- Add OPTION to use Kerberos from the base system instead of requiring the port

- Add OPTION to apply a patch that allows one to specify the keytab location/SPN when using rlm_krb5
- Do not bump PORTREVISION

net/freeradius2/Makefile

@@ -25,11 +25,8 @@ LICENSE=	GPLv2
 
 LIB_DEPENDS=	gdbm.4:${PORTSDIR}/databases/gdbm
 
-USE_GMAKE=	yes
-
-USE_BZIP2=	yes
-
 LOGDIR?=	/var/log
+KRB5_CONFIG?=	/usr/bin/krb5-config --libs
 
 CONFLICTS=	gnu-radius-[0-9].* openradius-[0-9].* radiusd-cistron-[0-9].* \
 		freeradius-mysql-[0-9].* freeradius-[013-9].*
@@ -37,6 +34,7 @@ CONFLICTS=	gnu-radius-[0-9].* openradius-[0-9].* radiusd-cistron-[0-9].* \
 USE_RC_SUBR=	radiusd.sh
 USE_AUTOTOOLS=	libltdl libtool autoconf
 USE_GMAKE=	yes
+USE_BZIP2=	yes
 USE_OPENSSL=	yes
 MAKE_ARGS+=	LDFLAGS="-L${LOCALBASE}/lib ${PTHREAD_LIBS}"
 CFLAGS+=	-I${LOCALBASE}/include -L${LOCALBASE}/lib
@@ -47,6 +45,8 @@ PLIST_SUB=	PORTVERSION=${DISTVERSION}
 OPTIONS=	USER		"Run as user freeradius, group freeradius" on \
 		KERBEROS	"With Kerberos support" off \
 		HEIMDAL		"With Heimdal Kerberos support" off \
+		HEIMDAL_PORT	"Use Heimdal Kerberos from ports" off \
+		HEIMDAL_PATCH	"Enhanced Heimdal support (specify SPN/keytab)" off \
 		LDAP		"With LDAP database support" off \
 		MYSQL		"With MySQL database support" off \
 		PGSQL		"With PostgreSQL database support" off \
@@ -86,20 +86,33 @@ WITH_KERBEROS=	yes
 
 .ifdef(WITH_KERBEROS)
 .ifdef(WITH_HEIMDAL)
+.ifdef(WITH_HEIMDAL_PORT)
 LIB_DEPENDS+=	krb5.26:${PORTSDIR}/security/heimdal
+.endif
 CONFIGURE_ARGS+=--enable-heimdal-krb5
 .else
 LIB_DEPENDS+=	krb5.3:${PORTSDIR}/security/krb5
 .endif
 CONFIGURE_ARGS+=--with-rlm_krb5
+.if defined (WITH_HEIMDAL) && !defined(WITH_HEIMDAL_PORT)
+CONFIGURE_ARGS+=--with-rlm-krb5-lib-dir=/usr/lib
+CONFIGURE_ARGS+=--with-rlm-krb5-include-dir=/usr/include
+CONFIGURE_ENV+=	KRB5LIBS="$$(${KRB5_CONFIG})"
+.else
 CONFIGURE_ARGS+=--with-rlm-krb5-lib-dir=${LOCALBASE}/lib
 CONFIGURE_ARGS+=--with-rlm-krb5-include-dir=${LOCALBASE}/include
+.endif
 PLIST_SUB+=	KRB5=""
 .else
 CONFIGURE_ARGS+=--without-rlm_krb5
 PLIST_SUB+=	KRB5="@comment "
 .endif
 
+# Patch rlm_krb5.c to add Heimdal support for specifying keytab+SPN
+.ifdef(WITH_HEIMDAL_PATCH)
+EXTRA_PATCHES+= ${FILESDIR}/extra-patch-src__modules__rlm_krb5__rlm_krb5.c
+.endif
+
 .ifdef(WITH_LDAP)
 USE_OPENLDAP=	YES
 CONFIGURE_ARGS+=--with-rlm_ldap
@@ -333,6 +346,12 @@ post-patch:
 	@${FIND} -E ${WRKSRC}/raddb/certs \
 		-regex '.*/(bootstrap|Makefile)\.(orig|bak)$$' \
 		-delete
+# If we're using Heimdal from base, alter the LIBS variable
+.if defined(WITH_HEIMDAL) && !defined(WITH_HEIMDAL_PORT)
+	@${REINPLACE_CMD} -e 's|LIBS|KRB5LIBS|g' ${WRKSRC}/src/modules/rlm_krb5/configure
+	@${REINPLACE_CMD} -e 's|-lkrb5|$$(${KRB5_CONFIG})|g' \
+		${WRKSRC}/src/modules/rlm_krb5/configure
+.endif
 # If DHCPis enabled, enable the DHCP dictionary
 .ifdef(WITH_DHCP)
 	@${REINPLACE_CMD} -Ee 's:^#(.+ dictionary\.dhcp)$$:\1:g' \

