diff --git a/SOURCES/Add-ability-to-expose-the-used-mechanism.patch b/SOURCES/Add-ability-to-expose-the-used-mechanism.patch
new file mode 100644
index 0000000..0352af8
--- /dev/null
+++ b/SOURCES/Add-ability-to-expose-the-used-mechanism.patch
@@ -0,0 +1,262 @@
+From 46caec4def9fd8df21e560db065b755e1d87354d Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Fri, 6 May 2022 22:54:45 +0200
+Subject: [PATCH 1/2] Add-ability-to-expose-the-used-mechanism.patch
+
+---
+ README | 15 +++++++++++++++
+ src/environ.c | 39 +++++++++++++++++++++++++++++++++++++++
+ src/environ.h | 2 ++
+ src/mod_auth_gssapi.c | 7 +++++++
+ src/mod_auth_gssapi.h | 1 +
+ tests/Makefile.am | 4 +++-
+ tests/httpd.conf | 15 +++++++++++++++
+ tests/magtests.py | 18 ++++++++++++++++++
+ tests/mech.html | 1 +
+ tests/t_mech_name.py | 19 +++++++++++++++++++
+ 10 files changed, 120 insertions(+), 1 deletion(-)
+ create mode 100644 tests/mech.html
+ create mode 100755 tests/t_mech_name.py
+
+diff --git a/README b/README
+index 654a8918cc1cd078d84b8e571596444e262e83af..bbf2657d47c9b111e20fdc2b76fde8799c76e3cd 100644
+--- a/README
++++ b/README
+@@ -109,6 +109,7 @@ Configuration Directives
+ [GssapiNameAttributes](#gssapinameattributes)<br>
+ [GssapiNegotiateOnce](#gssapinegotiateonce)<br>
+ [GssapiPublishErrors](#gssapipublisherrors)<br>
++[GssapiPublishMech](#gssapipublishmech)<br>
+ [GssapiRequiredNameAttributes](#gssapirequirednameattributes)<br>
+ [GssapiSessionKey](#gssapisessionkey)<br>
+ [GssapiSignalPersistentAuth](#gssapisignalpersistentauth)<br>
+@@ -527,3 +528,17 @@ Note: the value is specified in seconds.
+ Sets ticket/session validity to 10 hours.
+
+
++### GssapiPublishMech
++
++This option is used to publish the mech used for authentication as an
++Environment variable named GSS_MECH.
++
++It will return a string of the form 'Authtype/Mechname'.
++Authtype represents the type of auth performed by the module. Possible values
++are 'Basic', 'Negotiate', 'NTLM', 'Impersonate'.
++Mechname is the name of the mechanism as reported by GSSAPI or the OID of the
++mechanism if a name is not available. In case of errors the 'Unavailable'
++string may also be returned for either Authtype or Mechname.
++
++- **Enable with:** GssapiPublishMech On
++- **Default:** GssapiPublishMech Off
+\ No newline at end of file
+diff --git a/src/environ.c b/src/environ.c
+index 7ee56a1ba434d5c1041968fb3f64191340cb0ea7..71a8564284cafa62c4cbeaf7ab8484a48c064e66 100644
+--- a/src/environ.c
++++ b/src/environ.c
+@@ -498,3 +498,42 @@ void mag_publish_error(request_rec *req, uint32_t maj, uint32_t min,
+ if (mag_err)
+ apr_table_set(req->subprocess_env, "MAG_ERROR", mag_err);
+ }
++
++
++void mag_publish_mech(request_rec *req, struct mag_conn *mc,
++ const char *auth_type, gss_OID mech_type)
++{
++ gss_buffer_desc sasl_mech_name = GSS_C_EMPTY_BUFFER;
++ gss_buffer_desc mech_name = GSS_C_EMPTY_BUFFER;
++ gss_buffer_desc mech_description = GSS_C_EMPTY_BUFFER;
++ char *mechdata;
++ uint32_t maj, min;
++
++ maj = gss_inquire_saslname_for_mech(&min, mech_type, &sasl_mech_name,
