Exemple #1
0
int
rsAuthResponse (rsComm_t *rsComm, authResponseInp_t *authResponseInp)
{
   int status;
   char *bufp;
   authCheckInp_t authCheckInp;
   authCheckOut_t *authCheckOut = NULL;
   rodsServerHost_t *rodsServerHost;

   char digest[RESPONSE_LEN+2];
   char md5Buf[CHALLENGE_LEN+MAX_PASSWORD_LEN+2];
   char serverId[MAX_PASSWORD_LEN+2];
   MD5_CTX context;

   bufp = _rsAuthRequestGetChallenge();

   /* need to do NoLogin because it could get into inf loop for cross 
    * zone auth */

   status = getAndConnRcatHostNoLogin (rsComm, SLAVE_RCAT, 
    rsComm->proxyUser.rodsZone, &rodsServerHost);
   if (status < 0) {
      return(status);
   }

   memset (&authCheckInp, 0, sizeof (authCheckInp)); 
   authCheckInp.challenge = bufp;
   authCheckInp.response = authResponseInp->response;
   authCheckInp.username = authResponseInp->username;

   if (rodsServerHost->localFlag == LOCAL_HOST) {
      status = rsAuthCheck (rsComm, &authCheckInp, &authCheckOut);
   } else {
      status = rcAuthCheck (rodsServerHost->conn, &authCheckInp, &authCheckOut);
      /* not likely we need this connection again */
      rcDisconnect(rodsServerHost->conn);
      rodsServerHost->conn = NULL;
   }
   if (status < 0) {
      rodsLog (LOG_NOTICE,
            "rsAuthResponse: rxAuthCheck failed, status = %d", status);
      return (status);
   }

   if (rodsServerHost->localFlag != LOCAL_HOST) {
      if (authCheckOut->serverResponse == NULL) {
	 rodsLog(LOG_NOTICE, "Warning, cannot authenticate remote server, no serverResponse field");
	 if (requireServerAuth) {
	    rodsLog(LOG_NOTICE, "Authentication disallowed, no serverResponse field");
	    return(REMOTE_SERVER_AUTH_NOT_PROVIDED);
	 }
      }
      else {
	 char *cp;
	 int OK, len, i;
	 if (*authCheckOut->serverResponse == '\0') {
	    rodsLog(LOG_NOTICE, "Warning, cannot authenticate remote server, serverResponse field is empty");
	    if (requireServerAuth) { 
	       rodsLog(LOG_NOTICE, "Authentication disallowed, empty serverResponse");
	       return(REMOTE_SERVER_AUTH_EMPTY);  
	    }
	 }
	 else {
	    char username2[NAME_LEN+2];
	    char userZone[NAME_LEN+2];
	    memset(md5Buf, 0, sizeof(md5Buf));
	    strncpy(md5Buf, authCheckInp.challenge, CHALLENGE_LEN);
	    parseUserName(authResponseInp->username, username2, userZone);
	    getZoneServerId(userZone, serverId);
	    len = strlen(serverId);
	    if (len <= 0) {
	       rodsLog (LOG_NOTICE, "rsAuthResponse: Warning, cannot authenticate the remote server, no RemoteZoneSID defined in server.config", status);
	       if (requireServerAuth) {
		  rodsLog(LOG_NOTICE, "Authentication disallowed, no RemoteZoneSID defined");
		  return(REMOTE_SERVER_SID_NOT_DEFINED);  
	       }
	    }
	    else { 
	       strncpy(md5Buf+CHALLENGE_LEN, serverId, len);
	       MD5Init (&context);
	       MD5Update (&context, (unsigned char*)md5Buf, 
			  CHALLENGE_LEN+MAX_PASSWORD_LEN);
	       MD5Final ((unsigned char*)digest, &context);
	       for (i=0;i<RESPONSE_LEN;i++) {
		  if (digest[i]=='\0') digest[i]++;  /* make sure 'string' doesn't
							end early*/
	       }
	       cp = authCheckOut->serverResponse;
	       OK=1;
	       for (i=0;i<RESPONSE_LEN;i++) {
		  if (*cp++ != digest[i]) OK=0;
	       }
	       rodsLog(LOG_DEBUG, "serverResponse is OK/Not: %d", OK);
	       if (OK==0) {
		  rodsLog(LOG_NOTICE, "Server response incorrect, authentication disallowed");
		  return(REMOTE_SERVER_AUTHENTICATION_FAILURE);
	       }
	    }
	 }
      }
   }