net/freeradius2/files/extra-patch-src__modules__rlm_krb5__rlm_krb5.c

@@ -0,0 +1,131 @@
+--- ./src/modules/rlm_krb5/rlm_krb5.c.orig	2011-09-30 10:12:07.000000000 -0400
++++ ./src/modules/rlm_krb5/rlm_krb5.c	2012-01-29 12:06:04.000000000 -0500
+@@ -322,16 +322,41 @@
+ #else /* HEIMDAL_KRB5 */
+ 
+ /* validate user/pass, heimdal krb5 way */
+-static int krb5_auth(void *instance, REQUEST *request)
++static int krb5_auth(rlm_krb5_t *instance, REQUEST *request)
+ {
+ 	int r;
+-	krb5_error_code ret;
++	krb5_error_code ret, ret2;
+ 	krb5_ccache id;
+ 	krb5_principal userP;
+ 
+ 	krb5_context context = *((rlm_krb5_t *)instance)->context; /* copy data */
+ 	const char *user, *pass;
+ 
++	/* arbitrary 64-byte limit on service names; I've never seen a
++	   service name this long, and hope never to. -srl */
++	/* stolen from the above mit kerb stuff -- kula */
++
++	char service[64] = "host";
++	char *servername = NULL;
++	char *princ_name;
++
++	krb5_verify_opt krb_verify_options;
++	krb5_keytab keytab;
++
++	if (instance->service_princ != NULL) {
++		servername = strchr(instance->service_princ, '/');
++		if (servername != NULL) {
++			*servername = '\0';
++		}
++
++		strncpy(service,instance->service_princ,sizeof(service));
++		service[sizeof(service)-1] = '\0';
++		if (servername != NULL) {
++			*servername = '/';
++			servername++;
++		}
++	}
++
+ 	/*
+ 	 *	We can only authenticate user requests which HAVE
+ 	 *	a User-Name attribute.
+@@ -374,26 +399,70 @@
+ 	/*
+ 	 * Heimdal krb5 verification
+ 	 */
+-	radlog(L_AUTH, "rlm_krb5: Parsed name is: %s@%s\n",
+-	       *userP->name.name_string.val,
+-	       userP->realm);
++
++
++	/*
++	 *  The following bit allows us to also log user/instance@REALM if someone
++	 *  logs in using an instance
++	 */
++
++	ret = krb5_unparse_name(context, userP, &princ_name);
++	if ( ret != 0 ) {
++		radlog(L_AUTH, "rlm_krb5: krb5_unparse_name unparsable name\n");
++	} else {
++		radlog(L_AUTH, "rlm_krb5: Parsed name is: %s\n", princ_name);
++		free(princ_name);
++	}
+ 
+ 	krb5_cc_default(context, &id);
+ 
+-	ret = krb5_verify_user(context,
+-			       userP,
+-			       id,
+-			       pass, 1, "radius");
++        /* Set up krb5_verify_user options */
++        krb5_verify_opt_init(&krb_verify_options);
+ 
+-       if (ret == 0)
+-	 return RLM_MODULE_OK;
++        krb5_verify_opt_set_ccache(&krb_verify_options, id);
+ 
+-       radlog(L_AUTH, "rlm_krb5: failed verify_user: %s (%s@%s )",
+-	      error_message(ret),
+-	      *userP->name.name_string.val,
+-	      userP->realm);
++        /*
++	 *  Resolve keytab name. This allows us to use something other than
++	 *  the default system keytab
++	 */
+ 
+-       return RLM_MODULE_REJECT;
++	if (instance->keytab != NULL)
++	{
++		ret = krb5_kt_resolve(context, instance->keytab, &keytab);
++
++		if ( ret )
++		{
++			radlog(L_AUTH, "rlm_krb: unable to resolve keytab %s: %s",
++			       instance->keytab, error_message(ret));
++			krb5_kt_close(context, keytab);
++			return RLM_MODULE_REJECT;
++		}
++		krb5_verify_opt_set_keytab(&krb_verify_options, keytab);
++	}
++
++	/* Verify aquired credentials against the keytab */
++
++	krb5_verify_opt_set_secure(&krb_verify_options, 1);
++
++	/* Allow us to use an arbitrary service name */
++
++        krb5_verify_opt_set_service(&krb_verify_options, service);
++
++	/* Verify the user, using the above set options */
++	ret = krb5_verify_user_opt(context, userP, pass, &krb_verify_options);
++
++	/* We are done with the keytab, close it */
++        ret2 =  krb5_kt_close(context, keytab);
++
++	if (ret == 0)
++		return RLM_MODULE_OK;
++
++	radlog(L_AUTH, "rlm_krb5: failed verify_user: %s (%s@%s )",
++	       error_message(ret),
++	       *userP->name.name_string.val,
++	       userP->realm);
++
++	return RLM_MODULE_REJECT;
+ }
+ 
+ #endif /* HEIMDAL_KRB5 */