++ &mech_name, &mech_description);
++ if (maj != GSS_S_COMPLETE) {
++ /* something failed, let's try to get a string OID */
++ /* and if that fails there is nothing we can do */
++ maj = gss_oid_to_str(&min, mech_type, &mech_name);
++ if (maj != GSS_S_COMPLETE) {
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req,
++ "Failed to source mechanism name or OID");
++ mech_name.value = strdup("Unavailable");
++ mech_name.length = strlen(mech_name.value);
++ }
++ }
++
++ mechdata = apr_psprintf(req->pool, "%s/%.*s", auth_type,
++ (int)mech_name.length,
++ (char *)mech_name.value);
++
++ apr_table_set(mc->env, "GSS_MECH", mechdata);
++
++ /* also log at info level */
++ ap_log_rerror(APLOG_MARK, APLOG_INFO|APLOG_NOERRNO, 0, req,
++ "User %s authenticated with %s", mc->gss_name, mechdata);
++
++ (void)gss_release_buffer(&min, &sasl_mech_name);
++ (void)gss_release_buffer(&min, &mech_name);
++ (void)gss_release_buffer(&min, &mech_description);
++}
+diff --git a/src/environ.h b/src/environ.h
+index 40bca9877f600246d19a3bf4be370310636ce6c7..b0813da6508df7c5594b51cada7712dc44393e44 100644
+--- a/src/environ.h
++++ b/src/environ.h
+@@ -18,3 +18,5 @@ void mag_publish_error(request_rec *req, uint32_t maj, uint32_t min,
+ const char *gss_err, const char *mag_err);
+ void mag_set_req_attr_fail(request_rec *req, struct mag_config *cfg,
+ struct mag_conn *mc);
++void mag_publish_mech(request_rec *req, struct mag_conn *mc,
++ const char *auth_type, gss_OID mech_type);
+diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c
+index c91aa60707ba9b237a84f95670d483f1a7eab86b..93c43308585cf140297de82e118a367f69d25a92 100644
+--- a/src/mod_auth_gssapi.c
++++ b/src/mod_auth_gssapi.c
+@@ -1289,6 +1289,10 @@ static int mag_complete(struct mag_req_cfg *req_cfg, struct mag_conn *mc,
+ mc->user_name = apr_pstrdup(mc->pool, mc->gss_name);
+ }
+
++ if (cfg->pubmech) {
++ mag_publish_mech(req, mc, mag_str_auth_type(mc->auth_type), mech_type);
++ }
++
+ mc->established = true;
+ if (req_cfg->use_sessions) {
+ mag_attempt_session(req_cfg, mc);
+@@ -1894,6 +1898,9 @@ static const command_rec mag_commands[] = {
+ AP_INIT_FLAG("GssapiPublishErrors", ap_set_flag_slot,
+ (void *)APR_OFFSETOF(struct mag_config, enverrs), OR_AUTHCFG,
+ "Publish GSSAPI Errors in Envionment Variables"),
++ AP_INIT_FLAG("GssapiPublishMech", ap_set_flag_slot,
++ (void *)APR_OFFSETOF(struct mag_config, pubmech), OR_AUTHCFG,
++ "Publish GSSAPI Mech Name in Envionment Variables"),
+ AP_INIT_RAW_ARGS("GssapiAcceptorName", mag_acceptor_name, NULL, OR_AUTHCFG,
+ "Name of the acceptor credentials."),
+ AP_INIT_TAKE1("GssapiBasicTicketTimeout", mag_basic_timeout, NULL,
+diff --git a/src/mod_auth_gssapi.h b/src/mod_auth_gssapi.h
+index 2312ab57f4b2e0bd50f191018b081a3ecb86f15a..8ab3bdc57be793cc493176c02910219e905900e9 100644
+--- a/src/mod_auth_gssapi.h
++++ b/src/mod_auth_gssapi.h
+@@ -91,6 +91,7 @@ struct mag_config {
+ struct mag_name_attributes *name_attributes;
+ const char *required_na_expr;
+ int enverrs;
++ int pubmech;
+ gss_name_t acceptor_name;
+ bool acceptor_name_from_req;
