-rw-r--r-- | Makefile | 4 | ||||
-rw-r--r-- | auth_ntlm_winbind.conf | 44 | ||||
-rw-r--r-- | mod_auth_ntlm_winbind-20060510-connect_http10.patch | 33 | ||||
-rw-r--r-- | mod_auth_ntlm_winbind-20070129-64bit.patch | 39 | ||||
-rw-r--r-- | mod_auth_ntlm_winbind.spec | 134 |
5 files changed, 254 insertions, 0 deletions
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..1e65467
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,4 @@
+SRCDIR := $(shell pwd)
+NAME := $(shell basename $(SRCDIR))
+include ../common/Makefile
+
diff --git a/auth_ntlm_winbind.conf b/auth_ntlm_winbind.conf
new file mode 100644
index 0000000..0dcf182
--- /dev/null
+++ b/auth_ntlm_winbind.conf
@@ -0,0 +1,44 @@
+#
+# mod_auth_ntlm_winbind allows authentication and authorisation over the Web
+# against a Windows NT/AD domain controllers, using Samba on the same
+# machine Apache is running on.
+# It uses "ntlm_auth" helper utility to operate with local winbindd(8) daemon,
+# which are standard parts of the Samba distribution.
+#
+# The same way Squid does NTLM authentication now.
+#
+
+LoadModule auth_ntlm_winbind_module modules/mod_auth_ntlm_winbind.so
+
+#
+# Make sure you have "KeepAlive On" in your Apache configuration,
+# else this module will not work!
+#
+
+#
+# example configuration for this module:
+#
+# <Directory "/var/www/auth">
+# AuthName "NTLM Authentication thingy"
+# NTLMAuth on
+# NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
+# NTLMBasicAuthoritative on
+# AuthType NTLM
+# require valid-user
+# </Directory>
+#
+# to enable 'Negotiate' authentication too:
+#
+# <Directory "/var/www/auth">
+# AuthName "NTLM Authentication thingy"
+# NTLMAuth on
+# NegotiateAuth on
+# NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
+# NegotiateAuthHelper "/usr/bin/ntlm_auth --helper-protocol=gss-spnego"
+# NTLMBasicAuthoritative on
+# AuthType NTLM
+# AuthType Negotiate
+# require valid-user
+# </Directory>
+#
+
diff --git a/mod_auth_ntlm_winbind-20060510-connect_http10.patch b/mod_auth_ntlm_winbind-20060510-connect_http10.patch
new file mode 100644
index 0000000..8921f64
--- /dev/null
+++ b/mod_auth_ntlm_winbind-20060510-connect_http10.patch
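Review bot: Neither sample `<Directory>` block in auth_ntlm_winbind.conf mentions transport security; the header comments only warn about KeepAlive. An NTLM challenge/response exchanged over plain HTTP can be captured and relayed, and if Basic credentials are accepted for the location (the module has a plaintext-helper path, visible in the 64bit patch later in this commit) the password itself would cross the wire. I would add a comment line above the examples such as `# Serve this location over HTTPS only, e.g. put "SSLRequireSSL" inside the <Directory> block.`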
@@ -0,0 +1,33 @@
+diff -bu mod_auth_ntlm_winbind/mod_auth_ntlm_winbind.c mod_auth_ntlm_winbind-OK/mod_auth_ntlm_winbind.c
+--- mod_auth_ntlm_winbind/mod_auth_ntlm_winbind.c 2006-05-11 17:52:54.000000000 +0400
++++ mod_auth_ntlm_winbind-OK/mod_auth_ntlm_winbind.c 2006-07-07 19:44:12.000000000 +0400
+@@ -997,6 +997,29 @@
+ : "Authorization");
+ const char *auth_line2;
+
++#ifdef APACHE2
++ /* ap_set_keepalive() does not check for
++ "Proxy-Connection: keep-alive", and therefore breaks NTLM auth
++ for the CONNECT proxying ("https" etc.) when a browser uses HTTP/1.0
++ for CONNECT (like IE6+ does).
++
++ An ugly work-around to fix it here:
++ When "CONNECT .... HTTP/1.0" without any "Connection: ..."
++ but with "Proxy-Connection: keep-alive", set "Connection: keep-alive"
++ manually (which will be successfully eaten by ap_set_keepalive() later)
++ */
++
++ if (r->method_number == M_CONNECT &&
++ r->proto_num == HTTP_VERSION(1,0) &&
++ !apr_table_get(r->headers_in, "Connection") &&
++ ap_find_token(r->pool,
++ apr_table_get(r->headers_in, "Proxy-Connection"),
++ "keep-alive") != 0
++ ) {
++ apr_table_mergen(r->headers_in, "Connection", "keep-alive");
++ }
++#endif
++
+ /* Trust the authentication on an existing connection */
+ if (ctxt->connected_user_authenticated && ctxt->connected_user_authenticated->user) {
+ /* internal redirects cause this to get called more than once
diff --git a/mod_auth_ntlm_winbind-20070129-64bit.patch b/mod_auth_ntlm_winbind-20070129-64bit.patch
new file mode 100644
index 0000000..55fd507
--- /dev/null
+++ b/mod_auth_ntlm_winbind-20070129-64bit.patch
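Review bot: The comment on the added `#ifdef APACHE2` block explains the keep-alive workaround but not its security consequence: the context line directly below trusts `ctxt->connected_user_authenticated` for every later request on the same connection. Keeping HTTP/1.0 CONNECT connections open therefore extends that per-connection trust, and if an intermediary in front of this server reuses one upstream connection for several clients, later requests would presumably inherit the first client's identity. I would append to the comment something like `/* NOTE: authentication is bound to the TCP connection; do not deploy behind a proxy or balancer that shares connections between clients. */`. Since the guard has just established that no `Connection` header is present, `apr_table_setn(r->headers_in, "Connection", "keep-alive");` states the intent more directly than `apr_table_mergen`. The enclosing function starts and ends outside the hunk.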
@@ -0,0 +1,39 @@
+diff -Nrbu mod_auth_ntlm_winbind/mod_auth_ntlm_winbind.c mod_auth_ntlm_winbind-OK/mod_auth_ntlm_winbind.c
+--- mod_auth_ntlm_winbind/mod_auth_ntlm_winbind.c 2007-06-22 17:47:51.000000000 +0400
++++ mod_auth_ntlm_winbind-OK/mod_auth_ntlm_winbind.c 2007-06-22 17:47:20.000000000 +0400
+@@ -495,7 +495,7 @@
+ char *newline;
+ char args_to_helper[HUGE_STRING_LEN];
+ char args_from_helper[HUGE_STRING_LEN];
+- unsigned int bytes_written;
++ size_t bytes_written;
+ int bytes_read;
+
+ if (( global_ntlm_context.ntlm_plaintext_helper = get_auth_helper( r, global_ntlm_context.ntlm_plaintext_helper, crec->ntlm_plaintext_helper, CLEANUP(cleanup_ntlm_plaintext_helper))) == NULL ) {
+@@ -539,7 +539,7 @@
+ #endif
+
+ if ( bytes_written < strlen( args_to_helper )) {
+- RDEBUG( "failed to write user/pass to helper - wrote %d bytes", bytes_written );
++ RDEBUG( "failed to write user/pass to helper - wrote %d bytes", (int) bytes_written );
+ apr_pool_destroy( global_ntlm_context.ntlm_plaintext_helper->pool );
+ apr_pool_destroy( ctxt->connected_user_authenticated->pool );
+ return HTTP_INTERNAL_SERVER_ERROR;
+@@ -624,7 +624,7 @@
+ char args_to_helper[HUGE_STRING_LEN];
+ char args_from_helper[HUGE_STRING_LEN];
+ ntlm_connection_context_t *ctxt = get_connection_context( r->connection );
+- unsigned int bytes_written;
++ size_t bytes_written;
+ int bytes_read;
+ struct _ntlm_auth_helper *auth_helper;
+
+@@ -690,7 +690,7 @@
+ bytes_written = ap_bwrite(auth_helper->out_to_helper, args_to_helper, strlen(args_to_helper));
+ #endif
+ if (bytes_written < strlen(args_to_helper)) {
+- RDEBUG("failed to write NTLMSSP string to helper - wrote %d bytes", bytes_written);
++ RDEBUG("failed to write NTLMSSP string to helper - wrote %d bytes", (int) bytes_written);
+ apr_pool_destroy(auth_helper->pool);
+ apr_pool_destroy(ctxt->connected_user_authenticated->pool);
+
diff --git a/mod_auth_ntlm_winbind.spec b/mod_auth_ntlm_winbind.spec
new file mode 100644
index 0000000..fb16595
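Review bot: With `bytes_written` now a `size_t`, the short-write test `bytes_written < strlen(args_to_helper)` is still an unsigned comparison, so it cannot catch a writer that reports failure with a negative return. The `ap_bwrite()` call in the 690 hunk looks like that case (it appears to return an int, -1 on error, in the non-APACHE2 build; worth confirming): -1 stored in a `size_t` compares greater than any string length, so the handler would go on to wait for a helper reply to a request that was never delivered. I would take the result in a signed variable and test it first, e.g. `int rc = ap_bwrite(...); if (rc < 0 || (size_t) rc < strlen(args_to_helper)) {`, and the same presumably applies to the write hidden above the `#endif` in the 539 hunk. For the log line, `%lu` with an `(unsigned long)` cast would match the unsigned value better than `(int)` with `%d`. Both functions start and end outside the hunks.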
--- /dev/null
+++ b/mod_auth_ntlm_winbind.spec
@@ -0,0 +1,134 @@
+%define moddir %(apxs -q LIBEXECDIR || echo be_happy_mock)
+%define svn 20070129svn713
+
+Summary: NTLM authentication for the Apache web server using winbind daemon
+Name: mod_auth_ntlm_winbind
+Version: 0.0.0
+Release: 0.13.%{svn}%{?dist}
+Group: System Environment/Daemons
+License: ASL 2.0
+URL: http://viewcvs.samba.org/cgi-bin/viewcvs.cgi/trunk/mod_auth_ntlm_winbind/?root=lorikeet
+
+#
+# svn export svn://svnanon.samba.org/lorikeet/trunk/mod_auth_ntlm_winbind mod_auth_ntlm_winbind
+# or:
+# wget -r -nH --cur-dirs=3 ftp://ftp.samba.org/pub/unpacked/lorikeet/mod_auth_ntlm_winbind
+# then:
+# tar -cvf - mod_auth_ntlm_winbind/ | gzip -c -9 > mod_ntlm_winbind-VERSION-SVN.tar.gz
+#
+Source0: mod_auth_ntlm_winbind-%{version}-%{svn}.tar.gz
+
+Source1: auth_ntlm_winbind.conf
+
+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+BuildRequires: httpd-devel >= 2.0.40, autoconf
+Requires: httpd >= 2.0.40
+Requires: httpd-mmn = %(cat %{_includedir}/httpd/.mmn || echo missing)
+# requires samba-common for /usr/bin/ntlm_auth ...
+Requires: samba-common
+Requires(post): shadow-utils
+
+Patch0: mod_auth_ntlm_winbind-20060510-connect_http10.patch
+Patch1: mod_auth_ntlm_winbind-20070129-64bit.patch
+
+
+%description
+The %{name} module allows authentication and authorisation over
+the Web against a Windows NT/AD domain controllers, using Samba on the same
+machine Apache is running on.
+It uses "ntlm_auth" helper utility to operate with local winbindd(8) daemon,
+which are standard parts of the Samba distribution.
+
+The same way Squid does NTLM authentication now.
+
+
+%prep
+%setup -q -n mod_auth_ntlm_winbind
+%patch0 -p1
+%patch1 -p1
+autoconf
+
+
+%build
+%configure
+
+# %{?_smp_mflags} is not needed -- only one file compiled
+make
+
+
+%install
+rm -rf $RPM_BUILD_ROOT
+
+mkdir -p $RPM_BUILD_ROOT%{moddir}
+make install DESTDIR=$RPM_BUILD_ROOT
+
+# Install the config file
+mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf.d
+install -m644 %{SOURCE1} $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf.d
+
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+
+%post
+/usr/sbin/usermod -a -G wbpriv apache >/dev/null 2>&1 || :
+
+
+%files
+%defattr(-,root,root,-)
+%{moddir}/*
+%config(noreplace) %{_sysconfdir}/httpd/conf.d/*
+%doc AUTHORS README
+
+
+%changelog
+* Wed Mar 28 2012 Remi Collet <RPMS@FamilleCollet.com> 0.0.0-0.13.20070129svn713
+- rebuild for remi repo and httpd 2.4
+
+* Tue Mar 27 2012 Dmitry Butskoy <Dmitry@Butskoy.name> 0.0.0-0.13.20070129svn713
+- Rebuilt for new httpd
+
+* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.0.0-0.12.20070129svn713
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.0.0-0.11.20070129svn713
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Sat Jul 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.0.0-0.10.20070129svn713
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Wed Feb 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.0.0-0.9.20070129svn713
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Fri Apr 4 2008 Dmitry Butskoy <Dmitry@Butskoy.name> 0.0.0-0.8.20070129svn713
+- note in config that Apache's "KeepAlive" must be "On" (#440446)
+
+* Mon Feb 18 2008 Fedora Release Engineering <rel-eng@fedoraproject.org> - 0.0.0-0.7.20070129svn713
+- Autorebuild for GCC 4.3
+
+* Wed Aug 29 2007 Fedora Release Engineering <rel-eng at fedoraproject dot org> -
0.0.0-0.6.20070129svn713 +- Rebuild for selinux ppc32 issue. + +* Fri Aug 17 2007 Dmitry Butskoy <Dmitry@Butskoy.name> +- Change License tag to "ASL 2.0" + +* Fri Jun 22 2007 Dmitry Butskoy <Dmitry@Butskoy.name> 0.0.0-0.5.20070129svn713 +- avoid gcc warnings on 64 bit systems + +* Wed Jun 20 2007 Dmitry Butskoy <Dmitry@Butskoy.name> 0.0.0-0.2.20070129svn713 +- spec file cleanup +- accepted for Fedora (review by Jason Tibbitts <tibbs@math.uh.edu>) + +* Wed Jun 13 2007 Dmitry Butskoy <Dmitry@Butskoy.name> 0.0.0-0.1.20070129svn713 +- change release field properly + +* Mon Mar 26 2007 Dmitry Butskoy <Dmitry@Butskoy.name> 0.0.0-0.svn713.1 +- update to svn release 713 +- special winbind's group is named "wbpriv" now + +* Thu Dec 21 2006 Dmitry Butskoy <Dmitry@Butskoy.name> 0.0.0-0.svn692.1 +- new initial release (svn version r692) +- add workaround patch for "CONNECT HTTP/1.0" proxy issue +- add post script for access to winbind's socket directory + |
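Review bot: The `%post` scriptlet adds the whole `apache` account to the `wbpriv` group and discards any failure with `>/dev/null 2>&1 || :`, without a comment saying what that grants. Per the changelog the group exists to give access to winbind's socket directory, so membership extends that access to everything running as apache (CGI scripts, other modules), not only this module's `ntlm_auth` helper; and if the group is missing at install time the package presumably installs cleanly while authentication silently fails. I would add a comment above the `usermod` line such as `# gives user apache access to winbindd's privileged socket dir (needed by ntlm_auth); applies to everything running as apache`, and consider letting stderr through. Separately, the Source0 recipe in the header comment fetches over anonymous `svn://` or `ftp://` and records no checksum, so the tarball's provenance cannot be verified from the spec.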