authorgreen <green@FreeBSD.org>2005-10-14 22:55:59 +0000
committergreen <green@FreeBSD.org>2005-10-14 22:55:59 +0000
commit1098126a8754760e4c2932140b519df4fcd0e57e (patch)
tree3f26193bdf83d82ecfe6f6fd5091df72516acea4 /www/mod_auth_kerb2
parent36570f0fad27a5523568e01249b8960b5161b786 (diff)
* Allow for compilation to optionally use the MIT Kerberos 5 port like
now, but default to the base system's Heimdal. * Use existing API to tell Heimdal's libkrb5 where the keytab is, rather than exporting an environment variable (which is what must be done for MIT's, apparently) -- this unbreaks specification of the keytab location in httpd.conf. * Rewrite the description to be far more accurate: no mention was made of this module doing real SPNEGO/GSSAPI/Kerberos (as opposed to "Kerberos password gateway") authentication. * Bump PORTREVISION. Approved by: MAINTAINER PR: ports/86963
Diffstat (limited to 'www/mod_auth_kerb2')
-rw-r--r--www/mod_auth_kerb2/Makefile35
-rw-r--r--www/mod_auth_kerb2/files/patch-src__mod_auth_kerb.c25
-rw-r--r--www/mod_auth_kerb2/pkg-descr23
-rw-r--r--www/mod_auth_kerb2/pkg-plist2
4 files changed, 63 insertions, 22 deletions
diff --git a/www/mod_auth_kerb2/Makefile b/www/mod_auth_kerb2/Makefile
index 909f016..a2f48ca 100644
--- a/www/mod_auth_kerb2/Makefile
+++ b/www/mod_auth_kerb2/Makefile
@@ -9,10 +9,12 @@
PORTNAME= mod_auth_kerb
PORTVERSION= 5.0.r6
-DISTNAME= mod_auth_kerb-5.0-rc6
+PORTREVISION= 1
CATEGORIES= www
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE}
MASTER_SITE_SUBDIR=modauthkerb
+DISTNAME= mod_auth_kerb-5.0-rc6
+
MAINTAINER= apache@FreeBSD.org
COMMENT= An Apache module for authenticating users with Kerberos v5
@@ -22,16 +24,31 @@ COMMENT= An Apache module for authenticating users with Kerberos v5
# (i.e., HTTP over SSL/TLS). Thus, we require as a dependency
# a version of Apache which can do this.
#
-LIB_DEPENDS= krb5.3:${PORTSDIR}/security/krb5
-
USE_APACHE= yes
-
-KRB5_HOME?= ${LOCALBASE}
-
# Don't fsck with CFLAGS
CFLAGS:=
-
GNU_CONFIGURE= yes
CONFIGURE_ARGS+=--with-krb5=${KRB5_HOME} --without-krb4
-
-.include <bsd.port.mk>
+OPTIONS+= BASE_KERBEROS5 "Use the base Kerberos 5 (Heimdal)"
+.if exists(/usr/lib/libkrb5.so)
+OPTIONS+= on
+.else
+OPTIONS+= off
+.endif
+
+.include <bsd.port.pre.mk>
+
+.if exists(${PREFIX}/sbin/apxs)
+APACHE_MODULE_DIR!=${PREFIX}/sbin/apxs -q LIBEXECDIR
+.else
+APACHE_MODULE_DIR=libexec/apache
+.endif
+PLIST_SUB+= APMODDIR=${APACHE_MODULE_DIR:S/^${PREFIX}\///}
+.if defined(WITH_BASE_KERBEROS5)
+KRB5_HOME= /usr
+.else
+LIB_DEPENDS+= krb5.3:${PORTSDIR}/security/krb5
+KRB5_HOME= ${LOCALBASE}
+.endif
+
+.include <bsd.port.post.mk>
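Review bot: `KRB5_HOME` is now assigned unconditionally in both branches of `.if defined(WITH_BASE_KERBEROS5)`, where the old line was `KRB5_HOME?= ${LOCALBASE}`, so a Kerberos prefix set outside the port Makefile (make.conf, for instance) presumably no longer reaches `--with-krb5=${KRB5_HOME}`. If that override is still meant to work for the MIT case, keep the conditional form in the `.else` branch: `KRB5_HOME?= ${LOCALBASE}`. Since the option default is keyed to `exists(/usr/lib/libkrb5.so)`, a short comment above the `OPTIONS+=` lines saying that this selects which Kerberos library the authentication module links against would help whoever later has to track security updates for it.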
diff --git a/www/mod_auth_kerb2/files/patch-src__mod_auth_kerb.c b/www/mod_auth_kerb2/files/patch-src__mod_auth_kerb.c
new file mode 100644
index 0000000..7c25d1a
--- /dev/null
+++ b/www/mod_auth_kerb2/files/patch-src__mod_auth_kerb.c
@@ -0,0 +1,25 @@
+--- src/mod_auth_kerb.c.orig Tue Aug 10 08:01:01 2004
++++ src/mod_auth_kerb.c Wed Oct 5 20:25:38 2005
+@@ -1108,6 +1108,7 @@
+ spnego_oid.elements = (void *)"\x2b\x06\x01\x05\x05\x02";
+
+ if (conf->krb_5_keytab) {
++#ifndef HEIMDAL
+ char *ktname;
+ /* we don't use the ap_* calls here, since the string passed to putenv()
+ * will become part of the enviroment and shouldn't be free()ed by apache
+@@ -1120,6 +1121,14 @@
+ }
+ sprintf(ktname, "KRB5_KTNAME=%s", conf->krb_5_keytab);
+ putenv(ktname);
++#else
++ ret = gsskrb5_register_acceptor_identity(conf->krb_5_keytab);
++ if (ret) {
++ log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "Setting KerberosV keytab failed: %s", strerror(errno));
++ ret = HTTP_INTERNAL_SERVER_ERROR;
++ goto end;
++ }
++#endif
+ }
+
+ ret = get_gss_creds(r, conf, &server_creds);
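Review bot: The failure message in the new `#else` branch formats `strerror(errno)`, but the only error signal visible here is the return value of `gsskrb5_register_acceptor_identity()`, which is a GSS-API status rather than an errno-setting call, so the logged reason may be stale or unrelated when the keytab is missing or unreadable. Log what is actually known instead, e.g. `log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "Setting KerberosV keytab %s failed (GSS status %d)", conf->krb_5_keytab, ret);` (assuming `ret` is an int, as the later `ret = HTTP_INTERNAL_SERVER_ERROR` suggests). A comment above the call should also record that the registered acceptor identity is, as far as I know, process-wide like the `KRB5_KTNAME` variable it replaces, so differing keytab settings in separate configuration scopes would still share one value; confirm against the Heimdal in base. The enclosing function starts and ends outside this hunk.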
diff --git a/www/mod_auth_kerb2/pkg-descr b/www/mod_auth_kerb2/pkg-descr
index 4dbb5e1..18a501b 100644
--- a/www/mod_auth_kerb2/pkg-descr
+++ b/www/mod_auth_kerb2/pkg-descr
@@ -1,14 +1,13 @@
-mod_auth_kerb is an Apache module for authenticating Web clients
-in a Kerberos v5 realm. Because the Kerberos password is transmitted
-in plain text, this module MUST be used in conjunction with an
-encryption-capable Web server (by default, apache13-modssl). There is
-no documentation provided; see the Web site for more details. This
-package is built with the KRB5_VERIFY_TICKET and KRB5_SAVE_CREDENTIALS
-options, and *without* Kerberos v4 support. In order to successfully
-authenticate users, the Web server will need a keytab file containing
-a key for the principal `www/my.host.name.example@MY.REALM.EXAMPLE'
-which is readable only by the user Apache runs as; the location of this
-keytab defaults to ${LOCALBASE}/etc/apache/keytab but can be modified
-in the server configuration.
+mod_auth_kerb is an Apache module for authenticating Web clients in a
+Kerberos v5 realm. Authentication may be performed via the Kerberos
+principal/password; it may also be done securely using SPNEGO (HTTP
+Negotiate auth protocol) to perform a GSSAPI/Kerberos authentication
+from the user's browser and Kerberos credentials directly to the server
+Kerberos credentials 'HTTP/host@REALM'. Because the Kerberos password is
+transmitted in plain text in the former mode, when using mod_auth_kerb
+for naive HTTP Basic (password-based) authentication, this module
+MUST be used in conjunction with an encryption-capable Web server
+(e.g. Apache) to keep that exchange private. There is no documentation
+provided; see the Web site for more details.
WWW: http://modauthkerb.sourceforge.net/
diff --git a/www/mod_auth_kerb2/pkg-plist b/www/mod_auth_kerb2/pkg-plist
index 9c53a96..e10a6259 100644
--- a/www/mod_auth_kerb2/pkg-plist
+++ b/www/mod_auth_kerb2/pkg-plist
@@ -1,3 +1,3 @@
-libexec/apache/mod_auth_kerb.so
+%%APMODDIR%%/mod_auth_kerb.so
@exec %D/sbin/apxs -e -A -n auth_kerb %D/%F
@unexec %D/sbin/apxs -e -A -n auth_kerb %D/%F