+ uint32_t basic_timeout;
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index c830e951d04316e4cbc76fa3b5961baedb516ec6..2ddb46ea30e6ebf9ff0b30278c609178d02c1efc 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -6,14 +6,16 @@ EXTRA_DIST = \
+ index.html \
+ localname.html \
+ magtests.py \
++ mech.html \
+ t_bad_acceptor_name.py \
+ t_basic_k5_fail_second.py \
+ t_basic_k5.py \
+ t_basic_k5_two_users.py \
+ t_basic_proxy.py \
+ t_basic_timeout.py \
+- t_localname.py \
+ t_hostname_acceptor.py \
++ t_localname.py \
++ t_mech_name.py \
+ t_nonego.py \
+ t_required_name_attr.py \
+ t_spnego_negotiate_once.py \
+diff --git a/tests/httpd.conf b/tests/httpd.conf
+index b3777574d9f0547560f24eff992fc1018569b5cc..775294b7d600e82c3955316a2d5b667c8b3c5581 100644
+--- a/tests/httpd.conf
++++ b/tests/httpd.conf
+@@ -331,3 +331,18 @@ CoreDumpDirectory "{HTTPROOT}"
+ GssapiSessionKey file:{HTTPROOT}/session.key
+ Require valid-user
+ </Location>
++
++<Location /mech_name>
++ Options +Includes
++ AddOutputFilter INCLUDES .html
++ AuthType GSSAPI
++ AuthName "Password Login"
++ GssapiSSLonly Off
++ GssapiCredStore ccache:{HTTPROOT}/tmp/httpd_krb5_ccache
++ GssapiCredStore client_keytab:{HTTPROOT}/http.keytab
++ GssapiCredStore keytab:{HTTPROOT}/http.keytab
++ GssapiBasicAuth On
++ GssapiBasicAuthMech krb5
++ GssapiPublishMech On
++ Require valid-user
++</Location>
+\ No newline at end of file
+diff --git a/tests/magtests.py b/tests/magtests.py
+index d100413b371e7ecf4e09d944b7ff6e9bec7e316f..9aba68f826a37a890bfefb62665697eef7d07dfa 100755
+--- a/tests/magtests.py
++++ b/tests/magtests.py
+@@ -786,6 +786,22 @@ def test_gss_localname(testdir, testenv, logfile):
+ return error_count
+
+
++def test_mech_name(testdir, testenv, logfile):
++ basicdir = os.path.join(testdir, 'httpd', 'html', 'mech_name')
++ os.mkdir(basicdir)
++ shutil.copy('tests/mech.html', basicdir)
++
++ mname = subprocess.Popen(["tests/t_mech_name.py"],
++ stdout=logfile, stderr=logfile,
++ env=testenv, preexec_fn=os.setsid)
++ mname.wait()
++ if mname.returncode != 0:
++ sys.stderr.write('MECH-NAME: FAILED\n')
++ return 1
++ sys.stderr.write('MECH-NAME: SUCCESS\n')
++ return 0
++
++
+ if __name__ == '__main__':
+ args = parse_args()
+
+@@ -847,6 +863,8 @@ if __name__ == '__main__':
+
+ errs += test_no_negotiate(testdir, testenv, logfile)
+
++ errs += test_mech_name(testdir, testenv, logfile)
++
+ # After this point we need to speed up httpd to test creds timeout
+ try:
+ fakeenv = faketime_setup(kdcenv)
+diff --git a/tests/mech.html b/tests/mech.html
+new file mode 100644
+index 0000000000000000000000000000000000000000..bb7b3cd5278f055e278a7dfde73c15aa400a6a17
+--- /dev/null
++++ b/tests/mech.html
+@@ -0,0 +1 @@
++<!--#echo var="GSS_MECH" -->
+diff --git a/tests/t_mech_name.py b/tests/t_mech_name.py
+new file mode 100755
+index 0000000000000000000000000000000000000000..69f451f2bbe58a16f61418f96eca26e7994bcb8a
+--- /dev/null
++++ b/tests/t_mech_name.py
+@@ -0,0 +1,19 @@
++#!/usr/bin/env python3
++# Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