   /* Set the clientUser zone if it is null. */
   if (strlen(rsComm->clientUser.rodsZone)==0) {
      zoneInfo_t *tmpZoneInfo;
      status = getLocalZoneInfo (&tmpZoneInfo);
      if (status < 0) {
	 free (authCheckOut);
	 return status;
      }
      strncpy(rsComm->clientUser.rodsZone,
	      tmpZoneInfo->zoneName, NAME_LEN);
   }


   /* have to modify privLevel if the icat is a foreign icat because
    * a local user in a foreign zone is not a local user in this zone
    * and vice vera for a remote user
    */
   if (rodsServerHost->rcatEnabled == REMOTE_ICAT) {
      /* proxy is easy because rodsServerHost is based on proxy user */
        if (authCheckOut->privLevel == LOCAL_PRIV_USER_AUTH)
            authCheckOut->privLevel = REMOTE_PRIV_USER_AUTH;
        else if (authCheckOut->privLevel == LOCAL_PRIV_USER_AUTH)
            authCheckOut->privLevel = REMOTE_PRIV_USER_AUTH;

	/* adjust client user */
	if (strcmp (rsComm->proxyUser.userName, rsComm->clientUser.userName) 
	  == 0) {
            authCheckOut->clientPrivLevel = authCheckOut->privLevel;
	} else {
	    zoneInfo_t *tmpZoneInfo;
	    status = getLocalZoneInfo (&tmpZoneInfo);
            if (status < 0) {
                free (authCheckOut);
                return status;
            }

	    if (strcmp (tmpZoneInfo->zoneName, rsComm->clientUser.rodsZone)
	      == 0) {
		/* client is from local zone */
        	if (authCheckOut->clientPrivLevel == REMOTE_PRIV_USER_AUTH) {
                    authCheckOut->clientPrivLevel = LOCAL_PRIV_USER_AUTH;
		} else if (authCheckOut->clientPrivLevel == REMOTE_USER_AUTH) {
                    authCheckOut->clientPrivLevel = LOCAL_USER_AUTH;
		}
	    } else {
		/* client is from remote zone */
                if (authCheckOut->clientPrivLevel == LOCAL_PRIV_USER_AUTH) {
                    authCheckOut->clientPrivLevel = REMOTE_USER_AUTH;
                } else if (authCheckOut->clientPrivLevel == LOCAL_USER_AUTH) {
                    authCheckOut->clientPrivLevel = REMOTE_USER_AUTH;
                }
	    }
	}
   } else if (strcmp (rsComm->proxyUser.userName, rsComm->clientUser.userName)
    == 0) {
        authCheckOut->clientPrivLevel = authCheckOut->privLevel;
   }

   status = chkProxyUserPriv (rsComm, authCheckOut->privLevel);

   if (status < 0) {
      free (authCheckOut);
      return status;
   } 

   rodsLog(LOG_NOTICE,
    "rsAuthResponse set proxy authFlag to %d, client authFlag to %d, user:%s proxy:%s client:%s",
          authCheckOut->privLevel,
          authCheckOut->clientPrivLevel,
          authCheckInp.username,
          rsComm->proxyUser.userName,
          rsComm->clientUser.userName);

   if (strcmp (rsComm->proxyUser.userName, rsComm->clientUser.userName) != 0) {
      rsComm->proxyUser.authInfo.authFlag = authCheckOut->privLevel;
      rsComm->clientUser.authInfo.authFlag = authCheckOut->clientPrivLevel;
   } else {	/* proxyUser and clientUser are the same */
      rsComm->proxyUser.authInfo.authFlag =
      rsComm->clientUser.authInfo.authFlag = authCheckOut->privLevel;
   } 

