssapi/gssapi_ext.h) + AC_CHECK_HEADERS(krb5.h com_err.h) + + SQUID_CHECK_KRB5_SOLARIS_BROKEN_KRB5_H + if test "x$squid_cv_broken_krb5_h" = "xyes"; then + AC_DEFINE(HAVE_BROKEN_SOLARIS_KRB5_H, 1, [Define to 1 if Solaris krb5.h is broken for C++]) + AC_MSG_WARN([You have a broken Solaris system include.]) + AC_MSG_WARN([Please see http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=6837512]) + AC_MSG_WARN([If you need Kerberos support you will have to patch]) + AC_MSG_WARN([your system. 
See contrib/solaris/solaris-krb5-include.patch]) + fi + + SQUID_CHECK_KRB5_FUNCS + + fi + if test "x$KRB5LIBS" = "x"; then + AC_MSG_ERROR([Required Kerberos library not found]) + ac_with_krb5_count=0 + fi + + SQUID_STATE_ROLLBACK([squid_krb5_save]) +fi + +if test "x$with_heimdal_krb5" = "xyes"; then + SQUID_STATE_SAVE([squid_krb5_save]) + LIBS="$LIBS $LIB_KRB5_PATH" + + # auto-detect using pkg-config + PKG_CHECK_MODULES([LIB_KRB5],[heimdal-gssapi],,[ + # look for krb5-config + if test "x$krb5confpath" = "x" ; then + AC_PATH_PROG(krb5_config,krb5-config,no) + if test "x$ac_cv_path_krb5_config" != "xno" ; then + ac_krb5_config="$ac_cv_path_krb5_config" + fi + else + ac_krb5_config="$krb5confpath/krb5-config" + fi + if test "x$ac_krb5_config" != "x" && test -x "$ac_krb5_config"; then + # Get libs, etc + AC_MSG_NOTICE([Use krb5-config to get CXXFLAGS and LIBS]) + LIB_KRB5_CFLAGS="`$ac_krb5_config --cflags krb5 2>/dev/null`" + LIB_KRB5_LIBS="`$ac_krb5_config --libs krb5 2>/dev/null`" + LIB_KRB5_CFLAGS="`$ac_krb5_config --cflags gssapi 2>/dev/null` $LIB_KRB5_CFLAGS" + LIB_KRB5_LIBS="`$ac_krb5_config --libs gssapi 2>/dev/null` $LIB_KRB5_LIBS" + else + ## For some OS pkg-config is broken or unavailable. + ## Detect libraries the hard way. 
+ + AC_MSG_NOTICE([Try to find Kerberos libraries in given path]) + AC_CHECK_LIB(resolv, [main], [LIB_KRB5_LIBS="-lresolv $LIB_KRB5_LIBS"],[ + AC_MSG_ERROR([library 'resolv' is required for Heimdal Kerberos]) + ]) + AC_CHECK_LIB(crypt, [main], [LIB_KRB5_LIBS="-lcrypt $LIB_KRB5_LIBS"],[ + AC_MSG_ERROR([library 'crypt' is required for Heimdal Kerberos]) + ]) + AC_CHECK_LIB(roken, [main], [LIB_KRB5_LIBS="-lroken $LIB_KRB5_LIBS"],[ + AC_MSG_ERROR([library 'roken' is required for Heimdal Kerberos]) + ]) + AC_CHECK_LIB(heimbase, [main], [LIB_KRB5_LIBS="-lheimbase $LIB_KRB5_LIBS"],[ + AC_MSG_WARN([library 'heimbase' may be required for Heimdal Kerberos]) + ]) + AC_CHECK_LIB(wind, [main], [LIB_KRB5_LIBS="-lwind $LIB_KRB5_LIBS"],[ + AC_MSG_WARN([library 'wind' may be required for Heimdal Kerberos]) + ]) + AC_CHECK_LIB(crypto, [main], [LIB_KRB5_LIBS="-lcrypto $LIB_KRB5_LIBS"],[ + AC_MSG_ERROR([library 'crypto' is required for Heimdal Kerberos]) + ]) + AC_CHECK_LIB(com_err, [main], [LIB_KRB5_LIBS="-lcom_err $LIB_KRB5_LIBS"],[ + AC_MSG_ERROR([library 'com_err' is required for Heimdal Kerberos]) + ]) + AC_CHECK_LIB(hx509, [main], [LIB_KRB5_LIBS="-lhx509 $LIB_KRB5_LIBS"],[ + AC_MSG_WARN([library 'hx509' may be required for Heimdal Kerberos]) + ]) + AC_CHECK_LIB(asn1, [main], [LIB_KRB5_LIBS="-lasn1 $LIB_KRB5_LIBS"],[ + AC_MSG_ERROR([library 'asn1' is required for Heimdal Kerberos]) + ]) + AC_CHECK_LIB(krb5, [main], [LIB_KRB5_LIBS="-lkrb5 $LIB_KRB5_LIBS"],[ + AC_MSG_ERROR([library 'krb5' is required for Heimdal Kerberos]) + ]) + AC_CHECK_LIB(heimntlm, [main], [LIB_KRB5_LIBS="-lheimntlm $LIB_KRB5_LIBS"],[ + AC_MSG_WARN([library 'heimntlm' may be required for Heimdal Kerberos]) + ]) + AC_CHECK_LIB(gssapi, [main], [LIB_KRB5_LIBS="-lgssapi $LIB_KRB5_LIBS"],[ + AC_MSG_ERROR([library 'gssapi' is required for Heimdal Kerberos]) + ]) + fi + + ]) + if test "x$LIB_KRB5_LIBS" != "x"; then + KRB5LIBS="$LIB_KRB5_PATH $LIB_KRB5_LIBS $KRB5LIBS" + KRB5INCS="$LIB_KRB5_CFLAGS" + 
AC_DEFINE(USE_HEIMDAL_KRB5,1,[Heimdal Kerberos support is available]) + KRB5_FLAVOUR="Heimdal" + + # check for other specific broken implementations + CXXFLAGS="$CXXFLAGS $KRB5INCS" + LIBS="$LIBS $KRB5LIBS" + + AC_MSG_NOTICE([Try to find Kerberos headers in given path]) + AC_CHECK_HEADERS(gssapi.h gssapi/gssapi.h gssapi/gssapi_krb5.h) + AC_CHECK_HEADERS(krb5.h com_err.h et/com_err.h) + + SQUID_CHECK_KRB5_HEIMDAL_BROKEN_KRB5_H + if test "x$squid_cv_broken_heimdal_krb5_h" = "xyes"; then + AC_DEFINE(HAVE_BROKEN_HEIMDAL_KRB5_H, 1, [Define to 1 if Heimdal krb5.h is broken for C++]) + fi + + if test `echo $KRB5LIBS | grep -c com_err` -ne 0 -a "x$ac_com_error_message" = "xyes" ; then + AC_CHECK_LIB(com_err,error_message, + AC_DEFINE(HAVE_ERROR_MESSAGE,1, + [Define to 1 if you have error_message]),) + elif test "x$ac_com_error_message" = "xyes" ; then + AC_CHECK_LIB(krb5,error_message, + AC_DEFINE(HAVE_ERROR_MESSAGE,1, + [Define to 1 if you have error_message]),) + fi + + SQUID_CHECK_KRB5_FUNCS + + fi + if test "x$KRB5LIBS" = "x"; then + AC_MSG_ERROR([Required Kerberos library not found]) + ac_with_krb5_count=0 + fi + + SQUID_STATE_ROLLBACK([squid_krb5_save]) +fi + +if test "x$with_gnugss" = "xyes"; then + SQUID_STATE_SAVE([squid_krb5_save]) + LIBS="$LIBS $LIB_KRB5_PATH" + + # auto-detect using pkg-config + PKG_CHECK_MODULES([LIB_KRB5],[gss],,[ + ## For some OS pkg-config is broken or unavailable. + ## Detect libraries the hard way. 
+ + AC_MSG_NOTICE([Try to find Kerberos libraries in given path]) + AC_CHECK_LIB(gss, [main], [LIB_KRB5_LIBS="-lgss $LIB_KRB5_LIBS"],[ + AC_MSG_ERROR([library 'com_err' is required for GNU Kerberos]) + ]) + + ]) + + if test "x$LIB_KRB5_LIBS" != "x"; then + KRB5LIBS="$LIB_KRB5_PATH $LIB_KRB5_LIBS $KRB5LIBS" + KRB5INCS="$LIB_KRB5_CFLAGS" + AC_DEFINE(USE_GNUGSS,1,[GNU Kerberos support is available]) + KRB5_FLAVOUR="GNU GSS" + + # check for other specific broken implementations + CXXFLAGS="$CXXFLAGS $KRB5INCS" + LIBS="$LIBS $KRB5LIBS" + + AC_MSG_NOTICE([Try to find Kerbeors headers in given path]) + AC_CHECK_HEADERS(gss.h) + + SQUID_CHECK_WORKING_GSSAPI + SQUID_DEFINE_BOOL(HAVE_GSSAPI,$squid_cv_working_gssapi,[GSSAPI support]) + + SQUID_CHECK_SPNEGO_SUPPORT + SQUID_DEFINE_BOOL(HAVE_SPNEGO,$squid_cv_have_spnego,[SPNEGO support]) + + SQUID_CHECK_WORKING_KRB5 + SQUID_DEFINE_BOOL(HAVE_KRB5,$squid_cv_working_krb5,[KRB5 support]) + + fi + if test "x$KRB5LIBS" = "x"; then + AC_MSG_ERROR([Required Kerberos library not found]) + ac_with_krb5_count=0 + fi + + SQUID_STATE_ROLLBACK([squid_krb5_save]) +fi +if test $ac_with_krb5_count -gt 0 ; then + with_krb5=yes +fi +AC_MSG_NOTICE([$KRB5_FLAVOUR Kerberos library support: ${with_krb5:=no} ${LIB_KRB5_PATH} ${LIB_KRB5_LIBS}]) +AC_SUBST(KRB5INCS) +AC_SUBST(KRB5LIBS) +AM_CONDITIONAL(HAVE_SPNEGO, test x"$squid_cv_have_spnego" = x"yes" ) + +dnl On MinGW OpenLDAP is not available, so LDAP helpers can be linked +dnl only with Windows LDAP libraries using -lwldap32 +case "$squid_host_os" in + mingw) + LDAPLIB="-lwldap32" + LBERLIB="" + ;; + *) + AC_CHECK_LIB(ldap, ldap_init, [LDAPLIB="-lldap"]) + dnl LDAP helpers need to know if -llber is needed or not + AC_CHECK_LIB(lber, ber_init, [LBERLIB="-llber"]) + dnl if no ldap lib found check for mozilla version + if test "x$ac_cv_lib_ldap_ldap_init" != x""yes; then + oLIBS=$LIBS + LIBS="$LIBPTHREADS" + AC_CHECK_LIB(ldap60, ldap_init, [LDAPLIB="-lldap60"]) + LIBS="$LDAPLIB $LIBPTHREADS" + 
AC_CHECK_LIB(prldap60, prldap_init, [LDAPLIB="-lprldap60 $LDAPLIB"]) + LIBS="$LDAPLIB $LIBPTHREADS" + AC_CHECK_LIB(ssldap60, ldapssl_init, [LDAPLIB="-lssldap60 $LDAPLIB"]) + LIBS=$oLIBS + fi + + AC_CHECK_HEADERS(ldap.h lber.h) + AC_CHECK_HEADERS(mozldap/ldap.h) + + dnl + dnl Check for LDAP_OPT_DEBUG_LEVEL + dnl + AC_MSG_CHECKING([for LDAP_OPT_DEBUG_LEVEL]) + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ +# include + ]],[[ + int i=LDAP_OPT_DEBUG_LEVEL + ]])], + [ AC_MSG_RESULT(yes) ], + [ AC_MSG_RESULT(no) ]) + + dnl + dnl Check for working ldap + dnl + oLIBS=$LIBS + LIBS="$LDAPLIB $LBERLIB $LIBPTHREADS" + AC_MSG_CHECKING([for working ldap]) + AC_RUN_IFELSE([AC_LANG_SOURCE([[ +# define LDAP_DEPRECATED 1 +# if HAVE_LDAP_H +# include +# elif HAVE_MOZLDAP_LDAP_H +# include +# endif + int + main(void) + { + char host[]=""; + int port; + + ldap_init((const char *)&host, port); + + return 0; + } + ]])], + [ AC_DEFINE(HAVE_LDAP, 1, [LDAP support]) + AC_MSG_RESULT(yes) ], + [ AC_MSG_RESULT(no) ], + [ AC_MSG_RESULT(cross-compiler cant tell) ]) + LIBS=$oLIBS + + dnl + dnl Check for ldap vendor + dnl + AC_MSG_CHECKING([for OpenLDAP]) + AC_RUN_IFELSE([AC_LANG_SOURCE([[ +# if HAVE_LDAP_H +# include +# endif +# include + int + main(void) + { + return strcmp(LDAP_VENDOR_NAME,"OpenLDAP"); + } + ]])], + [ AC_DEFINE(HAVE_OPENLDAP, 1, [OpenLDAP support]) + AC_MSG_RESULT(yes) ], + [ AC_MSG_RESULT(no) ], + [ AC_MSG_RESULT(cross-compiler cant tell) ]) + + AC_MSG_CHECKING([for Sun LDAP SDK]) + AC_RUN_IFELSE([AC_LANG_SOURCE([[ +# if HAVE_LDAP_H +# include +# endif +# include + int + main(void) + { + return strcmp(LDAP_VENDOR_NAME,"Sun Microsystems Inc."); + } + ]])], + [ AC_DEFINE(HAVE_SUN_LDAP_SDK, 1, [Sun LDAP SDK support]) + AC_MSG_RESULT(yes) ], + [ AC_MSG_RESULT(no) ], + [ AC_MSG_RESULT(cross-compiler cant tell) ]) + + AC_MSG_CHECKING([for Mozilla LDAP SDK]) + AC_RUN_IFELSE([AC_LANG_SOURCE([[ +# if HAVE_LDAP_H +# include +# elif HAVE_MOZLDAP_LDAP_H +# include +# endif +# include + int + 
main(void) + { + return strcmp(LDAP_VENDOR_NAME,"mozilla.org"); + } + ]])], + [ AC_DEFINE(HAVE_MOZILLA_LDAP_SDK, 1, [Mozilla LDAP SDK support]) + AC_MSG_RESULT(yes) ], + [ AC_MSG_RESULT(no)], + [ AC_MSG_RESULT(cross-compiler cant tell) ]) + + dnl + dnl Check for LDAP_REBINDPROC_CALLBACK + dnl + AC_MSG_CHECKING([for LDAP_REBINDPROC_CALLBACK]) + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ +# if HAVE_LDAP_H +# include +# elif HAVE_MOZLDAP_LDAP_H +# include +# endif + ]],[[ + LDAP_REBINDPROC_CALLBACK ldap_rebind; + ]])], + [ AC_DEFINE(HAVE_LDAP_REBINDPROC_CALLBACK,1,[Define to 1 if you have LDAP_REBINDPROC_CALLBACK]) + AC_MSG_RESULT(yes) ], + [ AC_MSG_RESULT(no) ]) + + dnl + dnl Check for LDAP_REBIND_PROC + dnl + AC_MSG_CHECKING([for LDAP_REBIND_PROC]) + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ +# if HAVE_LDAP_H +# include +# elif HAVE_MOZLDAP_LDAP_H +# include +# endif + ]],[[ + LDAP_REBIND_PROC ldap_rebind; + ]])], + [ AC_DEFINE(HAVE_LDAP_REBIND_PROC,1,[Define to 1 if you have LDAP_REBIND_PROC]) + AC_MSG_RESULT(yes) ], + [ AC_MSG_RESULT(no) ]) + + dnl + dnl Check for LDAP_REBIND_FUNCTION + dnl + AC_MSG_CHECKING([for LDAP_REBIND_FUNCTION]) + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ +# define LDAP_REFERRALS +# if HAVE_LDAP_H +# include +# elif HAVE_MOZLDAP_LDAP_H +# include +# endif + ]],[[ + LDAP_REBIND_FUNCTION ldap_rebind; + ]])], + [ AC_DEFINE(HAVE_LDAP_REBIND_FUNCTION,1,[Define to 1 if you have LDAP_REBIND_FUNCTION]) + AC_MSG_RESULT(yes) ], + [ AC_MSG_RESULT(no) ]) + + dnl + dnl Check for LDAP_SCOPE_DEFAULT + dnl + AC_MSG_CHECKING([for LDAP_SCOPE_DEFAULT]) + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ +# if HAVE_LDAP_H +# include +# elif HAVE_MOZLDAP_LDAP_H +# include +# endif + ]],[[ + int i=LDAP_SCOPE_DEFAULT; + ]])], + [ AC_DEFINE(HAVE_LDAP_SCOPE_DEFAULT,1,[Define to 1 if you have LDAP_SCOPE_DEFAULT]) + AC_MSG_RESULT(yes) ], + [ AC_MSG_RESULT(no) ]) + + dnl + dnl Check for ldap_url_desc.lud_scheme + dnl + AC_CHECK_MEMBER(struct ldap_url_desc.lud_scheme, + 
AC_DEFINE(HAVE_LDAP_URL_LUD_SCHEME,1, + [Define to 1 if you have LDAPURLDesc.lud_scheme]),,[#include ]) + + dnl + dnl Check for ldapssl_client_init + dnl + AC_CHECK_LIB(ldap,ldapssl_client_init, + AC_DEFINE(HAVE_LDAPSSL_CLIENT_INIT,1,[Define to 1 if you have ldapssl_client_init]),) + + dnl + dnl Check for ldap_url_desc2str + dnl + AC_CHECK_LIB(ldap,ldap_url_desc2str, + AC_DEFINE(HAVE_LDAP_URL_DESC2STR,1,[Define to 1 if you have ldap_url_desc2str]),) + + dnl + dnl Check for ldap_url_parse + dnl + AC_CHECK_LIB(ldap,ldap_url_parse, + AC_DEFINE(HAVE_LDAP_URL_PARSE,1,[Define to 1 if you have ldap_url_parse]),) + + dnl + dnl Check for ldap_start_tls_s + dnl + AC_CHECK_LIB(ldap,ldap_start_tls_s, + AC_DEFINE(HAVE_LDAP_START_TLS_S,1,[Define to 1 if you have ldap_start_tls_s]),) + ;; +esac + +AC_SUBST(LDAPLIB) +AC_SUBST(LBERLIB) + AC_ARG_ENABLE(forw-via-db, AS_HELP_STRING([--enable-forw-via-db],[Enable Forw/Via database]), [ SQUID_YESNO([$enableval],[unrecognized argument to --enable-forw-via-db: $enableval]) 
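Review bot: The lib64 test in the `--with-gnugss` branch is inverted: `if test ! -d "$with_gnugss/lib64" ; then` adds `-L$with_gnugss/lib64` only when that directory does not exist, the opposite of the MIT and Heimdal branches, and should read `if test -d "$with_gnugss/lib64" ; then`. Second, the MIT and Heimdal blocks still gate their `error_message` probes on `"x$ac_com_error_message" = "xyes"`, but nothing in the new code assigns that variable (the `AC_EGREP_HEADER` that set it is part of the block deleted in the @@ -1840,172 +2518,6 @@ hunk), so HAVE_ERROR_MESSAGE can no longer be defined and the `com_err.h`/`et/com_err.h` grep needs to be re-added before those branches. Third, as far as the visible logic shows, when no flavour is requested and neither pkg-config nor `AC_PATH_PROG(krb5_config,...)` finds anything, `AC_MSG_ERROR([Could not find krb5-config in path])` aborts configure, so a host without any Kerberos development package can no longer build at all, and the `--with-krb5-config=no` opt-out this change removes has no replacement; a `--without-krb5`-style option, or turning that error into a notice that leaves `with_krb5=no`, would restore the previous optional behaviour. Finally, the gss `AC_CHECK_LIB` failure message names 'com_err' where it should name 'gss', and the notice text reads "Kerbeors".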
@@ -1840,172 +2518,6 @@ ]) m4_include([helpers/log_daemon/modules.m4]) -dnl -dnl Check Kerberos/GSSAPI/SPNEGO -dnl -SQUID_STATE_SAVE([krbsave]) - -AC_ARG_WITH(krb5-config, - AS_HELP_STRING([--with-krb5-config=PATH], - [specify path to krb5-config (default=detect)]), [ -case "$withval" in - yes) unset krb5confpath ;; - no) krb5confpath=no ;; - *) krb5confpath=$withval ;; -esac -]) -if test x"$krb5confpath" != "xno"; then - if test "x$krb5confpath" != "x"; then - if ! test -x "$krb5confpath"; then - AC_MSG_WARN([krb5-config '$krb5confpath' not executable, ignoring]) - AC_CHECK_PROG(ac_krb5_config, krb5-config, yes, no) - krb5confpath=krb5-config - fi - krb5_config_path=`dirname $krb5confpath` - AC_CHECK_PROG(ac_krb5_config, krb5-config, yes, no, $krb5_config_path) - else - AC_CHECK_PROG(ac_krb5_config,krb5-config,yes,no) - krb5confpath=krb5-config - fi -fi -if test "x$ac_krb5_config" = "xyes" ; then - ac_heimdal="`$krb5confpath --version 2>/dev/null | grep -i heimdal`" - ac_solaris="`$krb5confpath --version 2>/dev/null | grep -i solaris`" - if test "x$ac_heimdal" != "x" ; then - AC_DEFINE(HAVE_HEIMDAL_KERBEROS,1,[Define to 1 if you have Heimdal Kerberos]) - else - AC_DEFINE(HAVE_MIT_KERBEROS,1,[Define to 1 if you have MIT Kerberos]) - fi - if test "x$ac_solaris" != "x" ; then - KRB5INCS="`$krb5confpath --cflags krb5 2>/dev/null`" - KRB5LIBS="`$krb5confpath --libs krb5 2>/dev/null`" - KRB5INCS="-I/usr/include/gssapi $KRB5INCS" - KRB5LIBS="-L/usr/lib -R/usr/lib -lgss -lresolv -lsocket -lnsl $KRB5LIBS" - else - KRB5INCS="`$krb5confpath --cflags krb5 2>/dev/null`" - KRB5LIBS="`$krb5confpath --libs krb5 2>/dev/null`" - KRB5INCS="`$krb5confpath --cflags gssapi 2>/dev/null` $KRB5INCS" - KRB5LIBS="`$krb5confpath --libs gssapi 2>/dev/null` $KRB5LIBS" - fi - CPPFLAGS="$CPPFLAGS $KRB5INCS" - LIBS="$LIBS $KRB5LIBS" - AC_CHECK_HEADERS(gssapi.h gssapi/gssapi.h gssapi/gssapi_krb5.h) - if test "x$ac_heimdal" = "x" ; then - AC_CHECK_HEADERS(gssapi/gssapi_generic.h) - 
AC_CHECK_HEADERS(profile.h) - fi - - SQUID_CHECK_KRB5_SOLARIS_BROKEN_KRB5_H - if test "x$squid_cv_broken_krb5_h" = "xyes"; then - AC_DEFINE(HAVE_BROKEN_SOLARIS_KRB5_H, 1, [Define to 1 if Solaris krb5.h is broken for C++]) - AC_MSG_WARN([You have a broken Solaris system include.]) - AC_MSG_WARN([Please see http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=6837512]) - AC_MSG_WARN([If you need Kerberos support you'll have to patch]) - AC_MSG_WARN([your system. See contrib/solaris/solaris-krb5-include.patch]) - fi - SQUID_CHECK_KRB5_HEIMDAL_BROKEN_KRB5_H - if test "x$squid_cv_broken_heimdal_krb5_h" = "xyes"; then - AC_DEFINE(HAVE_BROKEN_HEIMDAL_KRB5_H, 1, [Define to 1 if Heimdal krb5.h is broken for C++]) - fi - AC_CHECK_HEADERS(krb5.h com_err.h et/com_err.h) - - ac_com_error_message=no - if test "x$ac_cv_header_com_err_h" = "xyes" ; then - AC_EGREP_HEADER(error_message,com_err.h,ac_com_error_message=yes) - elif test "x$ac_cv_header_et_com_err_h" = "xyes" ; then - AC_EGREP_HEADER(error_message,et/com_err.h,ac_com_error_message=yes) - fi - - SQUID_CHECK_MAX_SKEW_IN_KRB5_CONTEXT - if test "x$squid_cv_max_skew_context" = "xyes"; then - AC_DEFINE(HAVE_MAX_SKEW_IN_KRB5_CONTEXT, 1, [Define to 1 if max_skew in struct krb5_context]) - fi - - if test `echo $KRB5LIBS | grep -c com_err` -ne 0 -a "x$ac_com_error_message" = "xyes" ; then - AC_CHECK_LIB(com_err,error_message, - AC_DEFINE(HAVE_ERROR_MESSAGE,1, - [Define to 1 if you have error_message]),) - elif test "x$ac_com_error_message" = "xyes" ; then - AC_CHECK_LIB(krb5,error_message, - AC_DEFINE(HAVE_ERROR_MESSAGE,1, - [Define to 1 if you have error_message]),) - fi - AC_CHECK_LIB(krb5,krb5_get_err_text, - AC_DEFINE(HAVE_KRB5_GET_ERR_TEXT,1, - [Define to 1 if you have krb5_get_err_text]),) - AC_CHECK_LIB(krb5,krb5_get_error_message, - AC_DEFINE(HAVE_KRB5_GET_ERROR_MESSAGE,1, - [Define to 1 if you have krb5_get_error_message]),) - AC_CHECK_DECLS(krb5_kt_free_entry,,,[#include ]) - AC_CHECK_TYPE(krb5_pac, - 
AC_DEFINE(HAVE_KRB5_PAC,1, - [Define to 1 if you have krb5_pac]),, - [#include ]) - AC_CHECK_LIB(krb5,krb5_kt_free_entry, - AC_DEFINE(HAVE_KRB5_KT_FREE_ENTRY,1, - [Define to 1 if you have krb5_kt_free_entry]),) - AC_CHECK_LIB(krb5,krb5_get_init_creds_keytab, - AC_DEFINE(HAVE_GET_INIT_CREDS_KEYTAB,1, - [Define to 1 if you have krb5_get_init_creds_keytab]),) - AC_CHECK_LIB(krb5,krb5_get_max_time_skew, - AC_DEFINE(HAVE_KRB5_GET_MAX_TIME_SKEW,1, - [Define to 1 if you have krb5_get_max_time_skew]),) - AC_CHECK_LIB(krb5,krb5_get_profile, - AC_DEFINE(HAVE_KRB5_GET_PROFILE,1, - [Define to 1 if you have krb5_get_profile]),) - AC_CHECK_LIB(krb5,profile_get_integer, - AC_DEFINE(HAVE_PROFILE_GET_INTEGER,1, - [Define to 1 if you have profile_get_integer]),) - AC_CHECK_LIB(krb5,profile_release, - AC_DEFINE(HAVE_PROFILE_RELEASE,1, - [Define to 1 if you have profile_release]),) - AC_CHECK_LIB(krb5,krb5_get_renewed_creds, - AC_DEFINE(HAVE_KRB5_GET_RENEWED_CREDS,1, - [Define to 1 if you have krb5_get_renewed_creds]),) - AC_CHECK_LIB(krb5,krb5_principal_get_realm, - AC_DEFINE(HAVE_KRB5_PRINCIPAL_GET_REALM,1, - [Define to 1 if you have krb5_principal_get_realm]),) - AC_CHECK_LIB(krb5, krb5_get_init_creds_opt_alloc, - AC_DEFINE(HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC,1, - [Define to 1 if you have krb5_get_init_creds_opt_alloc]),) - AC_MSG_CHECKING([for krb5_get_init_creds_free requires krb5_context]) - AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ - #include - ]],[[krb5_context context; - krb5_get_init_creds_opt *options; - krb5_get_init_creds_opt_free(context, options)]])],[ - AC_DEFINE(HAVE_KRB5_GET_INIT_CREDS_FREE_CONTEXT,1, - [Define to 1 if you krb5_get_init_creds_free requires krb5_context]) - AC_MSG_RESULT(yes) - ],[AC_MSG_RESULT(no)],[AC_MSG_RESULT(no)]) - - - AC_CHECK_FUNCS(gss_map_name_to_any, - AC_DEFINE(HAVE_GSS_MAP_ANY_TO_ANY,1, - [Define to 1 if you have gss_map_name_to_any]),) - AC_CHECK_FUNCS(gsskrb5_extract_authz_data_from_sec_context, - 
AC_DEFINE(HAVE_GSSKRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT,1, - [Define to 1 if you have gsskrb5_extract_authz_data_from_sec_context]),) - - SQUID_CHECK_KRB5_CONTEXT_MEMORY_CACHE - SQUID_DEFINE_BOOL(HAVE_KRB5_MEMORY_CACHE,$squid_cv_memory_cache, - [Define if kerberos has MEMORY: cache support]) - - SQUID_CHECK_WORKING_GSSAPI - SQUID_DEFINE_BOOL(HAVE_GSSAPI,$squid_cv_working_gssapi,[GSSAPI support]) - - SQUID_CHECK_SPNEGO_SUPPORT - SQUID_DEFINE_BOOL(HAVE_SPNEGO,$squid_cv_have_spnego,[SPNEGO support]) - - SQUID_CHECK_WORKING_KRB5 - SQUID_DEFINE_BOOL(HAVE_KRB5,$squid_cv_working_krb5,[KRB5 support]) - - AC_SUBST(KRB5INCS) - AC_SUBST(KRB5LIBS) -fi -SQUID_STATE_ROLLBACK([krbsave]) -AM_CONDITIONAL(HAVE_SPNEGO, test x"$squid_cv_have_spnego" = x"yes" ) - AC_ARG_ENABLE(external-acl-helpers, AS_HELP_STRING([--enable-external-acl-helpers="list of helpers"], [Enable external_acl helpers support and thelpers themselves. 
@@ -2634,235 +3146,6 @@ ;; esac -dnl On MinGW OpenLDAP is not available, so LDAP helpers can be linked -dnl only with Windows LDAP libraries using -lwldap32 -case "$squid_host_os" in - mingw) - LDAPLIB="-lwldap32" - LBERLIB="" - ;; - *) - AC_CHECK_LIB(ldap, ldap_init, [LDAPLIB="-lldap"]) - dnl LDAP helpers need to know if -llber is needed or not - AC_CHECK_LIB(lber, ber_init, [LBERLIB="-llber"]) - dnl if no ldap lib found check for mozilla version - if test "x$ac_cv_lib_ldap_ldap_init" != x""yes; then - oLIBS=$LIBS - LIBS="$LIBPTHREADS" - AC_CHECK_LIB(ldap60, ldap_init, [LDAPLIB="-lldap60"]) - LIBS="$LDAPLIB $LIBPTHREADS" - AC_CHECK_LIB(prldap60, prldap_init, [LDAPLIB="-lprldap60 $LDAPLIB"]) - LIBS="$LDAPLIB $LIBPTHREADS" - AC_CHECK_LIB(ssldap60, ldapssl_init, [LDAPLIB="-lssldap60 $LDAPLIB"]) - LIBS=$oLIBS - fi - - AC_CHECK_HEADERS(ldap.h lber.h) - AC_CHECK_HEADERS(mozldap/ldap.h) - - dnl - dnl Check for LDAP_OPT_DEBUG_LEVEL - dnl - AC_MSG_CHECKING([for LDAP_OPT_DEBUG_LEVEL]) - AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ -# include - ]],[[ - int i=LDAP_OPT_DEBUG_LEVEL - ]])], - [ AC_MSG_RESULT(yes) ], - [ AC_MSG_RESULT(no) ]) - - dnl - dnl Check for working ldap - dnl - oLIBS=$LIBS - LIBS="$LDAPLIB $LBERLIB $LIBPTHREADS" - AC_MSG_CHECKING([for working ldap]) - AC_RUN_IFELSE([AC_LANG_SOURCE([[ -# define LDAP_DEPRECATED 1 -# if HAVE_LDAP_H -# include -# elif HAVE_MOZLDAP_LDAP_H -# include -# endif - int - main(void) - { - char host[]=""; - int port; - - ldap_init((const char *)&host, port); - - return 0; - } - ]])], - [ AC_DEFINE(HAVE_LDAP, 1, [LDAP support]) - AC_MSG_RESULT(yes) ], - [ AC_MSG_RESULT(no) ], - [ AC_MSG_RESULT(cross-compiler cant tell) ]) - LIBS=$oLIBS - - dnl - dnl Check for ldap vendor - dnl - AC_MSG_CHECKING([for OpenLDAP]) - AC_RUN_IFELSE([AC_LANG_SOURCE([[ -# if HAVE_LDAP_H -# include -# endif -# include - int - main(void) - { - return strcmp(LDAP_VENDOR_NAME,"OpenLDAP"); - } - ]])], - [ AC_DEFINE(HAVE_OPENLDAP, 1, [OpenLDAP support]) - 
AC_MSG_RESULT(yes) ], - [ AC_MSG_RESULT(no) ], - [ AC_MSG_RESULT(cross-compiler cant tell) ]) - - AC_MSG_CHECKING([for Sun LDAP SDK]) - AC_RUN_IFELSE([AC_LANG_SOURCE([[ -# if HAVE_LDAP_H -# include -# endif -# include - int - main(void) - { - return strcmp(LDAP_VENDOR_NAME,"Sun Microsystems Inc."); - } - ]])], - [ AC_DEFINE(HAVE_SUN_LDAP_SDK, 1, [Sun LDAP SDK support]) - AC_MSG_RESULT(yes) ], - [ AC_MSG_RESULT(no) ], - [ AC_MSG_RESULT(cross-compiler cant tell) ]) - - AC_MSG_CHECKING([for Mozilla LDAP SDK]) - AC_RUN_IFELSE([AC_LANG_SOURCE([[ -# if HAVE_LDAP_H -# include -# elif HAVE_MOZLDAP_LDAP_H -# include -# endif -# include - int - main(void) - { - return strcmp(LDAP_VENDOR_NAME,"mozilla.org"); - } - ]])], - [ AC_DEFINE(HAVE_MOZILLA_LDAP_SDK, 1, [Mozilla LDAP SDK support]) - AC_MSG_RESULT(yes) ], - [ AC_MSG_RESULT(no)], - [ AC_MSG_RESULT(cross-compiler cant tell) ]) - - dnl - dnl Check for LDAP_REBINDPROC_CALLBACK - dnl - AC_MSG_CHECKING([for LDAP_REBINDPROC_CALLBACK]) - AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ -# if HAVE_LDAP_H -# include -# elif HAVE_MOZLDAP_LDAP_H -# include -# endif - ]],[[ - LDAP_REBINDPROC_CALLBACK ldap_rebind; - ]])], - [ AC_DEFINE(HAVE_LDAP_REBINDPROC_CALLBACK,1,[Define to 1 if you have LDAP_REBINDPROC_CALLBACK]) - AC_MSG_RESULT(yes) ], - [ AC_MSG_RESULT(no) ]) - - dnl - dnl Check for LDAP_REBIND_PROC - dnl - AC_MSG_CHECKING([for LDAP_REBIND_PROC]) - AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ -# if HAVE_LDAP_H -# include -# elif HAVE_MOZLDAP_LDAP_H -# include -# endif - ]],[[ - LDAP_REBIND_PROC ldap_rebind; - ]])], - [ AC_DEFINE(HAVE_LDAP_REBIND_PROC,1,[Define to 1 if you have LDAP_REBIND_PROC]) - AC_MSG_RESULT(yes) ], - [ AC_MSG_RESULT(no) ]) - - dnl - dnl Check for LDAP_REBIND_FUNCTION - dnl - AC_MSG_CHECKING([for LDAP_REBIND_FUNCTION]) - AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ -# define LDAP_REFERRALS -# if HAVE_LDAP_H -# include -# elif HAVE_MOZLDAP_LDAP_H -# include -# endif - ]],[[ - LDAP_REBIND_FUNCTION ldap_rebind; - ]])], - [ 
AC_DEFINE(HAVE_LDAP_REBIND_FUNCTION,1,[Define to 1 if you have LDAP_REBIND_FUNCTION]) - AC_MSG_RESULT(yes) ], - [ AC_MSG_RESULT(no) ]) - - dnl - dnl Check for LDAP_SCOPE_DEFAULT - dnl - AC_MSG_CHECKING([for LDAP_SCOPE_DEFAULT]) - AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ -# if HAVE_LDAP_H -# include -# elif HAVE_MOZLDAP_LDAP_H -# include -# endif - ]],[[ - int i=LDAP_SCOPE_DEFAULT; - ]])], - [ AC_DEFINE(HAVE_LDAP_SCOPE_DEFAULT,1,[Define to 1 if you have LDAP_SCOPE_DEFAULT]) - AC_MSG_RESULT(yes) ], - [ AC_MSG_RESULT(no) ]) - - dnl - dnl Check for ldap_url_desc.lud_scheme - dnl - AC_CHECK_MEMBER(struct ldap_url_desc.lud_scheme, - AC_DEFINE(HAVE_LDAP_URL_LUD_SCHEME,1, - [Define to 1 if you have LDAPURLDesc.lud_scheme]),,[#include ]) - - dnl - dnl Check for ldapssl_client_init - dnl - AC_CHECK_LIB(ldap,ldapssl_client_init, - AC_DEFINE(HAVE_LDAPSSL_CLIENT_INIT,1,[Define to 1 if you have ldapssl_client_init]),) - - dnl - dnl Check for ldap_url_desc2str - dnl - AC_CHECK_LIB(ldap,ldap_url_desc2str, - AC_DEFINE(HAVE_LDAP_URL_DESC2STR,1,[Define to 1 if you have ldap_url_desc2str]),) - - dnl - dnl Check for ldap_url_parse - dnl - AC_CHECK_LIB(ldap,ldap_url_parse, - AC_DEFINE(HAVE_LDAP_URL_PARSE,1,[Define to 1 if you have ldap_url_parse]),) - - dnl - dnl Check for ldap_start_tls_s - dnl - AC_CHECK_LIB(ldap,ldap_start_tls_s, - AC_DEFINE(HAVE_LDAP_START_TLS_S,1,[Define to 1 if you have ldap_start_tls_s]),) - ;; -esac - -AC_SUBST(LDAPLIB) -AC_SUBST(LBERLIB) - dnl Check for libdb dnl this is not fully functional if db.h is for a differend db version DBLIB= diff -ru trunk/helpers/external_acl/kerberos_ldap_group/kerberos_ldap_group.cc trunk-mm/helpers/external_acl/kerberos_ldap_group/kerberos_ldap_group.cc --- trunk/helpers/external_acl/kerberos_ldap_group/kerberos_ldap_group.cc 2014-02-21 15:38:36.783293000 +0000 +++ trunk-mm/helpers/external_acl/kerberos_ldap_group/kerberos_ldap_group.cc 2014-08-10 11:32:05.171642710 +0100 
@@ -34,7 +34,7 @@ #include "rfc1738.h" #include "util.h" -#ifdef HAVE_LDAP +#if HAVE_LDAP #include "support.h" #include @@ -165,7 +165,6 @@ char *user, *domain, *group; char *up=NULL, *dp=NULL, *np=NULL; char *nuser, *nuser8 = NULL, *netbios; - char *c; int opt; struct main_args margs; @@ -296,6 +295,7 @@ exit(1); } while (1) { + char *c; if (fgets(buf, sizeof(buf) - 1, stdin) == NULL) { if (ferror(stdin)) { debug((char *) "%s| %s: FATAL: fgets() failed! dying..... errno=%d (%s)\n", LogTime(), PROGRAM, ferror(stdin), diff -ru trunk/helpers/external_acl/kerberos_ldap_group/required.m4 trunk-mm/helpers/external_acl/kerberos_ldap_group/required.m4 --- trunk/helpers/external_acl/kerberos_ldap_group/required.m4 2013-09-28 00:37:39.207515000 +0100 +++ trunk-mm/helpers/external_acl/kerberos_ldap_group/required.m4 2014-08-10 11:32:05.171642710 +0100 @@ -1,2 +1,4 @@ -AC_CHECK_HEADERS([ldap.h],[BUILD_HELPER="kerberos_ldap_group"]) -SQUID_CHECK_SASL +if test "x$with_krb5" == "xyes"; then + BUILD_HELPER="kerberos_ldap_group" + SQUID_CHECK_SASL +fi diff -ru trunk/helpers/external_acl/kerberos_ldap_group/support_group.cc trunk-mm/helpers/external_acl/kerberos_ldap_group/support_group.cc --- trunk/helpers/external_acl/kerberos_ldap_group/support_group.cc 2013-09-28 00:37:39.207515000 +0100 +++ trunk-mm/helpers/external_acl/kerberos_ldap_group/support_group.cc 2014-08-10 11:32:05.181642709 +0100 @@ -26,7 +26,7 @@ #include "squid.h" #include "util.h" -#ifdef HAVE_LDAP +#if HAVE_LDAP #include "support.h" @@ -61,10 +61,9 @@ utf8dup(struct main_args *margs) { size_t c = 0; - unsigned char s; size_t n; char *src; - unsigned char *p, *dupp; + unsigned char *p; src = margs->glist; if (!src) 
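Review bot: `if test "x$with_krb5" == "xyes"; then` in required.m4 uses `==`, which POSIX `test` does not define; under dash or any other non-bash /bin/sh the comparison reports "unexpected operator" and evaluates false, so the kerberos_ldap_group helper is silently dropped from the build instead of failing loudly. Use the portable form `if test "x$with_krb5" = "xyes"; then`. Note also that the old check gated the helper on `ldap.h` being present while the new one only looks at `--with-krb5`; if the LDAP detection removed from configure.ac in this patch is not re-run elsewhere, the helper can be selected on a host without an LDAP SDK and presumably fails at link time rather than at configure time, so a one-line `AC_CHECK_HEADERS([ldap.h],...)` guard (or a comment naming where that check now lives) would help.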
@@ -73,9 +72,11 @@ if ((unsigned char) src[n] > 127) ++c; if (c != 0) { + unsigned char *dupp; p = (unsigned char *) xmalloc(strlen(src) + c); dupp = p; for (n = 0; n < strlen(src); ++n) { + unsigned char s; s = (unsigned char) src[n]; if (s > 127 && s < 192) { *p = 194; diff -ru trunk/helpers/external_acl/kerberos_ldap_group/support.h trunk-mm/helpers/external_acl/kerberos_ldap_group/support.h --- trunk/helpers/external_acl/kerberos_ldap_group/support.h 2014-02-21 15:38:36.783293000 +0000 +++ trunk-mm/helpers/external_acl/kerberos_ldap_group/support.h 2014-08-10 11:32:05.181642709 +0100 @@ -47,7 +47,7 @@ #if HAVE_COM_ERR_H #include -#elif HAVE_HEIMDAL_KERBEROS +#elif USE_HEIMDAL_KRB5 #define error_message(code) krb5_get_err_text(kparam.context,code) #endif /* HAVE_COM_ERR_H */ @@ -162,7 +162,7 @@ size_t get_hostname_list(struct hstruct **hlist, size_t nhosts, char *name); size_t free_hostname_list(struct hstruct **hlist, size_t nhosts); -#if defined(HAVE_SASL_H) || defined(HAVE_SASL_SASL_H) || defined(HAVE_SASL_DARWIN) +#if HAVE_SASL_H || HAVE_SASL_SASL_H || HAVE_SASL_DARWIN int tool_sasl_bind(LDAP * ld, char *binddn, char *ssl); #endif diff -ru trunk/helpers/external_acl/kerberos_ldap_group/support_krb5.cc trunk-mm/helpers/external_acl/kerberos_ldap_group/support_krb5.cc --- trunk/helpers/external_acl/kerberos_ldap_group/support_krb5.cc 2013-09-28 00:37:39.207515000 +0100 +++ trunk-mm/helpers/external_acl/kerberos_ldap_group/support_krb5.cc 2014-08-10 11:32:05.181642709 +0100 @@ -25,13 +25,12 @@ #include "squid.h" #include "util.h" -#if defined(HAVE_LDAP) && defined(HAVE_KRB5) +#if HAVE_LDAP && HAVE_KRB5 #include "support.h" struct kstruct { krb5_context context; - char *mem_cache_env; krb5_ccache cc; }; 
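Review bot: The allocation `p = (unsigned char *) xmalloc(strlen(src) + c);` in utf8dup reserves one extra byte per input byte above 127 but none for a terminator; each such byte expands to two output bytes (`*p = 194;` followed by the continuation byte), so the buffer is exactly full and any NUL written after the loop would land one past the end. The loop's tail and the return are outside this hunk, so this is unconfirmed; if the duplicate is NUL-terminated before `dupp` is returned, the size must be `strlen(src) + c + 1`. utf8dup continues past the hunk, and a comment such as `/* every byte > 127 becomes two bytes: reserve c extra plus the NUL */` on the allocation would make the arithmetic auditable.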
@@ -115,12 +114,12 @@ principal_list = (krb5_principal *) xrealloc(principal_list, sizeof(krb5_principal) * (nprinc + 1)); krb5_copy_principal(kparam.context, entry.principal, &principal_list[nprinc++]); -#ifdef HAVE_HEIMDAL_KERBEROS +#if USE_HEIMDAL_KRB5 debug((char *) "%s| %s: DEBUG: Keytab entry has realm name: %s\n", LogTime(), PROGRAM, entry.principal->realm); #else debug((char *) "%s| %s: DEBUG: Keytab entry has realm name: %s\n", LogTime(), PROGRAM, krb5_princ_realm(kparam.context, entry.principal)->data); #endif -#ifdef HAVE_HEIMDAL_KERBEROS +#if USE_HEIMDAL_KRB5 if (!strcasecmp(domain, entry.principal->realm)) #else if (!strcasecmp(domain, krb5_princ_realm(kparam.context, entry.principal)->data)) @@ -134,7 +133,7 @@ found = 1; } } -#if defined(HAVE_HEIMDAL_KERBEROS) || ( defined(HAVE_KRB5_KT_FREE_ENTRY) && HAVE_DECL_KRB5_KT_FREE_ENTRY==1) +#if USE_HEIMDAL_KRB5 || ( HAVE_KRB5_KT_FREE_ENTRY && HAVE_DECL_KRB5_KT_FREE_ENTRY ) code = krb5_kt_free_entry(kparam.context, &entry); #else code = krb5_free_keytab_entry_contents(kparam.context, &entry); @@ -162,7 +161,7 @@ /* * prepare memory credential cache */ -#if !defined(HAVE_KRB5_MEMORY_CACHE) || defined(HAVE_SUN_LDAP_SDK) +#if !HAVE_KRB5_MEMORY_CACHE || HAVE_SUN_LDAP_SDK mem_cache = (char *) xmalloc(strlen("FILE:/tmp/squid_ldap_") + 16); snprintf(mem_cache, strlen("FILE:/tmp/squid_ldap_") + 16, "FILE:/tmp/squid_ldap_%d", (int) getpid()); #else @@ -226,7 +225,7 @@ } if (creds->server) krb5_free_principal(kparam.context, creds->server); -#ifdef HAVE_HEIMDAL_KERBEROS +#if USE_HEIMDAL_KRB5 service = (char *) xmalloc(strlen("krbtgt") + strlen(domain) + strlen(principal_list[i]->realm) + 3); snprintf(service, strlen("krbtgt") + strlen(domain) + strlen(principal_list[i]->realm) + 3, "krbtgt/%s@%s", domain, principal_list[i]->realm); #else 
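Review bot: In the third hunk on this line the fallback credential cache name `FILE:/tmp/squid_ldap_%d` is predictable: a world-writable directory with the pid as the only variable part, so any local user can pre-create or symlink that path before the helper initialises it. Whether that is merely a denial of authentication or something worse depends on how the Kerberos library in use creates the cache (an implementation that unlinks and opens exclusively limits it to DoS; one that follows an existing file does not), so treat this as a caveat to verify rather than a confirmed hole. A safer default is a cache inside a helper-owned directory or a `mkstemp()`-style unique name, and at minimum a comment like `/* NOTE: predictable path in /tmp; relies on the krb5 library creating it exclusively */` should sit on the `snprintf` so the trade-off is visible. The enclosing function extends beyond the hunk.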
@@ -260,7 +259,6 @@ } - safe_free(principal_name); if (creds) krb5_free_creds(kparam.context, creds); creds = NULL; diff -ru trunk/helpers/external_acl/kerberos_ldap_group/support_ldap.cc trunk-mm/helpers/external_acl/kerberos_ldap_group/support_ldap.cc --- trunk/helpers/external_acl/kerberos_ldap_group/support_ldap.cc 2014-06-02 18:48:28.346610000 +0100 +++ trunk-mm/helpers/external_acl/kerberos_ldap_group/support_ldap.cc 2014-08-10 11:32:31.127641542 +0100 @@ -42,20 +42,24 @@ #define FILTER "(memberuid=%s)" #define ATTRIBUTE "cn" +#define ATTRIBUTE_DN "distinguishedName" #define FILTER_UID "(uid=%s)" #define FILTER_GID "(&(gidNumber=%s)(objectclass=posixgroup))" #define ATTRIBUTE_GID "gidNumber" +#define ATTRIBUTE_GID_AD "primaryGroupID" +#define ATTRIBUTE_SID "objectSID" #define FILTER_AD "(samaccountname=%s)" #define ATTRIBUTE_AD "memberof" size_t get_attributes(LDAP * ld, LDAPMessage * res, const char *attribute /* IN */ , char ***out_val /* OUT (caller frees) */ ); +size_t get_bin_attributes(LDAP * ld, LDAPMessage * res, const char *attribute /* IN */ , char ***out_val , int **out_len /* OUT (caller frees) */ ); int search_group_tree(struct main_args *margs, LDAP * ld, char *bindp, char *ldap_group, char *group, int depth); -#if defined(HAVE_SUN_LDAP_SDK) || defined(HAVE_MOZILLA_LDAP_SDK) -#ifdef HAVE_LDAP_REBINDPROC_CALLBACK +#if HAVE_SUN_LDAP_SDK || HAVE_MOZILLA_LDAP_SDK +#if HAVE_LDAP_REBINDPROC_CALLBACK -#if defined(HAVE_SASL_H) || defined(HAVE_SASL_SASL_H) || defined(HAVE_SASL_DARWIN) +#if HAVE_SASL_H || HAVE_SASL_SASL_H || HAVE_SASL_DARWIN static LDAP_REBINDPROC_CALLBACK ldap_sasl_rebind; static int LDAP_CALL LDAP_CALLBACK 
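Review bot: The removal of `safe_free(principal_name);` has no explanation in the hunk, and `principal_name` remains in scope at this point; if this was the only release of a string obtained earlier in the function (for instance from a krb5 unparse call) then every credential-cache refresh now leaks in a long-lived helper, whereas if it fixed a double free or the pointer is now owned elsewhere the hunk should say so. Suggest either restoring the line at the correct point or adding `/* principal_name is released by <site> */` where it is actually freed. The enclosing function starts and ends outside the hunk, so its other uses of `principal_name` are not visible here.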
@@ -94,8 +98,8 @@ freeit = freeit; return ldap_bind_s(ld, cp->dn, cp->pw, LDAP_AUTH_SIMPLE); } -#elif defined(HAVE_LDAP_REBIND_PROC) -#if defined(HAVE_SASL_H) || defined(HAVE_SASL_SASL_H) || defined(HAVE_SASL_DARWIN) +#elif HAVE_LDAP_REBIND_PROC +#if HAVE_SASL_H || HAVE_SASL_SASL_H || HAVE_SASL_DARWIN static LDAP_REBIND_PROC ldap_sasl_rebind; static int @@ -125,11 +129,11 @@ return ldap_bind_s(ld, cp->dn, cp->pw, LDAP_AUTH_SIMPLE); } -#elif defined(HAVE_LDAP_REBIND_FUNCTION) +#elif HAVE_LDAP_REBIND_FUNCTION #ifndef LDAP_REFERRALS #define LDAP_REFERRALS #endif -#if defined(HAVE_SASL_H) || defined(HAVE_SASL_SASL_H) || defined(HAVE_SASL_DARWIN) +#if HAVE_SASL_H || HAVE_SASL_SASL_H || HAVE_SASL_DARWIN static LDAP_REBIND_FUNCTION ldap_sasl_rebind; static int @@ -172,7 +176,7 @@ #error "No rebind functione defined" #endif #else /* HAVE_SUN_LDAP_SDK */ -#if defined(HAVE_SASL_H) || defined(HAVE_SASL_SASL_H) || defined(HAVE_SASL_DARWIN) +#if HAVE_SASL_H || HAVE_SASL_SASL_H || HAVE_SASL_DARWIN static LDAP_REBIND_PROC ldap_sasl_rebind; static int @@ -333,6 +337,7 @@ size_t max_attr = 0; char *filter = NULL; char *search_exp = NULL; + size_t se_len = 0; int rc = 0, retval = 0; int ldepth; char *ldap_filter_esc = NULL; @@ -351,8 +356,9 @@ ldap_filter_esc = escape_filter(ldap_group); - search_exp = (char *) xmalloc(strlen(filter) + strlen(ldap_filter_esc) + 1); - snprintf(search_exp, strlen(filter) + strlen(ldap_filter_esc) + 1, filter, ldap_filter_esc); + se_len = strlen(filter) + strlen(ldap_filter_esc) + 1; + search_exp = (char *) xmalloc(se_len); + snprintf(search_exp, se_len, filter, ldap_filter_esc); xfree(ldap_filter_esc); 
@@ -369,7 +375,6 @@ if (rc != LDAP_SUCCESS) { error((char *) "%s| %s: ERROR: Error searching ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); - ldap_unbind_s(ld); return 0; } debug((char *) "%s| %s: DEBUG: Found %d ldap entr%s\n", LogTime(), PROGRAM, ldap_count_entries(ld, res), ldap_count_entries(ld, res) > 1 || ldap_count_entries(ld, res) == 0 ? "ies" : "y"); @@ -449,7 +454,7 @@ ldap_set_defaults(LDAP * ld) { int val, rc = 0; -#ifdef LDAP_OPT_NETWORK_TIMEOUT +#if LDAP_OPT_NETWORK_TIMEOUT struct timeval tv; #endif val = LDAP_VERSION3; @@ -463,7 +468,7 @@ debug((char *) "%s| %s: DEBUG: Error while setting referrals off: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); return rc; } -#ifdef LDAP_OPT_NETWORK_TIMEOUT +#if LDAP_OPT_NETWORK_TIMEOUT tv.tv_sec = CONNECT_TIMEOUT; tv.tv_usec = 0; rc = ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT, &tv); @@ -478,16 +483,16 @@ int ldap_set_ssl_defaults(struct main_args *margs) { -#if defined(HAVE_OPENLDAP) || defined(HAVE_LDAPSSL_CLIENT_INIT) +#if HAVE_OPENLDAP || HAVE_LDAPSSL_CLIENT_INIT int rc = 0; #endif -#ifdef HAVE_OPENLDAP +#if HAVE_OPENLDAP int val; -#elif defined(HAVE_LDAPSSL_CLIENT_INIT) +#elif HAVE_LDAPSSL_CLIENT_INIT char *ssl_certdbpath = NULL; #endif -#ifdef HAVE_OPENLDAP +#if HAVE_OPENLDAP if (!margs->rc_allow) { char *ssl_cacertfile = NULL; int free_path; @@ -522,7 +527,7 @@ return rc; } } -#elif defined(HAVE_LDAPSSL_CLIENT_INIT) +#elif HAVE_LDAPSSL_CLIENT_INIT /* * Solaris SSL ldap calls require path to certificate database */ 
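Review bot: `#if LDAP_OPT_NETWORK_TIMEOUT` in ldap_set_defaults (and the matching change in the following hunk at `tv.tv_sec = CONNECT_TIMEOUT;`) tests an SDK option constant as though it were a configure-generated 0/1 feature flag; `LDAP_OPT_NETWORK_TIMEOUT` is an API identifier whose value is whatever the SDK chose, so the test only works by accident of that value being a non-zero integer literal and would fail to compile if an SDK defined it with a cast or as an enumerator. The presence check is what was meant, so keep `#ifdef LDAP_OPT_NETWORK_TIMEOUT` in both places rather than folding it into the `#ifdef`→`#if` sweep that is correct for the HAVE_*/USE_* macros. A short comment, `/* SDK constant, not a feature flag: test presence */`, would stop the next cleanup from repeating this.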
@@ -556,32 +561,26 @@ get_attributes(LDAP * ld, LDAPMessage * res, const char *attribute, char ***ret_value) { - LDAPMessage *msg; - char **attr_value = NULL; + char **attr_value = *ret_value; size_t max_attr = 0; - attr_value = *ret_value; /* * loop over attributes */ debug((char *) "%s| %s: DEBUG: Search ldap entries for attribute : %s\n", LogTime(), PROGRAM, attribute); - for (msg = ldap_first_entry(ld, res); msg; msg = ldap_next_entry(ld, msg)) { - - BerElement *b; - char *attr; + for (LDAPMessage *msg = ldap_first_entry(ld, res); msg; msg = ldap_next_entry(ld, msg)) { switch (ldap_msgtype(msg)) { - case LDAP_RES_SEARCH_ENTRY: - - for (attr = ldap_first_attribute(ld, msg, &b); attr; + case LDAP_RES_SEARCH_ENTRY: { + BerElement *b = NULL; + for (char *attr = ldap_first_attribute(ld, msg, &b); attr; attr = ldap_next_attribute(ld, msg, b)) { if (strcasecmp(attr, attribute) == 0) { struct berval **values; - int il; if ((values = ldap_get_values_len(ld, msg, attr)) != NULL) { - for (il = 0; values[il] != NULL; ++il) { + for (int il = 0; values[il] != NULL; ++il) { attr_value = (char **) xrealloc(attr_value, (max_attr + 1) * sizeof(char *)); if (!attr_value) 
@@ -598,7 +597,73 @@ ldap_memfree(attr); } ber_free(b, 0); + } + break; + case LDAP_RES_SEARCH_REFERENCE: + debug((char *) "%s| %s: DEBUG: Received a search reference message\n", LogTime(), PROGRAM); + break; + case LDAP_RES_SEARCH_RESULT: + debug((char *) "%s| %s: DEBUG: Received a search result message\n", LogTime(), PROGRAM); + break; + default: break; + } + } + + debug((char *) "%s| %s: DEBUG: %" PRIuSIZE " ldap entr%s found with attribute : %s\n", LogTime(), PROGRAM, max_attr, max_attr > 1 || max_attr == 0 ? "ies" : "y", attribute); + + *ret_value = attr_value; + return max_attr; +} + +size_t +get_bin_attributes(LDAP * ld, LDAPMessage * res, const char *attribute, char ***ret_value, int **ret_len) +{ + + char **attr_value = *ret_value; + int *attr_len = *ret_len; + size_t max_attr = 0; + + /* + * loop over attributes + */ + debug((char *) "%s| %s: DEBUG: Search ldap entries for attribute : %s\n", LogTime(), PROGRAM, attribute); + for ( LDAPMessage *msg = ldap_first_entry(ld, res); msg; msg = ldap_next_entry(ld, msg)) { + + switch (ldap_msgtype(msg)) { + + case LDAP_RES_SEARCH_ENTRY: { + BerElement *b = NULL; + for (char *attr = ldap_first_attribute(ld, msg, &b); attr; + attr = ldap_next_attribute(ld, msg, b)) { + if (strcasecmp(attr, attribute) == 0) { + struct berval **values; + + if ((values = ldap_get_values_len(ld, msg, attr)) != NULL) { + for (int il = 0; values[il] != NULL; ++il) { + + attr_value = (char **) xrealloc(attr_value, (max_attr + 1) * sizeof(char *)); + if (!attr_value) + break; + + attr_len = (int *) xrealloc(attr_len, (max_attr + 1) * sizeof(int)); + if (!attr_len) + break; + + attr_value[max_attr] = (char *) xmalloc(values[il]->bv_len + 1); + memcpy(attr_value[max_attr], values[il]->bv_val, values[il]->bv_len); + attr_value[max_attr][values[il]->bv_len] = 0; + attr_len[max_attr]=values[il]->bv_len; + max_attr++; + } + } + ber_bvecfree(values); + } + ldap_memfree(attr); + } + ber_free(b, 0); + } + break; case LDAP_RES_SEARCH_REFERENCE: 
debug((char *) "%s| %s: DEBUG: Received a search reference message\n", LogTime(), PROGRAM); break; @@ -613,6 +678,7 @@ debug((char *) "%s| %s: DEBUG: %" PRIuSIZE " ldap entr%s found with attribute : %s\n", LogTime(), PROGRAM, max_attr, max_attr > 1 || max_attr == 0 ? "ies" : "y", attribute); *ret_value = attr_value; + *ret_len = attr_len; return max_attr; } @@ -623,7 +689,7 @@ tool_ldap_open(struct main_args * margs, char *host, int port, char *ssl) { LDAP *ld; -#ifdef HAVE_OPENLDAP +#if HAVE_OPENLDAP LDAPURLDesc *url = NULL; char *ldapuri = NULL; #endif @@ -633,10 +699,10 @@ * Use ldap open here to check if TCP connection is possible. If possible use it. * (Not sure if this is the best way) */ -#ifdef HAVE_OPENLDAP +#if HAVE_OPENLDAP url = (LDAPURLDesc *) xmalloc(sizeof(*url)); memset(url, 0, sizeof(*url)); -#ifdef HAVE_LDAP_URL_LUD_SCHEME +#if HAVE_LDAP_URL_LUD_SCHEME if (ssl) url->lud_scheme = xstrdup("ldaps"); else @@ -644,14 +710,14 @@ #endif url->lud_host = xstrdup(host); url->lud_port = port; -#ifdef HAVE_LDAP_SCOPE_DEFAULT +#if HAVE_LDAP_SCOPE_DEFAULT url->lud_scope = LDAP_SCOPE_DEFAULT; #else url->lud_scope = LDAP_SCOPE_SUBTREE; #endif -#ifdef HAVE_LDAP_URL_DESC2STR +#if HAVE_LDAP_URL_DESC2STR ldapuri = ldap_url_desc2str(url); -#elif defined(HAVE_LDAP_URL_PARSE) +#elif HAVE_LDAP_URL_PARSE rc = ldap_url_parse(ldapuri, &url); if (rc != LDAP_SUCCESS) { error((char *) "%s| %s: ERROR: Error while parsing url: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); @@ -693,7 +759,7 @@ ld = NULL; return NULL; } -#ifdef HAVE_OPENLDAP +#if HAVE_OPENLDAP /* * Use tls if possible */ 
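Review bot: The new get_bin_attributes has no header comment although its contract is non-obvious: `*ret_value` and `*ret_len` are parallel arrays that it extends from whatever the caller passed in (`char **attr_value = *ret_value; int *attr_len = *ret_len;`), values are accumulated across all entries in `res`, each copy gets a trailing NUL beyond `bv_len`, and both arrays plus every element are the caller's to free. A block comment above the function stating exactly that would prevent the caller-side leaks this shape invites. Also, `attr_len[max_attr]=values[il]->bv_len;` narrows `ber_len_t` to `int`; an explicit `(int)` cast with a comment that SID-sized values are expected, or a `size_t *` output, would make the intent clear.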
@@ -704,19 +770,19 @@ ld = NULL; url = (LDAPURLDesc *) xmalloc(sizeof(*url)); memset(url, 0, sizeof(*url)); -#ifdef HAVE_LDAP_URL_LUD_SCHEME +#if HAVE_LDAP_URL_LUD_SCHEME url->lud_scheme = xstrdup("ldaps"); #endif url->lud_host = xstrdup(host); url->lud_port = port; -#ifdef HAVE_LDAP_SCOPE_DEFAULT +#if HAVE_LDAP_SCOPE_DEFAULT url->lud_scope = LDAP_SCOPE_DEFAULT; #else url->lud_scope = LDAP_SCOPE_SUBTREE; #endif -#ifdef HAVE_LDAP_URL_DESC2STR +#if HAVE_LDAP_URL_DESC2STR ldapuri = ldap_url_desc2str(url); -#elif defined(HAVE_LDAP_URL_PARSE) +#elif HAVE_LDAP_URL_PARSE rc = ldap_url_parse(ldapuri, &url); if (rc != LDAP_SUCCESS) { error((char *) "%s| %s: ERROR: Error while parsing url: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); @@ -744,7 +810,7 @@ return NULL; } } -#elif defined(HAVE_LDAPSSL_CLIENT_INIT) +#elif HAVE_LDAPSSL_CLIENT_INIT ld = ldapssl_init(host, port, 1); if (!ld) { error((char *) "%s| %s: ERROR: Error while setting SSL for ldap server: %s\n", LogTime(), PROGRAM, ldapssl_err2string(rc)); @@ -774,13 +840,14 @@ { LDAP *ld = NULL; LDAPMessage *res; -#ifndef HAVE_SUN_LDAP_SDK +#if !HAVE_SUN_LDAP_SDK int ldap_debug = 0; #endif struct ldap_creds *lcreds = NULL; char *bindp = NULL; char *filter = NULL; char *search_exp; + size_t se_len = 0; struct timeval searchtime; int rc = 0, kc = 1; int retval; @@ -798,7 +865,7 @@ if (domain) { debug((char *) "%s| %s: DEBUG: Setup Kerberos credential cache\n", LogTime(), PROGRAM); -#ifdef HAVE_KRB5 +#if HAVE_KRB5 kc = krb5_create_cache(domain); if (kc) { error((char *) "%s| %s: ERROR: Error during setup of Kerberos credential cache\n", LogTime(), PROGRAM); @@ -809,14 +876,14 @@ #endif } - if (kc && (!margs->lurl || !margs->luser | !margs->lpass)) { + if (kc && (!margs->lurl || !margs->luser || !margs->lpass)) { /* * If Kerberos fails and no url given exit here */ retval = 0; goto cleanup; } -#ifndef HAVE_SUN_LDAP_SDK +#if !HAVE_SUN_LDAP_SDK /* * Initialise ldap */ 
@@ -850,7 +917,7 @@ * ldap bind with SASL/GSSAPI authentication (only possible if a domain was part of the username) */ -#if defined(HAVE_SASL_H) || defined(HAVE_SASL_SASL_H) || defined(HAVE_SASL_DARWIN) +#if HAVE_SASL_H || HAVE_SASL_SASL_H || HAVE_SASL_DARWIN debug((char *) "%s| %s: DEBUG: Bind to ldap server with SASL/GSSAPI\n", LogTime(), PROGRAM); rc = tool_sasl_bind(ld, bindp, margs->ssl); @@ -860,7 +927,7 @@ ld = NULL; continue; } - lcreds = (ldap_creds *) xmalloc(sizeof(struct ldap_creds)); + lcreds = (struct ldap_creds *) xmalloc(sizeof(struct ldap_creds)); lcreds->dn = NULL; lcreds->pw = margs->ssl ? xstrdup(margs->ssl) : NULL; ldap_set_rebind_proc(ld, ldap_sasl_rebind, (char *) lcreds); @@ -925,7 +992,7 @@ ld = NULL; continue; } - lcreds = (ldap_creds *) xmalloc(sizeof(struct ldap_creds)); + lcreds = (struct ldap_creds *) xmalloc(sizeof(struct ldap_creds)); lcreds->dn = xstrdup(margs->luser); lcreds->pw = xstrdup(margs->lpass); ldap_set_rebind_proc(ld, ldap_simple_rebind, (char *) lcreds); @@ -968,8 +1035,9 @@ ldap_filter_esc = escape_filter(user); - search_exp = (char *) xmalloc(strlen(filter) + strlen(ldap_filter_esc) + 1); - snprintf(search_exp, strlen(filter) + strlen(ldap_filter_esc) + 1, filter, ldap_filter_esc); + se_len = strlen(filter) + strlen(ldap_filter_esc) + 1; + search_exp = (char *) xmalloc(se_len); + snprintf(search_exp, se_len, filter, ldap_filter_esc); xfree(ldap_filter_esc); 
@@ -1075,17 +1143,21 @@ retval = 0; } - if (!margs->AD && retval == 0) { + if (retval == 0) { /* * Check for primary Group membership */ debug((char *) "%s| %s: DEBUG: Search for primary group membership: \"%s\"\n", LogTime(), PROGRAM, group); - filter = (char *) FILTER_UID; + if (margs->AD) + filter = (char *) FILTER_AD; + else + filter = (char *) FILTER_UID; ldap_filter_esc = escape_filter(user); - search_exp = (char *) xmalloc(strlen(filter) + strlen(ldap_filter_esc) + 1); - snprintf(search_exp, strlen(filter) + strlen(ldap_filter_esc) + 1, filter, ldap_filter_esc); + se_len = strlen(filter) + strlen(ldap_filter_esc) + 1; + search_exp = (char *) xmalloc(se_len); + snprintf(search_exp, se_len, filter, ldap_filter_esc); xfree(ldap_filter_esc); 
@@ -1097,29 +1169,107 @@ debug((char *) "%s| %s: DEBUG: Found %d ldap entr%s\n", LogTime(), PROGRAM, ldap_count_entries(ld, res), ldap_count_entries(ld, res) > 1 || ldap_count_entries(ld, res) == 0 ? "ies" : "y"); - max_attr = get_attributes(ld, res, ATTRIBUTE_GID, &attr_value); + max_attr = 0; + if (!rc) { + if (margs->AD) + max_attr = get_attributes(ld, res, ATTRIBUTE_GID_AD, &attr_value); + else + max_attr = get_attributes(ld, res, ATTRIBUTE_GID, &attr_value); + } if (max_attr == 1) { char **attr_value_2 = NULL; size_t max_attr_2 = 0; - ldap_msgfree(res); - filter = (char *) FILTER_GID; - - ldap_filter_esc = escape_filter(attr_value[0]); - - search_exp = (char *) xmalloc(strlen(filter) + strlen(ldap_filter_esc) + 1); - snprintf(search_exp, strlen(filter) + strlen(ldap_filter_esc) + 1, filter, ldap_filter_esc); + if (margs->AD) { + char **attr_value_3 = NULL; + int *attr_len_3 = NULL; + size_t max_attr_3 = 0; + uint32_t gid=atoi(attr_value[0]); + + /* Get objectsid and search for group + * with objectsid = domain(objectsid) + primarygroupid */ + debug((char *) "%s| %s: DEBUG: Got primaryGroupID %u\n", LogTime(), PROGRAM, gid); + max_attr_3 = get_bin_attributes(ld, res, ATTRIBUTE_SID, &attr_value_3, &attr_len_3); + ldap_msgfree(res); + if (max_attr_3 == 1) { + int len=attr_len_3[0]; + if (len < 4) { + debug((char *) "%s| %s: ERROR: Length %d is too short for objectSID\n", LogTime(), PROGRAM, len); + rc = 1; + } else { + char *se=NULL; + attr_value_3[0][len-1]=((gid>>24) & 0xff); + attr_value_3[0][len-2]=((gid>>16) & 0xff); + attr_value_3[0][len-3]=((gid>>8) & 0xff); + attr_value_3[0][len-4]=((gid>>0) & 0xff); + +#define FILTER_SID_1 "(objectSID=" +#define FILTER_SID_2 ")" + + se_len = strlen(FILTER_SID_1) + len*3 + strlen(FILTER_SID_2) + 1; + search_exp = (char *) xmalloc(se_len); + snprintf(search_exp, se_len, "%s", FILTER_SID_1 ); + + for (int j=0; j 1 || ldap_count_entries(ld, res) == 0 ? 
"ies" : "y"); - debug((char *) "%s| %s: DEBUG: Search ldap server with bind path %s and filter: %s\n", LogTime(), PROGRAM, bindp, search_exp); - rc = ldap_search_ext_s(ld, bindp, LDAP_SCOPE_SUBTREE, - search_exp, NULL, 0, - NULL, NULL, &searchtime, 0, &res); - xfree(search_exp); + } + } else { + rc = 1; + } + if (attr_value_3) { + size_t j; + for (j = 0; j < max_attr_3; ++j) { + xfree(attr_value_3[j]); + } + safe_free(attr_value_3); + } + if (attr_len_3) { + xfree(attr_len_3); + } + } else { + ldap_msgfree(res); + filter = (char *) FILTER_GID; + + ldap_filter_esc = escape_filter(attr_value[0]); + + se_len = strlen(filter) + strlen(ldap_filter_esc) + 1; + search_exp = (char *) xmalloc(se_len); + snprintf(search_exp, se_len, filter, ldap_filter_esc); + + xfree(ldap_filter_esc); + + debug((char *) "%s| %s: DEBUG: Search ldap server with bind path %s and filter: %s\n", LogTime(), PROGRAM, bindp, search_exp); + rc = ldap_search_ext_s(ld, bindp, LDAP_SCOPE_SUBTREE, + search_exp, NULL, 0, + NULL, NULL, &searchtime, 0, &res); + xfree(search_exp); + } - max_attr_2 = get_attributes(ld, res, ATTRIBUTE, &attr_value_2); + if (!rc) { + if (margs->AD) + max_attr_2 = get_attributes(ld, res, ATTRIBUTE_DN, &attr_value_2); + else + max_attr_2 = get_attributes(ld, res, ATTRIBUTE, &attr_value_2); + ldap_msgfree(res); + } else { + ldap_msgfree(res); + } /* * Compare group names */ @@ -1127,6 +1277,13 @@ if (max_attr_2 == 1) { /* Compare first CN= value assuming it is the same as the group name itself */ char *av = attr_value_2[0]; + if (!strncasecmp("CN=", av, 3)) { + char *avp = NULL; + av += 3; + if ((avp = strchr(av, ','))) { + *avp = '\0'; + } + } if (!strcasecmp(group, av)) { retval = 1; debug((char *) "%s| %s: DEBUG: \"%s\" matches group name \"%s\"\n", LogTime(), PROGRAM, av, group); 
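Review bot: On the `len < 4` path and the `} else { rc = 1; }` path of the new AD branch, `res` has already been released by the `ldap_msgfree(res);` that directly follows the `get_bin_attributes` call and is only reassigned by the successful objectSID search, yet control still reaches the trailing `} else { ldap_msgfree(res); }`, so from the visible lines the message is freed twice (part of this hunk is garbled in the listing, so confirm against the file). Separately, `uint32_t gid=atoi(attr_value[0]);` converts a directory-supplied primaryGroupID with no error check, so a non-numeric or out-of-range value silently becomes RID 0 and is spliced into the SID that is then searched for. The excerpt below nulls `res` after the first free, guards the tail free, and parses with `strtoul`, failing the lookup the same way the short-SID case does; `errno` needs `<errno.h>`, which squid.h presumably already provides. The `debug(... ERROR: Length %d is too short ...)` call on that error path should also be `error(...)` like the other error reports in this file.
```c
uint32_t gid = 0;
char *end = NULL;
errno = 0;
unsigned long v = strtoul(attr_value[0], &end, 10);
if (end == attr_value[0] || *end != '\0' || errno == ERANGE || v > 0xffffffffUL) {
    error((char *) "%s| %s: ERROR: Invalid primaryGroupID \"%s\"\n", LogTime(), PROGRAM, attr_value[0]);
    rc = 1;
} else {
    gid = (uint32_t) v;
}
max_attr_3 = get_bin_attributes(ld, res, ATTRIBUTE_SID, &attr_value_3, &attr_len_3);
ldap_msgfree(res);
res = NULL;                 /* the objectSID search below reassigns it on success */
if (!rc && max_attr_3 == 1) {
    /* … unchanged: objectSID length check, RID splice, filter build and search … */
} else {
    rc = 1;
}
/* … unchanged: attr_value_3 / attr_len_3 cleanup, non-AD FILTER_GID branch … */
if (!rc) {
    /* … unchanged: get_attributes on ATTRIBUTE_DN / ATTRIBUTE, ldap_msgfree(res) … */
} else if (res) {
    ldap_msgfree(res);
}
```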
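Review bot: The RDN extraction added at `if (!strncasecmp("CN=", av, 3))` cuts the value at the first `,` with `strchr`, but in an LDAP DN a comma inside the RDN is escaped as `\,` and AD distinguishedName values do carry such names, so a group like `CN=Sales\, EMEA,OU=...` is compared as `Sales\` and never matches. Walk to the first comma that is not preceded by a backslash (or use the SDK's `ldap_explode_dn` / `ldap_str2dn` where available) and unescape the RDN before `strcasecmp`. The same `strchr` logic is repeated in the recursive search further down, which argues for one `static char *rdn_value(char *dn)` helper used by both sites so the escaping rule lives in one place; a comment that the strip mutates `attr_value_2[0]` in place (harmless since it is freed below) would also help.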
@@ -1135,6 +1292,34 @@ } /* + * Do recursive group search for AD only since posixgroups can not contain other groups + */ + if (!retval && margs->AD) { + if (debug_enabled && max_attr_2 > 0) { + debug((char *) "%s| %s: DEBUG: Perform recursive group search\n", LogTime(), PROGRAM); + } + for (size_t j = 0; j < max_attr_2; ++j) { + char *av = NULL; + + av = attr_value_2[j]; + if (search_group_tree(margs, ld, bindp, av, group, 1)) { + retval = 1; + if (!strncasecmp("CN=", av, 3)) { + char *avp = NULL; + av += 3; + if ((avp = strchr(av, ','))) { + *avp = '\0'; + } + } + if (debug_enabled) { + debug((char *) "%s| %s: DEBUG: Entry %" PRIuSIZE " group \"%s\" is (in)direct member of group \"%s\"\n", LogTime(), PROGRAM, j + 1, av, group); + } else { + break; + } + } + } + } + /* * Cleanup */ if (attr_value_2) { @@ -1144,7 +1329,6 @@ } safe_free(attr_value_2); } - ldap_msgfree(res); debug((char *) "%s| %s: DEBUG: Users primary group %s %s\n", LogTime(), PROGRAM, retval ? "matches" : "does not match", group); @@ -1169,7 +1353,7 @@ } debug((char *) "%s| %s: DEBUG: Unbind ldap server\n", LogTime(), PROGRAM); cleanup: -#ifdef HAVE_KRB5 +#if HAVE_KRB5 if (domain) krb5_cleanup(); #endif diff -ru trunk/helpers/external_acl/kerberos_ldap_group/support_log.cc trunk-mm/helpers/external_acl/kerberos_ldap_group/support_log.cc --- trunk/helpers/external_acl/kerberos_ldap_group/support_log.cc 2014-02-21 15:38:36.783293000 +0000 +++ trunk-mm/helpers/external_acl/kerberos_ldap_group/support_log.cc 2014-08-10 11:32:05.185642709 +0100 @@ -24,7 +24,7 @@ #include "squid.h" -#ifdef HAVE_LDAP +#if HAVE_LDAP #include "support.h" #include diff -ru trunk/helpers/external_acl/kerberos_ldap_group/support_lserver.cc trunk-mm/helpers/external_acl/kerberos_ldap_group/support_lserver.cc --- trunk/helpers/external_acl/kerberos_ldap_group/support_lserver.cc 2013-09-28 00:37:39.207515000 +0100 +++ trunk-mm/helpers/external_acl/kerberos_ldap_group/support_lserver.cc 2014-08-10 11:32:05.186642709 +0100 
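Review bot: The recursive search added here treats `search_group_tree()` returning 0 as "not a member", but the same function returns 0 on an LDAP search error as well (this patch removes its `ldap_unbind_s` on that path without changing the return), so a transient directory fault during recursion denies rather than grants; that is the right default for an ACL helper but it is not stated anywhere. Add `/* search_group_tree() returns 0 for both "not a member" and an LDAP error: a directory fault fails closed */` above the loop. Also note in a comment that the `break` is deliberately skipped when `debug_enabled` so every branch is logged, otherwise the asymmetric `if (debug_enabled) {...} else { break; }` reads like a bug.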
@@ -25,7 +25,7 @@ #include "squid.h" #include "util.h" -#ifdef HAVE_LDAP +#if HAVE_LDAP #include "support.h" struct lsstruct *init_ls(void); diff -ru trunk/helpers/external_acl/kerberos_ldap_group/support_member.cc trunk-mm/helpers/external_acl/kerberos_ldap_group/support_member.cc --- trunk/helpers/external_acl/kerberos_ldap_group/support_member.cc 2013-09-28 00:37:39.207515000 +0100 +++ trunk-mm/helpers/external_acl/kerberos_ldap_group/support_member.cc 2014-08-10 11:32:05.187642709 +0100 @@ -25,7 +25,7 @@ #include "squid.h" #include "util.h" -#ifdef HAVE_LDAP +#if HAVE_LDAP #include "support.h" diff -ru trunk/helpers/external_acl/kerberos_ldap_group/support_netbios.cc trunk-mm/helpers/external_acl/kerberos_ldap_group/support_netbios.cc --- trunk/helpers/external_acl/kerberos_ldap_group/support_netbios.cc 2013-09-28 00:37:39.207515000 +0100 +++ trunk-mm/helpers/external_acl/kerberos_ldap_group/support_netbios.cc 2014-08-10 11:32:05.187642709 +0100 @@ -25,7 +25,7 @@ #include "squid.h" #include "util.h" -#ifdef HAVE_LDAP +#if HAVE_LDAP #include "support.h" diff -ru trunk/helpers/external_acl/kerberos_ldap_group/support_resolv.cc trunk-mm/helpers/external_acl/kerberos_ldap_group/support_resolv.cc --- trunk/helpers/external_acl/kerberos_ldap_group/support_resolv.cc 2014-06-02 18:48:28.346610000 +0100 +++ trunk-mm/helpers/external_acl/kerberos_ldap_group/support_resolv.cc 2014-08-10 11:32:05.188642709 +0100 
@@ -25,20 +25,20 @@ #include "squid.h" #include "util.h" -#ifdef HAVE_LDAP +#if HAVE_LDAP #include "support.h" #include -#ifdef HAVE_NETDB_H +#if HAVE_NETDB_H #include #endif -#ifdef HAVE_NETINET_IN_H +#if HAVE_NETINET_IN_H #include #endif -#ifdef HAVE_RESOLV_H +#if HAVE_RESOLV_H #include #endif -#ifdef HAVE_ARPA_NAMESER_H +#if HAVE_ARPA_NAMESER_H #include #endif diff -ru trunk/helpers/external_acl/kerberos_ldap_group/support_sasl.cc trunk-mm/helpers/external_acl/kerberos_ldap_group/support_sasl.cc --- trunk/helpers/external_acl/kerberos_ldap_group/support_sasl.cc 2013-09-28 00:37:39.207515000 +0100 +++ trunk-mm/helpers/external_acl/kerberos_ldap_group/support_sasl.cc 2014-08-10 11:32:05.190642709 +0100 @@ -25,15 +25,15 @@ #include "squid.h" #include "util.h" -#ifdef HAVE_LDAP +#if HAVE_LDAP #include "support.h" -#ifdef HAVE_SASL_H +#if HAVE_SASL_H #include -#elif defined(HAVE_SASL_SASL_H) +#elif HAVE_SASL_SASL_H #include -#elif defined(HAVE_SASL_DARWIN) +#elif HAVE_SASL_DARWIN typedef struct sasl_interact { unsigned long id; /* same as client/user callback ID */ const char *challenge; /* presented to user (e.g. OTP challenge) */ @@ -52,7 +52,7 @@ #define SASL_CB_LIST_END 0 /* end of list */ #endif -#if defined(HAVE_SASL_H) || defined(HAVE_SASL_SASL_H) || defined(HAVE_SASL_DARWIN) +#if HAVE_SASL_H || HAVE_SASL_SASL_H || HAVE_SASL_DARWIN void *lutil_sasl_defaults( LDAP * ld, char *mech, @@ -216,7 +216,7 @@ /* * Avoid SASL messages */ -#ifdef HAVE_SUN_LDAP_SDK +#if HAVE_SUN_LDAP_SDK unsigned sasl_flags = LDAP_SASL_INTERACTIVE; #else unsigned sasl_flags = LDAP_SASL_QUIET; diff -ru trunk/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.cc trunk-mm/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.cc --- trunk/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.cc 2014-02-21 15:38:36.783293000 +0000 +++ trunk-mm/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.cc 2014-08-10 11:32:05.191642709 +0100 
@@ -149,7 +149,7 @@ krb5_context context = NULL; krb5_error_code ret; krb5_pac pac; -#if HAVE_HEIMDAL_KERBEROS +#if USE_HEIMDAL_KRB5 gss_buffer_desc data_set = GSS_C_EMPTY_BUFFER; #else gss_buffer_desc type_id = GSS_C_EMPTY_BUFFER; @@ -396,7 +396,7 @@ #if HAVE_PAC_SUPPORT ret = krb5_init_context(&context); if (!check_k5_err(context, "krb5_init_context", ret)) { -#if HAVE_HEIMDAL_KERBEROS +#if USE_HEIMDAL_KRB5 #define ADWIN2KPAC 128 major_status = gsskrb5_extract_authz_data_from_sec_context(&minor_status, gss_context, ADWIN2KPAC, &data_set); diff -ru trunk/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth_test.cc trunk-mm/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth_test.cc --- trunk/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth_test.cc 2014-02-21 15:38:36.783293000 +0000 +++ trunk-mm/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth_test.cc 2014-08-10 11:32:05.192642709 +0100 @@ -42,13 +42,22 @@ #include "base64.h" #include "util.h" +#if USE_HEIMDAL_KRB5 +#if HAVE_GSSAPI_GSSAPI_H +#include +#elif HAVE_GSSAPI_H +#include +#endif +#elif USE_GNUGSS +#if HAVE_GSS_H +#include +#endif +#else #if HAVE_GSSAPI_GSSAPI_H #include #elif HAVE_GSSAPI_H #include #endif - -#if !HAVE_HEIMDAL_KERBEROS #if HAVE_GSSAPI_GSSAPI_KRB5_H #include #endif diff -ru trunk/helpers/negotiate_auth/kerberos/negotiate_kerberos.h trunk-mm/helpers/negotiate_auth/kerberos/negotiate_kerberos.h --- trunk/helpers/negotiate_auth/kerberos/negotiate_kerberos.h 2014-02-21 15:38:36.783293000 +0000 +++ trunk-mm/helpers/negotiate_auth/kerberos/negotiate_kerberos.h 2014-08-10 11:32:05.192642709 +0100 
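Review bot: The rename from `HAVE_HEIMDAL_KERBEROS` to `USE_HEIMDAL_KRB5` at `#if USE_HEIMDAL_KRB5` has no compile-time safety net: an `#if` on a macro that is no longer defined evaluates to `0` without any diagnostic, so a site the patch missed would silently compile the MIT `type_id` path against Heimdal headers and likely surface only at link or run time. The same applies to the `HAVE_NAS_KERBEROS` to `USE_IBM_KERBEROS` rename in the peer_proxy_negotiate_auth.cc hunk at `-94,7` and the remaining `USE_HEIMDAL_KRB5` hunks in that file. A search of the tree for the old names, or a build with `-Wundef`, before merge would close that gap, and a comment at the first use such as `/* USE_HEIMDAL_KRB5 replaces the former HAVE_HEIMDAL_KERBEROS test */` helps readers comparing against older branches. The enclosing function starts outside the hunk.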
@@ -58,13 +58,25 @@ #endif #endif /* HAVE_KRB5_H */ +#if USE_HEIMDAL_KRB5 +#if HAVE_GSSAPI_GSSAPI_H +#include +#elif HAVE_GSSAPI_H +#include +#endif +#if HAVE_GSSAPI_GSSAPI_KRB5_H +#include +#endif +#elif USE_GNUGSS +#if HAVE_GSS_H +#include +#endif +#else #if HAVE_GSSAPI_GSSAPI_H #include #elif HAVE_GSSAPI_H #include #endif - -#if !HAVE_HEIMDAL_KERBEROS #if HAVE_GSSAPI_GSSAPI_KRB5_H #include #endif @@ -74,10 +86,6 @@ #if HAVE_GSSAPI_GSSAPI_EXT_H #include #endif -#else -#if HAVE_GSSAPI_GSSAPI_KRB5_H -#include -#endif #endif #ifndef gss_nt_service_name @@ -119,7 +127,7 @@ char *gethost_name(void); -#if (defined(HAVE_GSSKRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT) || defined(HAVE_GSS_MAP_NAME_TO_ANY)) && HAVE_KRB5_PAC +#if (HAVE_GSSKRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT || HAVE_GSS_MAP_NAME_TO_ANY) && HAVE_KRB5_PAC #define HAVE_PAC_SUPPORT 1 #define MAX_PAC_GROUP_SIZE 200*60 typedef struct { diff -ru trunk/helpers/negotiate_auth/kerberos/negotiate_kerberos_pac.cc trunk-mm/helpers/negotiate_auth/kerberos/negotiate_kerberos_pac.cc --- trunk/helpers/negotiate_auth/kerberos/negotiate_kerberos_pac.cc 2013-10-25 23:17:10.822094000 +0100 +++ trunk-mm/helpers/negotiate_auth/kerberos/negotiate_kerberos_pac.cc 2014-08-10 11:32:05.192642709 +0100 @@ -355,7 +355,7 @@ char **Rids=NULL; int l=0; - ad_data = (krb5_data *)xmalloc(sizeof(krb5_data)); + ad_data = (krb5_data *)xcalloc(1,sizeof(krb5_data)); #define KERB_LOGON_INFO 1 ret = krb5_pac_get_buffer(context, pac, KERB_LOGON_INFO, ad_data); diff -ru trunk/helpers/negotiate_auth/kerberos/required.m4 trunk-mm/helpers/negotiate_auth/kerberos/required.m4 --- trunk/helpers/negotiate_auth/kerberos/required.m4 2013-09-28 00:37:39.207515000 +0100 +++ trunk-mm/helpers/negotiate_auth/kerberos/required.m4 2014-08-10 11:32:05.194642709 +0100 
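Review bot: The `xcalloc(1,sizeof(krb5_data))` line fixes the initialisation but nothing in the hunk records why zeroing matters; presumably the cleanup after `krb5_pac_get_buffer` (outside this hunk) releases `ad_data->data` even when the call fails, which with `xmalloc` meant handing an indeterminate pointer to the release function. A comment such as `/* zeroed: cleanup frees ad_data->data even if krb5_pac_get_buffer fails - confirm */` would capture that. If `ad_data` does not outlive the function, a stack `krb5_data ad_data_buf = {0};` would remove the heap allocation and its matching release altogether. The enclosing function begins and ends outside the hunk.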
@@ -1,2 +1,3 @@ -# FIXME: use other kerberos library checks from main configure.ac -AC_CHECK_HEADERS([gssapi/gssapi.h gssapi.h kerberosV/gssapi.h],[BUILD_HELPER="kerberos"]) +if test "x$with_krb5" == "xyes"; then + BUILD_HELPER="kerberos" +fi diff -ru trunk/src/peer_proxy_negotiate_auth.cc trunk-mm/src/peer_proxy_negotiate_auth.cc --- trunk/src/peer_proxy_negotiate_auth.cc 2013-09-28 00:37:39.207515000 +0100 +++ trunk-mm/src/peer_proxy_negotiate_auth.cc 2014-08-10 11:32:05.194642709 +0100 @@ -61,6 +61,7 @@ #elif HAVE_GSSAPI_H #include #endif /* HAVE_GSSAPI_H */ +#if !USE_HEIMDAL_KRB5 #if HAVE_GSSAPI_GSSAPI_EXT_H #include #endif /* HAVE_GSSAPI_GSSAPI_EXT_H */ @@ -70,15 +71,16 @@ #if HAVE_GSSAPI_GSSAPI_GENERIC_H #include #endif /* HAVE_GSSAPI_GSSAPI_GENERIC_H */ +#endif /* !USE_HEIMDAL_KRB5 */ #ifndef gss_nt_service_name #define gss_nt_service_name GSS_C_NT_HOSTBASED_SERVICE #endif -#if !HAVE_ERROR_MESSAGE && HAVE_KRB5_GET_ERR_TEXT -#define error_message(code) krb5_get_err_text(kparam.context,code) -#elif !HAVE_ERROR_MESSAGE && HAVE_KRB5_GET_ERROR_MESSAGE +#if !HAVE_ERROR_MESSAGE && HAVE_KRB5_GET_ERR_MESSAGE #define error_message(code) krb5_get_error_message(kparam.context,code) +#elif !HAVE_ERROR_MESSAGE && HAVE_KRB5_GET_ERROR_TEXT +#define error_message(code) krb5_get_err_text(kparam.context,code) #elif !HAVE_ERROR_MESSAGE static char err_code[17]; const char *KRB5_CALLCONV @@ -94,7 +96,7 @@ gss_OID gss_mech_spnego = &_gss_mech_spnego; #endif -#if HAVE_NAS_KERBEROS +#if USE_IBM_KERBEROS #include const char *KRB5_CALLCONV error_message(long code) { char *msg = NULL; @@ -210,7 +212,7 @@ static krb5_keytab_entry entry; static krb5_kt_cursor cursor; static krb5_creds *creds = NULL; -#if HAVE_HEIMDAL_KERBEROS && !HAVE_KRB5_GET_RENEWED_CREDS +#if USE_HEIMDAL_KRB5 && !HAVE_KRB5_GET_RENEWED_CREDS static krb5_creds creds2; #endif static krb5_principal principal = NULL; 
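Review bot: `if test "x$with_krb5" == "xyes"; then` uses `==`, which POSIX `test` does not define; configure runs under `/bin/sh`, and on dash-based systems that line fails with an "unexpected operator" error so the helper is never selected, so it should read `if test "x$with_krb5" = "xyes"; then`. Replacing the header probe with a test on `$with_krb5` also changes the default: the helper is now built only when that variable is exactly `yes`, so if the main configure leaves it unset or uses another value (not visible here) the negotiate helper silently drops out of the build. A short comment above the test, e.g. `# built only when --with-krb5 selected a library; no separate header probe here`, would make the dependency explicit.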
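Review bot: The new guards `HAVE_KRB5_GET_ERR_MESSAGE` (around `krb5_get_error_message`) and `HAVE_KRB5_GET_ERROR_TEXT` (around `krb5_get_err_text`) look swapped relative to the function names: `AC_CHECK_FUNCS` derives `HAVE_KRB5_GET_ERROR_MESSAGE` and `HAVE_KRB5_GET_ERR_TEXT`, which is what the removed lines used. Unless the configure side was renamed to match (not visible here), neither branch is taken and every build drops to the `#elif !HAVE_ERROR_MESSAGE` fallback with its 17-byte `err_code` buffer, so Kerberos failures are reported as bare numbers instead of text, a quiet regression rather than a build error. Suggested lines: `#if !HAVE_ERROR_MESSAGE && HAVE_KRB5_GET_ERROR_MESSAGE` and `#elif !HAVE_ERROR_MESSAGE && HAVE_KRB5_GET_ERR_TEXT`, keeping the new ordering that prefers `krb5_get_error_message`.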
@@ -226,7 +228,7 @@ #if HAVE_PROFILE_H && HAVE_KRB5_GET_PROFILE && HAVE_PROFILE_GET_INTEGER && HAVE_PROFILE_RELEASE profile_t profile; #endif -#if HAVE_HEIMDAL_KERBEROS && !HAVE_KRB5_GET_RENEWED_CREDS +#if USE_HEIMDAL_KRB5 && !HAVE_KRB5_GET_RENEWED_CREDS krb5_kdc_flags flags; #if HAVE_KRB5_PRINCIPAL_GET_REALM const char *client_realm; @@ -329,9 +331,9 @@ error_message(code)); return (1); } -#elif HAVE_KRB5_GET_MAX_TIME_SKEW && HAVE_HEIMDAL_KERBEROS +#elif USE_HEIMDAL_KRB5 && HAVE_KRB5_GET_MAX_TIME_SKEW skew = krb5_get_max_time_skew(kparam.context); -#elif HAVE_MAX_SKEW_IN_KRB5_CONTEXT && HAVE_HEIMDAL_KERBEROS +#elif USE_HEIMDAL_KRB5 && HAVE_MAX_SKEW_IN_KRB5_CONTEXT skew = kparam.context->max_skew; #else skew = DEFAULT_SKEW; @@ -384,7 +386,7 @@ error_message(code)); return (1); } -#if HAVE_HEIMDAL_KERBEROS || ( HAVE_KRB5_KT_FREE_ENTRY && HAVE_DECL_KRB5_KT_FREE_ENTRY) +#if USE_HEIMDAL_KRB5 || ( HAVE_KRB5_KT_FREE_ENTRY && HAVE_DECL_KRB5_KT_FREE_ENTRY) code = krb5_kt_free_entry(kparam.context, &entry); #else code = krb5_free_keytab_entry_contents(kparam.context, &entry); diff -ru trunk/tools/squidclient/gssapi_support.h trunk-mm/tools/squidclient/gssapi_support.h --- trunk/tools/squidclient/gssapi_support.h 2014-03-30 12:45:22.653414000 +0100 +++ trunk-mm/tools/squidclient/gssapi_support.h 2014-08-10 11:32:05.194642709 +0100 @@ -3,13 +3,23 @@ #if HAVE_GSSAPI + +#if USE_HEIMDAL_KRB5 +#if HAVE_GSSAPI_GSSAPI_H +#include +#elif HAVE_GSSAPI_H +#include +#endif /* HAVE_GSSAPI_GSSAPI_H/HAVE_GSSAPI_H */ +#elif USE_GNUGSS +#if HAVE_GSS_H +#include +#endif +#else #if HAVE_GSSAPI_GSSAPI_H #include #elif HAVE_GSSAPI_H #include #endif /* HAVE_GSSAPI_GSSAPI_H/HAVE_GSSAPI_H */ - -#if !HAVE_HEIMDAL_KERBEROS #if HAVE_GSSAPI_GSSAPI_KRB5_H #include #endif