++
++import os
++import requests
++from requests.auth import HTTPBasicAuth
++
++
++if __name__ == '__main__':
++ url = 'http://%s/mech_name/mech.html' % os.environ['NSS_WRAPPER_HOSTNAME']
++ r = requests.get(url, auth=HTTPBasicAuth(os.environ['MAG_USER_NAME'],
++ os.environ['MAG_USER_PASSWORD']))
++ if r.status_code != 200:
++ raise ValueError('Basic Auth Failed')
++
++ if r.text.rstrip() != 'Basic/krb5':
++ raise ValueError(
++ 'GSS_MECH check failed, expected Basic/krb5, got "%s"' %
++ r.text.rstrip())
+--
+2.35.3
+
diff --git a/SOURCES/Fix-gss-localname-test-to-work-with-older-gssapi-ver.patch b/SOURCES/Fix-gss-localname-test-to-work-with-older-gssapi-ver.patch
new file mode 100644
index 0000000..51d381f
--- /dev/null
+++ b/SOURCES/Fix-gss-localname-test-to-work-with-older-gssapi-ver.patch
@@ -0,0 +1,42 @@
+From 2b96860d8cfcf48a54e59e2ca30fc8fdeb2b9d55 Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Fri, 6 May 2022 22:54:45 +0200
+Subject: [PATCH 2/2]
+ Fix-gss-localname-test-to-work-with-older-gssapi-ver.patch
+
+---
+ tests/t_localname.py | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/tests/t_localname.py b/tests/t_localname.py
+index e990762c42aa9b370ac71292b5019fc63622c240..df94922b52673b5b7fd780ff3f319d22feb348ac 100755
+--- a/tests/t_localname.py
++++ b/tests/t_localname.py
+@@ -45,13 +45,22 @@ if __name__ == '__main__':
+
+ mech = None
+ if mech_name is not None:
+- mech = gssapi.mechs.Mechanism.from_sasl_name(mech_name)
++ try:
++ mech = gssapi.mechs.Mechanism.from_sasl_name(mech_name)
++ except AttributeError:
++ # older version of gssapi that does not support mechs
++ if mech_name == 'SPNEGO':
++ mech = '<Mechanism spnego (1.3.6.1.5.5.2)>'
++ elif mech_name == 'GS2-KRB5':
++ mech = '<Mechanism krb5 (1.2.840.113554.1.2.2)>'
++ else:
++ sys.exit(42) # SKIP
+
+ try:
+ auth = HTTPSPNEGOAuth(mech=mech)
+ use_requests(auth)
+ except TypeError:
+- # odler version of requests that does not support mechs
++ # older version of requests that does not support mechs
+ if mech_name == 'SPNEGO':
+ use_curl()
+ elif mech_name == 'GS2-KRB5':
+--
+2.35.3
+
diff --git a/SOURCES/Fix-gss_localname-with-SPNEGO-wrapping.patch b/SOURCES/Fix-gss_localname-with-SPNEGO-wrapping.patch
new file mode 100644
index 0000000..7b1c5de
--- /dev/null
+++ b/SOURCES/Fix-gss_localname-with-SPNEGO-wrapping.patch
@@ -0,0 +1,39 @@
+From 676ec5fe0b6c7c5126dbf84ef59ec4a5d5f87ede Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Tue, 26 Apr 2022 10:23:53 +0200
+Subject: [PATCH] Fix gss_localname with SPNEGO wrapping
+
+Fix implemented upstream by Simo
+---
+ src/mod_auth_gssapi.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c
+index b0999737daedf88fa84a9d8b1543bbedc79194ab..c91aa60707ba9b237a84f95670d483f1a7eab86b 100644
+--- a/src/mod_auth_gssapi.c
++++ b/src/mod_auth_gssapi.c
+@@ -1264,7 +1264,21 @@ static int mag_complete(struct mag_req_cfg *req_cfg, struct mag_conn *mc,
+ #endif
+
+ if (cfg->map_to_local) {
++ /* We have to play heuristics here as gss_localname does not work
++ * as expected with SPNEGO-wrapped names.