   /*** Added by RAJA Nov 16 2010 **/
   if (authCheckOut->serverResponse != NULL) free(authCheckOut->serverResponse);
   /*** Added by RAJA Nov 16 2010 **/
   free (authCheckOut);

   return (status);
} 
int
rsAuthCheck (rsComm_t *rsComm, authCheckInp_t *authCheckInp, 
		authCheckOut_t **authCheckOut)
{
#ifdef RODS_CAT
   int status;
   int privLevel;
   int clientPrivLevel;
   authCheckOut_t *result;
   unsigned char *digest;
   char md5Buf[CHALLENGE_LEN+MAX_PASSWORD_LEN+2];
   char ServerID[MAX_PASSWORD_LEN+2];

   *authCheckOut = (authCheckOut_t*)malloc(sizeof(authCheckOut_t));
   memset((char *)*authCheckOut, 0, sizeof(authCheckOut_t));

   rodsLog(LOG_NOTICE, "rsAuthCheck user %s", authCheckInp->username);
   status = chlCheckAuth(rsComm, authCheckInp->challenge, 
			 authCheckInp->response, 
			 authCheckInp->username,
			 &privLevel, &clientPrivLevel);
   if (status < 0) {
      rodsLog (LOG_NOTICE, 
	       "rsAuthCheck: chlCheckAuth status = %d", status);
   }

   if (status == 0) {
      int len, i;
      result = *authCheckOut;
      result->privLevel = privLevel;
      result->clientPrivLevel = clientPrivLevel;

      /* Add a hash to authenticate this server to the other server */
      memset(md5Buf, 0, sizeof(md5Buf));
      strncpy(md5Buf, authCheckInp->challenge, CHALLENGE_LEN);

      getZoneServerId("", ServerID); /* get our local zone SID */
      len = strlen(ServerID);
      digest = ( unsigned char* )malloc(RESPONSE_LEN+2);
      if (len <=0) {
	 rodsLog (LOG_DEBUG, 
	       "rsAuthCheck: Warning, cannot authenticate this server to remote server, no LocalZoneSID defined in server.config", status);
	 memset(digest, 0, RESPONSE_LEN);
      }
      else {
	 strncpy(md5Buf+CHALLENGE_LEN, ServerID, len);

	 obfMakeOneWayHash(
                           HASH_TYPE_DEFAULT, 
                           (unsigned char*)md5Buf, 
                           CHALLENGE_LEN+MAX_PASSWORD_LEN,
                           (unsigned char*)digest);

	 for (i=0;i<RESPONSE_LEN;i++) {
	    if (digest[i]=='\0') digest[i]++;  /* make sure 'string' doesn't
						  end early */
	 }
      }
      result->serverResponse = (char*)digest;
   }

   return (status);
#else
    /* this may be a gateway to the rcat host */
    rodsServerHost_t *rodsServerHost;
    int status;

   status = getAndConnRcatHostNoLogin (rsComm, MASTER_RCAT,
    rsComm->proxyUser.rodsZone, &rodsServerHost);

    if (status < 0) {
        rodsLog (LOG_NOTICE,
         "rsAuthCheck:getAndConnRcatHostNoLogin() failed. erro=%d", status);
        return (status);
    }

    if (rodsServerHost->localFlag == LOCAL_HOST) {
        return ( SYS_NO_ICAT_SERVER_ERR);
    } else {
        status = rcAuthCheck (rodsServerHost->conn, authCheckInp, authCheckOut);
    }
    return status;
#endif
} 
Exemple #3
0
int
rsAuthCheck( rsComm_t *rsComm, authCheckInp_t *authCheckInp,
             authCheckOut_t **authCheckOut ) {
#ifdef RODS_CAT
    int status;
    int privLevel;
    int clientPrivLevel;
    authCheckOut_t *result;
    unsigned char *digest;
    char md5Buf[CHALLENGE_LEN + MAX_PASSWORD_LEN + 2];
    char ServerID[MAX_PASSWORD_LEN + 2];

    *authCheckOut = ( authCheckOut_t* )malloc( sizeof( authCheckOut_t ) );
    memset( ( char * )*authCheckOut, 0, sizeof( authCheckOut_t ) );

