@simo5 simo5 commented Nov 27, 2015

No description provided.

simo5 added a commit to simo5/mod_auth_gssapi that referenced this pull request Nov 30, 2015
This code allows to specify which attributes in a name are interesting
to the application and set them as named environment variables.
Optionally the whole set of attributes can be exported in a json
formatted structure.

Signed-off-by: Simo Sorce <simo@redhat.com>

Close gssapi#62
Close gssapi#63

iboukris commented Dec 1, 2015

I get segfault with "GssapiNameAttributes json" configuration.
I'm testing negotiate/krb with MS AD 2k3 so 'urn:mspac' should be there I guess.

Program received signal SIGSEGV, Segmentation fault.
apr_table_set (t=0x80233e88, key=0x0, val=0x80237630 "(null)") at tables/apr_tables.c:509
509         COMPUTE_KEY_CHECKSUM(key, checksum);
(gdb) bt
#0  apr_table_set (t=0x80233e88, key=0x0, val=0x80237630 "(null)") at tables/apr_tables.c:509
#1  0xb699237e in mag_set_env_name_attr (req=<optimized out>, req=<optimized out>, attr=0xbffff010) at environ.c:41
#2  mag_set_name_attributes (cfg=0x801194e0, displayname=0x80236ea0 "avi@FRENCHE.CP", name=0x8024e788, req=0x802338f8)
    at environ.c:155
#3  mag_set_environ (cfg=cfg@entry=0x801194e0, req=req@entry=0x802338f8, name=0x8024e788,
    clientname=clientname@entry=0x80236ea0 "avi@FRENCHE.CP", expiration=expiration@entry=1449039945) at environ.c:186
#4  0xb698f339 in mag_auth (req=0x802338f8) at mod_auth_gssapi.c:940
#5  0x80030a26 in ap_run_check_user_id (r=r@entry=0x802338f8) at request.c:81
#6  0x800344ac in ap_process_request_internal (r=r@entry=0x802338f8) at request.c:273
#7  0x80054978 in ap_process_async_request (r=r@entry=0x802338f8) at http_request.c:336
#8  0x80054b12 in ap_process_request (r=r@entry=0x802338f8) at http_request.c:373
#9  0x800506f6 in ap_process_http_sync_connection (c=0x8021f570) at http_core.c:210
#10 ap_process_http_connection (c=0x8021f570) at http_core.c:251
#11 0x80047226 in ap_run_process_connection (c=0x8021f570) at connection.c:41
#12 0x800476ef in ap_process_connection (c=c@entry=0x8021f570, csd=0x8021f3d8) at connection.c:213
#13 0xb76adecb in child_main (child_num_arg=child_num_arg@entry=0) at prefork.c:707
#14 0xb76ae115 in make_child (s=0x800a8e08, slot=slot@entry=0) at prefork.c:749
#15 0xb76af091 in prefork_run (_pconf=0x800840c8, plog=0x800aa9c0, s=0x800a8e08) at prefork.c:966
#16 0x8001df0e in ap_run_mpm (pconf=0x800840c8, plog=0x800aa9c0, s=0x800a8e08) at mpm_common.c:94
#17 0x8001633b in main (argc=2, argv=0xbffff724) at main.c:777


iboukris commented Dec 1, 2015

This stops the crash but is not necessarily correct.

diff --git a/src/environ.c b/src/environ.c
index 1c04c43..dfc30b7 100644
--- a/src/environ.c
+++ b/src/environ.c
@@ -152,7 +152,7 @@ static void mag_set_name_attributes(struct mag_config *cfg, request_rec *req,
             if (cfg->name_attributes->output_json) {
                 mag_add_json_name_attr(req, i == 0, &attr, &json);
             }
-            mag_set_env_name_attr(req, &attr);
+            if (cfg->name_attributes->map_count) mag_set_env_name_attr(req, &attr);

             gss_release_buffer(&min, &attr.value);
             gss_release_buffer(&min, &attr.display_value);
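
Review bot: The `map_count` guard on the added line only covers the configuration where no mappings are set, while the backtrace above shows `apr_table_set` receiving `key=0x0` from inside `mag_set_env_name_attr`. The check belongs in that function: return early when there is no environment variable name for the attribute, which would also cover any other path that reaches it with a NULL key. If the guard stays at the call site, give the `if` braces and its own line so it matches the `output_json` block just above it.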


iboukris commented Dec 1, 2015

And btw that's the json I get (I thought I'd see the name of the attribute).

{"name":"avi@FRENCHE.CP","attributes":{,("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","(null)")]],("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","(null)")]],("gFpxC3ws0QEGAGEAdgBpAA==","(null)")]],("dv///wB0e7Y3BJ5s+Xmx+PeyAKk=","(null)")]],("dv///1urMv/BRy09Yosvns58OEE=","(null)")]]}}


iboukris commented Dec 1, 2015

Also, when I try "GssapiNameAttributes GSS_MS_PAC urn:mspac:" I get:

[Wed Dec 02 00:23:53.443306 2015] [auth_gssapi:error] [pid 21169] Invalid Name Attributes value [GSS_MS_PAC].
[Wed Dec 02 00:23:53.444018 2015] [auth_gssapi:error] [pid 21169] Invalid Name Attributes value [urn:mspac:].
*** Error in `/usr/sbin/httpd': double free or corruption (!prev): 0x80100a40 ***
======= Backtrace: =========
/lib/libc.so.6(+0x6ce09)[0xb7af1e09]
/lib/libc.so.6(+0x74406)[0xb7af9406]
/lib/libc.so.6(cfree+0x56)[0xb7afd676]
/etc/httpd/modules/mod_auth_gssapi.so(+0x2e7c)[0xb698ce7c]
/lib/libapr-1.so.0(apr_pool_clear+0x7e)[0xb7c8e5fe]
/usr/sbin/httpd(main+0xb4c)[0x8001613c]
/lib/libc.so.6(__libc_start_main+0xde)[0xb7a9ce7e]
/usr/sbin/httpd(+0x164b6)[0x800164b6]


simo5 commented Dec 1, 2015

Ah silly me, I did not push to the right repo, I fixed this problem.
Let me rebase the github PR.

simo5 added a commit to simo5/mod_auth_gssapi that referenced this pull request Dec 1, 2015
simo5 added a commit to simo5/mod_auth_gssapi that referenced this pull request Dec 1, 2015

simo5 commented Dec 1, 2015

I should have fixed all the issues you have identified, and rebased this PR


simo5 commented Dec 1, 2015

I am reviving an AD environment of mine to test with the mspac attributes


iboukris commented Dec 1, 2015

Now the json looks good:
{"name":"avi@FRENCHE.CP","attributes":{"urn:mspac:":[1,1,[("BAAAAAAAAAABAAAAAAIAAEgAAAAAAAAACgAAABAAAABIAgAAAAAAAAYAAAAUAAAAWAIAAAAAAAAHAAAAFAAAAHACAAAAAAAAARAIAMzMzMzwAQAAAAAAAAAAAgAcofoAfCzRAf////////9//////////38u9aEU8T/QAS61Cz+6QNAB/////////38GAAYABAACAAYABgAIAAIAAAAAAAwAAgAAAAAAEAACAAAAAAAUAAIAAAAAABgAAgCxAQAAWAQAAAECAAADAAAAHAACACAAAAAAAAAAAAAAAAAAAAAAAAAABAAGACAAAgAOABAAJAACACgAAgAAAAAAAAAAABACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAACwAAgAAAAAAAAAAAAAAAAADAAAAAAAAAAMAAABhAHYAaQAAAAMAAAAAAAAAAwAAAGEAdgBpAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwAAAGYEAAAHAAAAAQIAAAcAAAB7BAAABwAAAAMAAAAAAAAAAgAAAE0AUwAIAAAAAAAAAAcAAABGAFIARQBOAEMASABFAAAABAAAAAEEAAAAAAAFFQAAAB6jRAlKgY3PAV2JqQIAAAAwAAIABwAAIDQAAgAHAAAgBQAAAAEFAAAAAAAFFQAAAB6jRAlKgY3PAV2JqXoEAAAFAAAAAQUAAAAAAAUVAAAAHqNECUqBjc8BXYmpVgQAAAAAAACAWnELfCzRAQYAYQB2AGkAdv///wB0e7Y3BJ5s+Xmx+PeyAKkAAAAAdv///1urMv/BRy09Yosvns58OEEAAAAA","(null)")]],"urn:mspac:logon-info":[1,1,[("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","(null)")]],"urn:mspac:client-info":[1,1,[("gFpxC3ws0QEGAGEAdgBpAA==","(null)")]],"urn:mspac:server-checksum":[1,1,[("dv///wB0e7Y3BJ5s+Xmx+PeyAKk=","(null)")]],"urn:mspac:privsvr-checksum":[1,1,[("dv///1urMv/BRy09Yosvns58OEE=","(null)")]]}}

But the two variables I configured are not set:
GssapiNameAttributes GSS_MS_PAC urn:mspac:
GssapiNameAttributes GSS_MS_PAC_CI urn:mspac:client-info
Gives:
GSS_MS_PAC: (null)
GSS_MS_PAC_CI: (null)

I'll test some more tomorrow.


simo5 commented Dec 1, 2015

I have an env now to reproduce, I think though this is normal because those mspac attributes do not have a display name (I am looking at MIT code and no display_name is ever returned for MSPAC attributes).

I guess I am going to make the code fall back to the raw value if display_name is NULL.

simo5 added a commit to simo5/mod_auth_gssapi that referenced this pull request Dec 2, 2015

simo5 commented Dec 2, 2015

Ok now a b64 encoded raw value is returned if display_value is not available.


simo5 commented Dec 2, 2015

@Frenche I have all working now I think, if you can test and ack I'll push to master.


iboukris commented Dec 2, 2015

Looks good.

Maybe we can give a little more thought to the json format.
I want to test json_decode with php and see how it feels.


simo5 commented Dec 2, 2015

Ok, I am rewriting part of the patch to be able to preserve env vars when connection bound is set.
And potentially also when using a session if we use something else instead of a cookie in future and have more space.

Contributor

Looks like the round brackets aren't needed, json_decode and js-eval fail with them.


iboukris commented Dec 2, 2015

Here's what I get and what I would have liked to see (visual: http://json.parser.online.fr/).

Current:

{"name":"avi@FRENCHE.CP","attributes":{"urn:mspac:":[1,1,[("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","")]],"urn:mspac:logon-info":[1,1,[("ARAIAMzMzMzwAQAAAAAAAAAAAgAirowLfCzRAf////////9//////////38u9aEU8T/QAS61Cz+6QNAB/////////38GAAYABAACAAYABgAIAAIAAAAAAAwAAgAAAAAAEAACAAAAAAAUAAIAAAAAABgAAgCyAQAAWAQAAAECAAADAAAAHAACACAAAAAAAAAAAAAAAAAAAAAAAAAABAAGACAAAgAOABAAJAACACgAAgAAAAAAAAAAABACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAACwAAgAAAAAAAAAAAAAAAAADAAAAAAAAAAMAAABhAHYAaQAAAAMAAAAAAAAAAwAAAGEAdgBpAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwAAAGYEAAAHAAAAAQIAAAcAAAB7BAAABwAAAAMAAAAAAAAAAgAAAE0AUwAIAAAAAAAAAAcAAABGAFIARQBOAEMASABFAAAABAAAAAEEAAAAAAAFFQAAAB6jRAlKgY3PAV2JqQIAAAAwAAIABwAAIDQAAgAHAAAgBQAAAAEFAAAAAAAFFQAAAB6jRAlKgY3PAV2JqXoEAAAFAAAAAQUAAAAAAAUVAAAAHqNECUqBjc8BXYmpVgQAAAAAAAA=","")]],"urn:mspac:client-info":[1,1,[("gOGPEDAt0QEGAGEAdgBpAA==","")]],"urn:mspac:server-checksum":[1,1,[("dv///9RN+pmTXHB7X/OwDx1RXo0=","")]],"urn:mspac:privsvr-checksum":[1,1,[("dv///+XnjFDw2vhc6d6M2sxvjms=","")]]}}

Like:

{"name":"avi@FRENCHE.CP","attributes":{"urn:mspac:":{"authenticated":true, "complete":true,"display_value":null,"raw_value_b64":"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"},"urn:mspac:logon-info":{"authenticated":true,"complete":true,"display_value":null,"raw_value_b64":"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"},"urn:mspac:client-info":{"authenticated":true,"complete":true,"display_value":null,"raw_value_b64":"gOGPEDAt0QEGAGEAdgBpAA=="},"urn:mspac:server-checksum":{"authenticated":true,"complete":true,"display_value":null,"raw_value_b64":"dv///9RN+pmTXHB7X/OwDx1RXo0="},"urn:mspac:privsvr-checksum":{"authenticated":true,"complete":true,"display_value":null,"raw_value_b64":"dv///+XnjFDw2vhc6d6M2sxvjms="}}}


simo5 commented Dec 2, 2015

I forgot that json does not have tuples, and you are supposed to turn them into lists.

Is null an actual valid value?

The reason why I used a list of tuples is that a name attribute may have multiple values, your syntax does not allow that. At least for values I will have a list of tuples (rendered as list), I can use a dictionary for the outer values like authenticated and complete.

In preparation for the next commit.

Signed-off-by: Simo Sorce <simo@redhat.com>

iboukris commented Dec 2, 2015

yea, null / true / false

I think a list of values could be represented as: "values":[null,"dv///9RN+pmTXHB7X/OwDx1RXo0="]

but how the app will distinguish between the display_value to the raw_b64 (isn't that what they are? could there be more values?)

simo5 added a commit to simo5/mod_auth_gssapi that referenced this pull request Dec 3, 2015

simo5 commented Dec 3, 2015

Ok I changed the patches so that now we store attributes in the mc context.
I create a temporary one now in all cases, and export the environment from attributes stored in this context.
The function that reads the name attributes puts them there.

It works with basic auth, could you test if it keeps working properly with Connection-bound ?


simo5 commented Dec 3, 2015

On Wed, 2015-12-02 at 15:49 -0800, Isaac Boukris wrote:

> yea, null / true / false
>
> I think a list of values could be represented as: "values":[null,"dv///9RN+pmTXHB7X/OwDx1RXo0="]
>
> but how the app will distinguish between the display_value to the raw_b64 (isn't that what they are? could there be more values?)

the list will have to be:
"values":[["first_raw_value","first_display_value"],
["second_raw_value","second_display_value"], ...]

Yes name attributes can be multivalued.

Simo.

Simo Sorce * Red Hat, Inc * New York

simo5 added a commit to simo5/mod_auth_gssapi that referenced this pull request Dec 3, 2015

simo5 commented Dec 3, 2015

@Frenche and now updated to a better json.
I tested that it loads in python with
import json
json.loads(json_output)

I had to use lists as mentioned above but I changed the attributes to use dictionaries and named boolean values for "authenticated" and "completed", as well as returning 'null' for empty values.


iboukris commented Dec 3, 2015

@simo5 - it looks good but the app would still wanna know what type of value it looks at.

Perhaps instead of:
{"urn:mspac:privsvr-checksum":{"authenticated":true,"complete":true,"values":[["dv///6qczIWKWjBjcVHy35ZWpsA=",null]]}}

We can do (still allowing multiple values):
{"urn:mspac:privsvr-checksum":{"authenticated":true,"complete":true,"values":[{"display":null,"raw_b64":"dv///6qczIWKWjBjcVHy35ZWpsA="}]}}

simo5 commented Dec 3, 2015

Ok I added a dict in the list as you proposed, the values are "display" and "raw", no need to specify b64 in the name IMO.
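
A consumer-side sketch of the format settled on in this thread, as an added example that is not part of the pull request or of mod_auth_gssapi. It assumes the outer `name`/`attributes` layout from the earlier outputs with `raw`/`display` value objects; the `urn:example:unverified` attribute, the shortened tuple sample, and the policy of skipping attributes not flagged `authenticated` are constructed for illustration.

```python
import base64
import binascii
import json

# Constructed sample in the shape agreed in this thread; "urn:example:unverified"
# is a made-up attribute added to exercise the authenticated=false path.
SAMPLE = (
    '{"name":"avi@FRENCHE.CP","attributes":{'
    '"urn:mspac:privsvr-checksum":{"authenticated":true,"complete":true,'
    '"values":[{"raw":"dv///6qczIWKWjBjcVHy35ZWpsA=","display":null}]},'
    '"urn:example:unverified":{"authenticated":false,"complete":true,'
    '"values":[{"raw":"Z3Vlc3Q=","display":"guest"}]}}}'
)
# The earlier tuple-style rendering (shortened): round brackets are not JSON.
TUPLE_FORM = '{"attributes":{"urn:mspac:client-info":[1,1,[("gFpxC3ws0QEGAGEAdgBpAA==","(null)")]]}}'


def parse_name_attributes(text, require_authenticated=True):
    """Return (name, {attribute: [(raw_bytes_or_None, display_or_None), ...]}).

    Raises ValueError on any unexpected shape so a malformed export is
    rejected as a whole rather than partially trusted.
    """
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"not valid JSON: {exc.msg}") from exc
    if not isinstance(doc, dict) or not isinstance(doc.get("attributes"), dict):
        raise ValueError("missing 'attributes' object")
    result = {}
    for attr, body in doc["attributes"].items():
        if not isinstance(body, dict) or not isinstance(body.get("values"), list):
            raise ValueError(f"{attr}: unexpected shape")
        # Consumer policy (assumption): ignore anything not flagged literal true.
        if require_authenticated and body.get("authenticated") is not True:
            continue
        values = []
        for item in body["values"]:
            if not isinstance(item, dict):
                raise ValueError(f"{attr}: value is not an object")
            raw = item.get("raw")
            if raw is not None:
                try:
                    raw = base64.b64decode(raw, validate=True)
                except (binascii.Error, TypeError, ValueError) as exc:
                    raise ValueError(f"{attr}: bad base64") from exc
            values.append((raw, item.get("display")))
        result[attr] = values
    return doc.get("name"), result
```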


iboukris commented Dec 3, 2015

It looks good to me.

One little thing though - it looks as if attributes may repeat themselves, like in ms-pac 'urn:mspac:' clearly contains the other ones.
So maybe we should let the admin choose what he wants to get in the json format, something like:
GssapiNameAttributesJson [attr_a attr_b | all]


iboukris commented Dec 3, 2015

BTW the JSON idea is really nice, maybe we can take it a step further and extract (ndr decode) the KERB_VALIDATION_INFO struct into a json class (and perhaps other goodies).

Imagine we reveal all this info nicely to the app:
https://msdn.microsoft.com/en-gb/library/cc237948.aspx


simo5 commented Dec 3, 2015

I'll take the last 2 messages as an ack :-)
On json, I do not want to make it more complex. If the application is interested only in one attribute they should explicitly ask for the attribute and not the json format.

On unfolding MSPAC, that is a request for the display_value (ie RFE for MIT kerberos/Heimdal) and not the mod_auth_gssapi job IMHO. In any case this is something we can discuss in a separate RFE.

@simo5 simo5 merged commit 7f11db9 into gssapi:master Dec 3, 2015

iboukris commented Dec 3, 2015

Thanks for the clarifications!