++ * http://krbdev.mit.edu/rt/Ticket/Display.html?id=8782
++ */
+ maj = gss_localname(&min, client, mech_type, &lname);
++ if (maj != GSS_S_COMPLETE) {
++ uint32_t sub_maj, sub_min;
++ /* try fallback with no oid */
++ sub_maj = gss_localname(&sub_min, client, GSS_C_NO_OID, &lname);
++ if (sub_maj != GSS_S_UNAVAILABLE) {
++ /* use second call errors only if they are meaningful */
++ maj = sub_maj;
++ min = sub_min;
++ }
++ }
+ if (maj != GSS_S_COMPLETE) {
+ mag_post_error(req, cfg, MAG_GSS_ERR, maj, min,
+ "gss_localname() failed");
+--
+2.35.1
+
diff --git a/SOURCES/tests-add-test-for-gss_localname.patch b/SOURCES/tests-add-test-for-gss_localname.patch
new file mode 100644
index 0000000..ab97f87
--- /dev/null
+++ b/SOURCES/tests-add-test-for-gss_localname.patch
@@ -0,0 +1,194 @@
+From 0dbf450a49784e2a750c667824e0e0249be575e4 Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Wed, 27 Apr 2022 18:18:22 +0200
+Subject: [PATCH] Add test for gss_localname
+
+Backport test for gss_localname implemented upstream by Simo
+---
+ tests/httpd.conf | 13 ++++++++++
+ tests/localname.html | 1 +
+ tests/magtests.py | 47 ++++++++++++++++++++++++++++++++-
+ tests/t_localname.py | 62 ++++++++++++++++++++++++++++++++++++++++++++
+ 4 files changed, 122 insertions(+), 1 deletion(-)
+ create mode 100644 tests/localname.html
+ create mode 100755 tests/t_localname.py
+
+diff --git a/tests/httpd.conf b/tests/httpd.conf
+index f76f2b671e02515e6d4effe09ab123dace90c023..b3777574d9f0547560f24eff992fc1018569b5cc 100644
+--- a/tests/httpd.conf
++++ b/tests/httpd.conf
+@@ -274,6 +274,19 @@ CoreDumpDirectory "{HTTPROOT}"
+ Require valid-user
+ </Location>
+
++<Location /gss_localname>
++ AuthType GSSAPI
++ AuthName "Login"
++ GssapiSSLonly Off
++ GssapiCredStore ccache:{HTTPROOT}/tmp/httpd_krb5_ccache
++ GssapiCredStore client_keytab:{HTTPROOT}/http.keytab
++ GssapiCredStore keytab:{HTTPROOT}/http.keytab
++ GssapiBasicAuth Off
++ GssapiAllowedMech krb5
++ GssapiLocalName On
++ Require valid-user
++</Location>
++
+ <VirtualHost *:{PROXYPORT}>
+ ProxyRequests On
+ ProxyVia On
+diff --git a/tests/localname.html b/tests/localname.html
+new file mode 100644
+index 0000000000000000000000000000000000000000..abf7c507de1eb32b31b882502eed5f2bbcc5fbf3
+--- /dev/null
++++ b/tests/localname.html
+@@ -0,0 +1 @@
++<!--#echo var="REMOTE_USER" -->
+diff --git a/tests/magtests.py b/tests/magtests.py
+index d0f0a67f075c6b631926e9abd91a665973d90f4a..d100413b371e7ecf4e09d944b7ff6e9bec7e316f 100755
+--- a/tests/magtests.py
++++ b/tests/magtests.py
+@@ -58,12 +58,20 @@ def setup_wrappers(base):
+ f.write('%s %s\n' % (WRAP_IPADDR, WRAP_ALIASNAME))