    // =-=-=-=-=-=-=-
    // the incoming response string might be a kvp string
    // holding the auth scheme as well as the response
    // try to parse it
    // NOTE :: incoming response string is longer than RESPONSE_LEN so we
    //         cannot directly assign it, it will need to be properly terminated
    //         and not contain any magic characters
    std::string scheme;
    std::string orig_resp = authCheckInp->response;
    std::string response  = authCheckInp->response;

    irods::kvp_map_t kvp;
    irods::error ret = irods::parse_kvp_string( orig_resp, kvp );
    if ( ret.ok() ) {
        if ( kvp.end() != kvp.find( irods::AUTH_SCHEME_KEY ) ) {
            scheme = kvp[ irods::AUTH_SCHEME_KEY ];

            // =-=-=-=-=-=-=-
            // subset the 'response' string from the incoming kvp set
            size_t response_key_pos = response.find( irods::AUTH_RESPONSE_KEY );
            if ( response_key_pos != std::string::npos ) {
                char *response_ptr = authCheckInp->response +
                                     ( response_key_pos +
                                       irods::AUTH_RESPONSE_KEY.length() +
                                       irods::KVP_DEF_ASSOCIATION.length() );
                response.assign( response_ptr, RESPONSE_LEN + 2 );
            }

        }
    }
    else {
        response.assign( authCheckInp->response, RESPONSE_LEN );

    }

    status = chlCheckAuth(
                 rsComm,
                 scheme.c_str(),
                 authCheckInp->challenge,
                 const_cast< char* >( response.c_str() ),
                 authCheckInp->username,
                 &privLevel,
                 &clientPrivLevel );
    if ( status < 0 ) {
        rodsLog( LOG_NOTICE,
                 "rsAuthCheck: chlCheckAuth status = %d", status );
    }

    if ( status == 0 ) {
        int len, i;
        result = *authCheckOut;
        result->privLevel = privLevel;
        result->clientPrivLevel = clientPrivLevel;

        /* Add a hash to authenticate this server to the other server */
        memset( md5Buf, 0, sizeof( md5Buf ) );
        strncpy( md5Buf, authCheckInp->challenge, CHALLENGE_LEN );

        getZoneServerId( "", ServerID ); /* get our local zone SID */
        len = strlen( ServerID );
        digest = ( unsigned char* )malloc( RESPONSE_LEN + 2 );
        if ( len <= 0 ) {
            rodsLog( LOG_DEBUG,
                     "rsAuthCheck: Warning, cannot authenticate this server to remote server, no LocalZoneSID defined in server_config.json", status );
            memset( digest, 0, RESPONSE_LEN );
        }
        else {
            strncpy( md5Buf + CHALLENGE_LEN, ServerID, len );

            obfMakeOneWayHash(
                HASH_TYPE_DEFAULT,
                ( unsigned char* )md5Buf,
                CHALLENGE_LEN + MAX_PASSWORD_LEN,
                ( unsigned char* )digest );

            for ( i = 0; i < RESPONSE_LEN; i++ ) {
                if ( digest[i] == '\0' ) {
                    digest[i]++;
                }  /* make sure 'string' doesn't
                                                      end early */
            }
        }
        result->serverResponse = ( char* )digest;
    }

    return status;
#else
    /* this may be a gateway to the rcat host */
    rodsServerHost_t *rodsServerHost;
    int status;

    status = getAndConnRcatHostNoLogin( rsComm, MASTER_RCAT,
                                        rsComm->proxyUser.rodsZone, &rodsServerHost );

    if ( status < 0 ) {
        rodsLog( LOG_NOTICE,
                 "rsAuthCheck:getAndConnRcatHostNoLogin() failed. erro=%d", status );
        return status;
    }

    if ( rodsServerHost->localFlag == LOCAL_HOST ) {
        return SYS_NO_ICAT_SERVER_ERR;
    }
    else {
        status = rcAuthCheck( rodsServerHost->conn, authCheckInp, authCheckOut );
    }
    return status;
#endif
}
Exemple #4
0
    // =-=-=-=-=-=-=-
    // handle an agent-side auth request call
    irods::error osauth_auth_agent_response(
        irods::auth_plugin_context& _ctx,
        authResponseInp_t*           _resp ) {
        // =-=-=-=-=-=-=-
        // validate incoming parameters
        if ( !_ctx.valid().ok() ) {
            return ERROR(
                       SYS_INVALID_INPUT_PARAM,
                       "invalid plugin context" );
        }
        else if ( !_resp ) {
            return ERROR(
                       SYS_INVALID_INPUT_PARAM,
                       "null authResponseInp_t ptr" );
        }

        int status;
        char *bufp;
        authCheckInp_t authCheckInp;
        rodsServerHost_t *rodsServerHost;

        char digest[RESPONSE_LEN + 2];
        char md5Buf[CHALLENGE_LEN + MAX_PASSWORD_LEN + 2];
        char serverId[MAX_PASSWORD_LEN + 2];
        MD5_CTX context;

        bufp = _rsAuthRequestGetChallenge();

