authorRemi Collet <fedora@famillecollet.com>2012-06-13 18:43:31 +0200
committerRemi Collet <fedora@famillecollet.com>2012-06-13 18:43:31 +0200
commitb894accf5c23cef90974ee9a5686cfb0d7a28c1b (patch)
tree4b8ff3518cc6fdfbf9855f38389518132be3fb72
reorg repoHEADmaster
-rw-r--r--Makefile4
-rw-r--r--auth_ntlm_winbind.conf44
-rw-r--r--mod_auth_ntlm_winbind-20060510-connect_http10.patch33
-rw-r--r--mod_auth_ntlm_winbind-20070129-64bit.patch39
-rw-r--r--mod_auth_ntlm_winbind.spec134
5 files changed, 254 insertions, 0 deletions
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..1e65467
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,4 @@
+SRCDIR := $(shell pwd)
+NAME := $(shell basename $(SRCDIR))
+include ../common/Makefile
+
diff --git a/auth_ntlm_winbind.conf b/auth_ntlm_winbind.conf
new file mode 100644
index 0000000..0dcf182
--- /dev/null
+++ b/auth_ntlm_winbind.conf
@@ -0,0 +1,44 @@
+#
+# mod_auth_ntlm_winbind allows authentication and authorisation over the Web
+# against a Windows NT/AD domain controllers, using Samba on the same
+# machine Apache is running on.
+# It uses "ntlm_auth" helper utility to operate with local winbindd(8) daemon,
+# which are standard parts of the Samba distribution.
+#
+# The same way Squid does NTLM authentication now.
+#
+
+LoadModule auth_ntlm_winbind_module modules/mod_auth_ntlm_winbind.so
+
+#
+# Make sure you have "KeepAlive On" in your Apache configuration,
+# else this module will not work!
+#
+
+#
+# example configuration for this module:
+#
+# <Directory "/var/www/auth">
+# AuthName "NTLM Authentication thingy"
+# NTLMAuth on
+# NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
+# NTLMBasicAuthoritative on
+# AuthType NTLM
+# require valid-user
+# </Directory>
+#
+# to enable 'Negotiate' authentication too:
+#
+# <Directory "/var/www/auth">
+# AuthName "NTLM Authentication thingy"
+# NTLMAuth on
+# NegotiateAuth on
+# NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
+# NegotiateAuthHelper "/usr/bin/ntlm_auth --helper-protocol=gss-spnego"
+# NTLMBasicAuthoritative on
+# AuthType NTLM
+# AuthType Negotiate
+# require valid-user
+# </Directory>
+#
+
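Review bot: Both commented `<Directory>` examples end in `require valid-user`, which admits every account winbind can authenticate, and the file gives no hint how to narrow that. A comment next to the `NTLMAuthHelper` line pointing at ntlm_auth's `--require-membership-of=` option would give admins a least-privilege starting point, e.g. `# To restrict access to one group, append --require-membership-of="EXAMPLE\group" (placeholder) to the helper command.` The "KeepAlive On" note should also say why it is needed: the module appears to authenticate the connection rather than each request (see the "Trust the authentication on an existing connection" context in the connect_http10 patch of this commit). That matters for any front-end that reuses one backend connection for several clients.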
diff --git a/mod_auth_ntlm_winbind-20060510-connect_http10.patch b/mod_auth_ntlm_winbind-20060510-connect_http10.patch
new file mode 100644
index 0000000..8921f64
--- /dev/null
+++ b/mod_auth_ntlm_winbind-20060510-connect_http10.patch
@@ -0,0 +1,33 @@
+diff -bu mod_auth_ntlm_winbind/mod_auth_ntlm_winbind.c mod_auth_ntlm_winbind-OK/mod_auth_ntlm_winbind.c
+--- mod_auth_ntlm_winbind/mod_auth_ntlm_winbind.c 2006-05-11 17:52:54.000000000 +0400
++++ mod_auth_ntlm_winbind-OK/mod_auth_ntlm_winbind.c 2006-07-07 19:44:12.000000000 +0400
+@@ -997,6 +997,29 @@
+ : "Authorization");
+ const char *auth_line2;
+
++#ifdef APACHE2
++ /* ap_set_keepalive() does not check for
++ "Proxy-Connection: keep-alive", and therefore breaks NTLM auth
++ for the CONNECT proxying ("https" etc.) when a browser uses HTTP/1.0
++ for CONNECT (like IE6+ does).
++
++ An ugly work-around to fix it here:
++ When "CONNECT .... HTTP/1.0" without any "Connection: ..."
++ but with "Proxy-Connection: keep-alive", set "Connection: keep-alive"
++ manually (which will be successfully eaten by ap_set_keepalive() later)
++ */
++
++ if (r->method_number == M_CONNECT &&
++ r->proto_num == HTTP_VERSION(1,0) &&
++ !apr_table_get(r->headers_in, "Connection") &&
++ ap_find_token(r->pool,
++ apr_table_get(r->headers_in, "Proxy-Connection"),
++ "keep-alive") != 0
++ ) {
++ apr_table_mergen(r->headers_in, "Connection", "keep-alive");
++ }
++#endif
++
+ /* Trust the authentication on an existing connection */
+ if (ctxt->connected_user_authenticated && ctxt->connected_user_authenticated->user) {
+ /* internal redirects cause this to get called more than once
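Review bot: The injected `Connection: keep-alive` at the `apr_table_mergen()` call feeds straight into the connection-level trust in the context lines just below ("Trust the authentication on an existing connection"), and the new comment does not record that consequence. For an HTTP/1.0 CONNECT client that arrives through an intermediary reusing one upstream connection, later requests on that connection would presumably be treated as the already-authenticated user. I would extend the comment with something like `/* NOTE: keeping the connection alive also keeps its authenticated identity; only safe when one client owns the connection */`. The block also rewrites `r->headers_in` for every matching request under `APACHE2`, so it is worth confirming it only runs where NTLM auth is enabled. The enclosing function starts and ends outside the hunk.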
diff --git a/mod_auth_ntlm_winbind-20070129-64bit.patch b/mod_auth_ntlm_winbind-20070129-64bit.patch
new file mode 100644
index 0000000..55fd507
--- /dev/null
+++ b/mod_auth_ntlm_winbind-20070129-64bit.patch
@@ -0,0 +1,39 @@
+diff -Nrbu mod_auth_ntlm_winbind/mod_auth_ntlm_winbind.c mod_auth_ntlm_winbind-OK/mod_auth_ntlm_winbind.c
+--- mod_auth_ntlm_winbind/mod_auth_ntlm_winbind.c 2007-06-22 17:47:51.000000000 +0400
++++ mod_auth_ntlm_winbind-OK/mod_auth_ntlm_winbind.c 2007-06-22 17:47:20.000000000 +0400
+@@ -495,7 +495,7 @@
+ char *newline;
+ char args_to_helper[HUGE_STRING_LEN];
+ char args_from_helper[HUGE_STRING_LEN];
+- unsigned int bytes_written;
++ size_t bytes_written;
+ int bytes_read;
+
+ if (( global_ntlm_context.ntlm_plaintext_helper = get_auth_helper( r, global_ntlm_context.ntlm_plaintext_helper, crec->ntlm_plaintext_helper, CLEANUP(cleanup_ntlm_plaintext_helper))) == NULL ) {
+@@ -539,7 +539,7 @@
+ #endif
+
+ if ( bytes_written < strlen( args_to_helper )) {
+- RDEBUG( "failed to write user/pass to helper - wrote %d bytes", bytes_written );
++ RDEBUG( "failed to write user/pass to helper - wrote %d bytes", (int) bytes_written );
+ apr_pool_destroy( global_ntlm_context.ntlm_plaintext_helper->pool );
+ apr_pool_destroy( ctxt->connected_user_authenticated->pool );
+ return HTTP_INTERNAL_SERVER_ERROR;
+@@ -624,7 +624,7 @@
+ char args_to_helper[HUGE_STRING_LEN];
+ char args_from_helper[HUGE_STRING_LEN];
+ ntlm_connection_context_t *ctxt = get_connection_context( r->connection );
+- unsigned int bytes_written;
++ size_t bytes_written;
+ int bytes_read;
+ struct _ntlm_auth_helper *auth_helper;
+
+@@ -690,7 +690,7 @@
+ bytes_written = ap_bwrite(auth_helper->out_to_helper, args_to_helper, strlen(args_to_helper));
+ #endif
+ if (bytes_written < strlen(args_to_helper)) {
+- RDEBUG("failed to write NTLMSSP string to helper - wrote %d bytes", bytes_written);
++ RDEBUG("failed to write NTLMSSP string to helper - wrote %d bytes", (int) bytes_written);
+ apr_pool_destroy(auth_helper->pool);
+ apr_pool_destroy(ctxt->connected_user_authenticated->pool);
+
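Review bot: Widening `bytes_written` to `size_t` leaves both short-write checks (`bytes_written < strlen(args_to_helper)`) blind to a failed write. On the visible non-APACHE2 path the result of `ap_bwrite()` is assigned directly into it, and if that call reports failure as a negative value it wraps to a huge unsigned number and the check passes. The request would then go on to read the helper's reply as though the credentials had been delivered. I would keep the signed result separately, `int rc = ap_bwrite(...); if (rc < 0 || (size_t) rc < strlen(args_to_helper))`, and log with `%lu` and `(unsigned long) bytes_written` rather than truncating to `int`. The APACHE2 branch of each write and the enclosing functions lie outside the hunks, so the same check should be confirmed there.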
diff --git a/mod_auth_ntlm_winbind.spec b/mod_auth_ntlm_winbind.spec
new file mode 100644
index 0000000..fb16595
--- /dev/null
+++ b/mod_auth_ntlm_winbind.spec
@@ -0,0 +1,134 @@
+%define moddir %(apxs -q LIBEXECDIR || echo be_happy_mock)
+%define svn 20070129svn713
+
+Summary: NTLM authentication for the Apache web server using winbind daemon
+Name: mod_auth_ntlm_winbind
+Version: 0.0.0
+Release: 0.13.%{svn}%{?dist}
+Group: System Environment/Daemons
+License: ASL 2.0
+URL: http://viewcvs.samba.org/cgi-bin/viewcvs.cgi/trunk/mod_auth_ntlm_winbind/?root=lorikeet
+
+#
+# svn export svn://svnanon.samba.org/lorikeet/trunk/mod_auth_ntlm_winbind mod_auth_ntlm_winbind
+# or:
+# wget -r -nH --cur-dirs=3 ftp://ftp.samba.org/pub/unpacked/lorikeet/mod_auth_ntlm_winbind
+# then:
+# tar -cvf - mod_auth_ntlm_winbind/ | gzip -c -9 > mod_ntlm_winbind-VERSION-SVN.tar.gz
+#
+Source0: mod_auth_ntlm_winbind-%{version}-%{svn}.tar.gz
+
+Source1: auth_ntlm_winbind.conf
+
+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+BuildRequires: httpd-devel >= 2.0.40, autoconf
+Requires: httpd >= 2.0.40
+Requires: httpd-mmn = %(cat %{_includedir}/httpd/.mmn || echo missing)
+# requires samba-common for /usr/bin/ntlm_auth ...
+Requires: samba-common
+Requires(post): shadow-utils
+
+Patch0: mod_auth_ntlm_winbind-20060510-connect_http10.patch
+Patch1: mod_auth_ntlm_winbind-20070129-64bit.patch
+
+
+%description
+The %{name} module allows authentication and authorisation over
+the Web against a Windows NT/AD domain controllers, using Samba on the same
+machine Apache is running on.
+It uses "ntlm_auth" helper utility to operate with local winbindd(8) daemon,
+which are standard parts of the Samba distribution.
+
+The same way Squid does NTLM authentication now.
+
+
+%prep
+%setup -q -n mod_auth_ntlm_winbind
+%patch0 -p1
+%patch1 -p1
+autoconf
+
+
+%build
+%configure
+
+# %{?_smp_mflags} is not needed -- only one file compiled
+make
+
+
+%install
+rm -rf $RPM_BUILD_ROOT
+
+mkdir -p $RPM_BUILD_ROOT%{moddir}
+make install DESTDIR=$RPM_BUILD_ROOT
+
+# Install the config file
+mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf.d
+install -m644 %{SOURCE1} $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf.d
+
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+
+%post
+/usr/sbin/usermod -a -G wbpriv apache >/dev/null 2>&1 || :
+
+
+%files
+%defattr(-,root,root,-)
+%{moddir}/*
+%config(noreplace) %{_sysconfdir}/httpd/conf.d/*
+%doc AUTHORS README
+
+
+%changelog
+* Wed Mar 28 2012 Remi Collet <RPMS@FamilleCollet.com> 0.0.0-0.13.20070129svn713
+- rebuild for remi repo and httpd 2.4
+
+* Tue Mar 27 2012 Dmitry Butskoy <Dmitry@Butskoy.name> 0.0.0-0.13.20070129svn713
+- Rebuilt for new httpd
+
+* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.0.0-0.12.20070129svn713
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.0.0-0.11.20070129svn713
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Sat Jul 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.0.0-0.10.20070129svn713
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Wed Feb 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.0.0-0.9.20070129svn713
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Fri Apr 4 2008 Dmitry Butskoy <Dmitry@Butskoy.name> 0.0.0-0.8.20070129svn713
+- note in config that Apache's "KeepAlive" must be "On" (#440446)
+
+* Mon Feb 18 2008 Fedora Release Engineering <rel-eng@fedoraproject.org> - 0.0.0-0.7.20070129svn713
+- Autorebuild for GCC 4.3
+
+* Wed Aug 29 2007 Fedora Release Engineering <rel-eng at fedoraproject dot org> - 0.0.0-0.6.20070129svn713
+- Rebuild for selinux ppc32 issue.
+
+* Fri Aug 17 2007 Dmitry Butskoy <Dmitry@Butskoy.name>
+- Change License tag to "ASL 2.0"
+
+* Fri Jun 22 2007 Dmitry Butskoy <Dmitry@Butskoy.name> 0.0.0-0.5.20070129svn713
+- avoid gcc warnings on 64 bit systems
+
+* Wed Jun 20 2007 Dmitry Butskoy <Dmitry@Butskoy.name> 0.0.0-0.2.20070129svn713
+- spec file cleanup
+- accepted for Fedora (review by Jason Tibbitts <tibbs@math.uh.edu>)
+
+* Wed Jun 13 2007 Dmitry Butskoy <Dmitry@Butskoy.name> 0.0.0-0.1.20070129svn713
+- change release field properly
+
+* Mon Mar 26 2007 Dmitry Butskoy <Dmitry@Butskoy.name> 0.0.0-0.svn713.1
+- update to svn release 713
+- special winbind's group is named "wbpriv" now
+
+* Thu Dec 21 2006 Dmitry Butskoy <Dmitry@Butskoy.name> 0.0.0-0.svn692.1
+- new initial release (svn version r692)
+- add workaround patch for "CONNECT HTTP/1.0" proxy issue
+- add post script for access to winbind's socket directory
+
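Review bot: The `%post` scriptlet adds the `apache` account to `wbpriv` and discards both output and exit status (`>/dev/null 2>&1 || :`), so the privilege change is invisible at install time and a missing group only surfaces later as failing authentication. Membership gives every process running as `apache` (CGI, scripting modules) access to winbind's privileged socket directory, not just this module. A comment above the line should say so, e.g. `# NOTE: grants all code running as apache access to winbindd's privileged socket directory`. No `%preun`/`%postun` removes the membership on uninstall. Separately, the Source0 recipe in the comment exports trunk over `svn://` or `ftp://` without pinning `-r 713`, so the tarball cannot be reproduced or verified from the spec alone.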