+ f.write('%s %s\n' % (WRAP_IPADDR, WRAP_FAILNAME))
+
++ passwd_file = os.path.join(testdir, 'passwd')
++ with open(passwd_file, 'w+') as f:
++ f.write('root:x:0:0:root:/root:/bin/sh')
++ f.write('maguser:x:1:1:maguser:/maguser:/bin/sh')
++ f.write('maguser2:x:2:2:maguser2:/maguser2:/bin/sh')
++ f.write('maguser3:x:3:3:maguser3:/maguser3:/bin/sh')
++
+ wenv = {'LD_PRELOAD': 'libsocket_wrapper.so libnss_wrapper.so',
+ 'SOCKET_WRAPPER_DIR': wrapdir,
+ 'SOCKET_WRAPPER_DEFAULT_IFACE': '9',
+ 'WRAP_PROXY_PORT': WRAP_PROXY_PORT,
+ 'NSS_WRAPPER_HOSTNAME': WRAP_HOSTNAME,
+- 'NSS_WRAPPER_HOSTS': hosts_file}
++ 'NSS_WRAPPER_HOSTS': hosts_file,
++ 'NSS_WRAPPER_PASSWD': passwd_file}
+ return wenv
+
+
+@@ -744,6 +752,40 @@ def http_restart(testdir, so_dir, testenv):
+ return httpproc
+
+
++def test_gss_localname(testdir, testenv, logfile):
++ hdir = os.path.join(testdir, 'httpd', 'html', 'gss_localname')
++ os.mkdir(hdir)
++ shutil.copy('tests/localname.html', os.path.join(hdir, 'index.html'))
++ error_count = 0
++
++ # Make sure spnego is explicitly tested
++ spnego = subprocess.Popen(["tests/t_localname.py", "SPNEGO"],
++ stdout=logfile, stderr=logfile,
++ env=testenv, preexec_fn=os.setsid)
++ spnego.wait()
++ if spnego.returncode != 0:
++ sys.stderr.write('LOCALNAME(SPNEGO): FAILED\n')
++ error_count += 1
++ else:
++ sys.stderr.write('LOCALNAME(SPNEGO): SUCCESS\n')
++
++ # and bare krb5 (GS2-KRB5 is the name used by SASL for it)
++ krb5 = subprocess.Popen(["tests/t_localname.py", "GS2-KRB5"],
++ stdout=logfile, stderr=logfile,
++ env=testenv, preexec_fn=os.setsid)
++ krb5.wait()
++ if krb5.returncode != 0:
++ if krb5.returncode == 42:
++ sys.stderr.write('LOCALNAME(KRB5): SKIPPED\n')
++ else:
++ sys.stderr.write('LOCALNAME(KRB5): FAILED\n')
++ error_count += 1
++ else:
++ sys.stderr.write('LOCALNAME(KRB5): SUCCESS\n')
++
++ return error_count
++
++
+ if __name__ == '__main__':
+ args = parse_args()
+
+@@ -781,6 +823,9 @@ if __name__ == '__main__':
+
+ errs += test_bad_acceptor_name(testdir, testenv, logfile)
+
++ testenv['MAG_REMOTE_USER'] = USR_NAME
++ errs += test_gss_localname(testdir, testenv, logfile)
++
+ rpm_path = "/usr/lib64/krb5/plugins/preauth/pkinit.so"
+ deb_path = "/usr/lib/x86_64-linux-gnu/krb5/plugins/preauth/pkinit.so"
+ if os.path.exists(rpm_path) or os.path.exists(deb_path):
+diff --git a/tests/t_localname.py b/tests/t_localname.py
+new file mode 100755
+index 0000000000000000000000000000000000000000..e990762c42aa9b370ac71292b5019fc63622c240
+--- /dev/null
++++ b/tests/t_localname.py
+@@ -0,0 +1,62 @@
++#!/usr/bin/env python3
++# Copyright (C) 2020 - mod_auth_gssapi contributors, see COPYING for license.
