gssapi: allow auto-select-group option to work
@@ -77,3 +77,30 @@ unsigned found;
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
void unix_group_list(void *pool, unsigned gid_min, char ***groupname, unsigned *groupname_size)
|
||||
{
|
||||
struct group *grp;
|
||||
|
||||
setgrent();
|
||||
|
||||
*groupname_size = 0;
|
||||
*groupname = talloc_size(pool, sizeof(char*)*MAX_GROUPS);
|
||||
if (*groupname == NULL) {
|
||||
goto exit;
|
||||
}
|
||||
|
||||
while((grp = getgrent()) != NULL && (*groupname_size) < MAX_GROUPS) {
|
||||
if (grp->gr_gid >= gid_min) {
|
||||
(*groupname)[(*groupname_size)] = talloc_strdup(*groupname, grp->gr_name);
|
||||
if ((*groupname)[(*groupname_size)] == NULL)
|
||||
break;
|
||||
(*groupname_size)++;
|
||||
}
|
||||
}
|
||||
|
||||
exit:
|
||||
endgrent();
|
||||
return;
|
||||
}
|
||||
|
||||
|
||||
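Review bot: unix_group_list silently truncates at MAX_GROUPS (the `(*groupname_size) < MAX_GROUPS` bound on the while loop) and returns a partial list when talloc_strdup fails, and none of that, nor the ownership of the returned array, is documented for the callers that feed this list to auto-select-group. A header comment above the function should state that the array is talloc'd under `pool` with each name allocated under `*groupname`, that at most MAX_GROUPS entries are returned and later groups are skipped, and that `*groupname` is NULL with `*groupname_size` 0 on allocation failure; a short form would be `/* List local group names with gid >= gid_min into *groupname (talloc'd under pool); capped at MAX_GROUPS, NULL/0 on OOM. */`. Since getgrent() walks process-global state, a note that the function is not reentrant is worth adding as well. Consider logging when the cap is hit so a truncated group list is visible rather than silent.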
@@ -1,2 +1,3 @@
|
||||
int get_user_auth_group(const char *username, const char *suggested,
|
||||
char *groupname, int groupname_size);
|
||||
void unix_group_list(void *pool, unsigned gid_min, char ***groupname, unsigned *groupname_size);
|
||||
|
||||
@@ -350,6 +350,17 @@ static void gssapi_auth_deinit(void *ctx)
|
||||
talloc_free(ctx);
|
||||
}
|
||||
|
||||
static void gssapi_group_list(void *pool, void *_additional, char ***groupname, unsigned *groupname_size)
|
||||
{
|
||||
gssapi_cfg_st *config = _additional;
|
||||
gid_t min = 0;
|
||||
|
||||
if (config)
|
||||
min = config->gid_min;
|
||||
|
||||
unix_group_list(pool, min, groupname, groupname_size);
|
||||
}
|
||||
|
||||
const struct auth_mod_st gssapi_auth_funcs = {
|
||||
.type = AUTH_TYPE_GSSAPI,
|
||||
.auth_init = gssapi_auth_init,
|
||||
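Review bot: gssapi_group_list copies `config->gid_min`, declared `int` in the hunk at line 283, into a `gid_t` local and then passes it to unix_group_list's `unsigned gid_min` parameter, so the value crosses three integer types through implicit conversions; pam_group_list in the hunk at line 183 does the same. The parser already rejects negative values, so declaring the field as `unsigned` (or `gid_t`) and matching the local to the callee, `unsigned min = 0;`, would remove the conversions and the narrowing that could occur if gid_t is wider than unsigned on some platform. A one-line comment would also help readers of the callback table: `/* group_list callback: local groups with gid >= gid_min, or all groups when no [gssapi] config is given */`.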
@@ -360,6 +371,7 @@ const struct auth_mod_st gssapi_auth_funcs = {
|
||||
.auth_group = gssapi_auth_group,
|
||||
.global_init = gssapi_global_init,
|
||||
.global_deinit = gssapi_global_deinit,
|
||||
.group_list = gssapi_group_list
|
||||
};
|
||||
|
||||
#endif
|
||||
|
||||
@@ -317,33 +317,13 @@ struct pam_ctx_st * pctx = ctx;
|
||||
|
||||
static void pam_group_list(void *pool, void *_additional, char ***groupname, unsigned *groupname_size)
|
||||
{
|
||||
struct group *grp;
|
||||
struct pam_cfg_st *config = _additional;
|
||||
gid_t min = 0;
|
||||
|
||||
if (config)
|
||||
min = config->gid_min;
|
||||
|
||||
setgrent();
|
||||
|
||||
*groupname_size = 0;
|
||||
*groupname = talloc_size(pool, sizeof(char*)*MAX_GROUPS);
|
||||
if (*groupname == NULL) {
|
||||
goto exit;
|
||||
}
|
||||
|
||||
while((grp = getgrent()) != NULL && (*groupname_size) < MAX_GROUPS) {
|
||||
if (grp->gr_gid >= min) {
|
||||
(*groupname)[(*groupname_size)] = talloc_strdup(*groupname, grp->gr_name);
|
||||
if ((*groupname)[(*groupname_size)] == NULL)
|
||||
break;
|
||||
(*groupname_size)++;
|
||||
}
|
||||
}
|
||||
|
||||
exit:
|
||||
endgrent();
|
||||
return;
|
||||
unix_group_list(pool, min, groupname, groupname_size);
|
||||
}
|
||||
|
||||
const struct auth_mod_st pam_auth_funcs = {
|
||||
|
||||
@@ -32,6 +32,7 @@ typedef struct gssapi_cfg_st {
|
||||
char *keytab;
|
||||
unsigned no_local_map;
|
||||
time_t ticket_freshness_secs;
|
||||
int gid_min;
|
||||
} gssapi_cfg_st;
|
||||
|
||||
typedef struct radius_cfg_st {
|
||||
|
||||
@@ -105,7 +105,7 @@ An example configuration file follows.
|
||||
# Framed-IP-Address, Framed-IP-Netmask, MS-Primary-DNS-Server, MS-Secondary-DNS-Server,
|
||||
# Acct-Interim-Interval.
|
||||
#
|
||||
# gssapi[keytab=/etc/key.tab,require-local-user-map=false,tgt-freshness-time=900]
|
||||
# gssapi[keytab=/etc/key.tab,require-local-user-map=false,tgt-freshness-time=900,gid-min=1000]
|
||||
# The gssapi option allows to use authentication methods supported by GSSAPI,
|
||||
# such as Kerberos tickets with ocserv. It should be best used as an alternative
|
||||
# to PAM (i.e., have pam in auth and gssapi in enable-auth), to allow users with
|
||||
@@ -113,6 +113,8 @@ An example configuration file follows.
|
||||
# is true. The 'tgt-freshness-time' if set, it would require the TGT tickets presented
|
||||
# to have been issued within the provided number of seconds. That option is used to
|
||||
# restrict logins even if the KDC provides long time TGT tickets.
|
||||
# The gid-min option is used by auto-select-group option, in order to select the minimum
|
||||
# valid group ID.
|
||||
|
||||
#auth = "certificate"
|
||||
#auth = "pam"
|
||||
|
||||
@@ -125,6 +125,12 @@ void *gssapi_get_brackets_string(struct perm_cfg_st *config, const char *str)
|
||||
fprintf(stderr, "Invalid value for '%s': %s\n", vals[i].name, vals[i].value);
|
||||
exit(1);
|
||||
}
|
||||
} else if (c_strcasecmp(vals[i].name, "gid-min") == 0) {
|
||||
additional->gid_min = atoi(vals[i].value);
|
||||
if (additional->gid_min < 0) {
|
||||
fprintf(stderr, "error in gid-min value: %d\n", additional->gid_min);
|
||||
exit(1);
|
||||
}
|
||||
} else {
|
||||
fprintf(stderr, "unknown option '%s'\n", vals[i].name);
|
||||
exit(1);
|
||||
|
||||
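Review bot: `additional->gid_min = atoi(vals[i].value);` accepts any string, so `gid-min=abc` or a trailing garbage value silently becomes 0, which makes every local group eligible for auto-select-group instead of failing the configuration load; atoi also has undefined behaviour on out-of-range input. The `< 0` check on the next line only catches explicit negatives. Parse with strtol and reject empty input, trailing characters, ERANGE and values above INT_MAX, reporting the original string in the error; this needs `<errno.h>` and `<limits.h>` in scope if the file does not already include them. gssapi_get_brackets_string starts before and ends after this hunk.
```c
} else if (c_strcasecmp(vals[i].name, "gid-min") == 0) {
	char *end = NULL;
	long v;

	errno = 0;
	v = strtol(vals[i].value, &end, 10);
	if (end == vals[i].value || *end != '\0' || errno == ERANGE || v < 0 || v > INT_MAX) {
		fprintf(stderr, "error in gid-min value: %s\n", vals[i].value);
		exit(1);
	}
	additional->gid_min = (int)v;
} else {
	/* … unchanged: unknown option error … */
```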