++
++import os
++import subprocess
++import sys
++
++import gssapi
++
++import requests
++
++from requests_gssapi import HTTPSPNEGOAuth
++
++
++def use_requests(auth):
++ sess = requests.Session()
++ url = 'http://%s/gss_localname/' % os.environ['NSS_WRAPPER_HOSTNAME']
++
++ r = sess.get(url, auth=auth)
++ if r.status_code != 200:
++ raise ValueError('Localname failed')
++
++ if r.text.rstrip() != os.environ['MAG_REMOTE_USER']:
++ raise ValueError('Localname, REMOTE_USER check failed')
++
++
++def use_curl():
++ url = 'http://%s/gss_localname/' % os.environ['NSS_WRAPPER_HOSTNAME']
++ curl = subprocess.Popen(["curl", "--negotiate", "-u:", url],
++ stdout=subprocess.PIPE)
++ curl.wait()
++ if curl.returncode != 0:
++ raise ValueError('Localname failed')
++
++ line = curl.stdout.read().strip(b' \t\n\r').decode('utf-8')
++ if line != os.environ['MAG_REMOTE_USER']:
++ raise ValueError('Localname, REMOTE_USER check failed (%s != %s)' % (
++ line, os.environ['MAG_REMOTE_USER']))
++
++
++if __name__ == '__main__':
++ mech_name = None
++ if len(sys.argv) > 1:
++ mech_name = sys.argv[1]
++
++ mech = None
++ if mech_name is not None:
++ mech = gssapi.mechs.Mechanism.from_sasl_name(mech_name)
++
++ try:
++ auth = HTTPSPNEGOAuth(mech=mech)
++ use_requests(auth)
++ except TypeError:
++ # odler version of requests that does not support mechs
++ if mech_name == 'SPNEGO':
++ use_curl()
++ elif mech_name == 'GS2-KRB5':
++ # older request versions use krb5 as the mech by default
++ auth = HTTPSPNEGOAuth()
++ use_requests(auth)
++ else:
++ sys.exit(42) # SKIP
+--
+2.35.1
+
diff --git a/SPECS/mod_auth_gssapi.spec b/SPECS/mod_auth_gssapi.spec
index 7a32d0f..b8b119c 100644
--- a/SPECS/mod_auth_gssapi.spec
+++ b/SPECS/mod_auth_gssapi.spec
@@ -1,6 +1,6 @@
Name: mod_auth_gssapi
Version: 1.6.1
-Release: 7.1%{?dist}
+Release: 9%{?dist}
Summary: A GSSAPI Authentication module for Apache
Group: System Environment/Daemons
@@ -20,6 +20,10 @@ Patch9: tests-Fixup-virtualenv-handling.patch
Patch10: tests-Don-t-override-the-specific-environment-by-the.patch
Patch11: Fix-PATH-handling-bug-in-test-suite.patch
Patch12: Move-to-python3-by-default.patch
+Patch13: Fix-gss_localname-with-SPNEGO-wrapping.patch
+Patch14: tests-add-test-for-gss_localname.patch
+Patch15: Add-ability-to-expose-the-used-mechanism.patch
+Patch16: Fix-gss-localname-test-to-work-with-older-gssapi-ver.patch
BuildRequires: httpd-devel, krb5-devel, openssl-devel, autoconf, automake, libtool
BuildRequires: gssntlmssp-devel
@@ -57,6 +61,18 @@ install -m 644 10-auth_gssapi.conf %{buildroot}%{_httpd_modconfdir}
%{_httpd_moddir}/mod_auth_gssapi.so
%changelog
+* Thu Apr 28 2022 Francisco Trivino <ftrivino@redhat.com> 1.6.1-9
+- Add missing repos to the osci tests
+- Fix gss localname test to work with older gssapi version
+- Resolves: #2083122
+- Add ability to expose the used mechanism
+- Resolves: #2046231
+
+* Wed Apr 27 2022 Francisco Trivino <ftrivino@redhat.com> 1.6.1-8
+- Add test for gss_localname
+- Fix gss_localname with SPNEGO wrapping
+- Resolves: #1787630
+
* Mon Oct 12 2020 Robbie Harwood <rharwood@redhat.com> 1.6.1-7.1
- Bang on gating until the environment gives up
- Resolves: #1866149