        // =-=-=-=-=-=-=-
        // need to do NoLogin because it could get into inf loop for cross
        // zone auth
        status = getAndConnRcatHostNoLogin(
                     _ctx.comm(),
                     MASTER_RCAT,
                     _ctx.comm()->proxyUser.rodsZone,
                     &rodsServerHost );
        if ( status < 0 ) {
            return ERROR(
                       status,
                       "getAndConnRcatHostNoLogin failed" );
        }

        memset( &authCheckInp, 0, sizeof( authCheckInp ) );
        authCheckInp.challenge = bufp;
        authCheckInp.username = _resp->username;

        std::string resp_str = irods::AUTH_SCHEME_KEY    +
                               irods::kvp_association()  +
                               irods::AUTH_OSAUTH_SCHEME +
                               irods::kvp_delimiter()    +
                               irods::AUTH_RESPONSE_KEY  +
                               irods::kvp_association()  +
                               _resp->response;
        authCheckInp.response = const_cast<char*>( resp_str.c_str() );

        authCheckOut_t *authCheckOut = NULL;
        if ( rodsServerHost->localFlag == LOCAL_HOST ) {
            status = rsAuthCheck( _ctx.comm(), &authCheckInp, &authCheckOut );
        }
        else {
            status = rcAuthCheck( rodsServerHost->conn, &authCheckInp, &authCheckOut );
            /* not likely we need this connection again */
            rcDisconnect( rodsServerHost->conn );
            rodsServerHost->conn = NULL;
        }
        if ( status < 0 || authCheckOut == NULL ) { // JMC cppcheck
            if ( authCheckOut != NULL ) {
                free( authCheckOut->serverResponse );
            }
            free( authCheckOut );
            return ERROR(
                       status,
                       "rxAuthCheck failed" );
        }

        if ( rodsServerHost->localFlag != LOCAL_HOST ) {
            if ( authCheckOut->serverResponse == NULL ) {
                rodsLog( LOG_NOTICE, "Warning, cannot authenticate remote server, no serverResponse field" );
                if ( requireServerAuth ) {
                    free( authCheckOut );
                    return ERROR(
                               REMOTE_SERVER_AUTH_NOT_PROVIDED,
                               "Authentication disallowed, no serverResponse field" );
                }
            }
            else {
                char *cp;
                int OK, len, i;
                if ( *authCheckOut->serverResponse == '\0' ) {
                    rodsLog( LOG_NOTICE, "Warning, cannot authenticate remote server, serverResponse field is empty" );
                    if ( requireServerAuth ) {
                        free( authCheckOut->serverResponse );
                        free( authCheckOut );
                        return ERROR(
                                   REMOTE_SERVER_AUTH_EMPTY,
                                   "Authentication disallowed, empty serverResponse" );
                    }
                }
                else {
                    char username2[NAME_LEN + 2];
                    char userZone[NAME_LEN + 2];
                    memset( md5Buf, 0, sizeof( md5Buf ) );
                    strncpy( md5Buf, authCheckInp.challenge, CHALLENGE_LEN );
                    parseUserName( _resp->username, username2, userZone );
                    getZoneServerId( userZone, serverId );
                    len = strlen( serverId );
                    if ( len <= 0 ) {
                        rodsLog( LOG_NOTICE, "rsAuthResponse: Warning, cannot authenticate the remote server, no RemoteZoneSID defined in server_config.json", status );
                        if ( requireServerAuth ) {
                            free( authCheckOut->serverResponse );
                            free( authCheckOut );
                            return ERROR(
                                       REMOTE_SERVER_SID_NOT_DEFINED,
                                       "Authentication disallowed, no RemoteZoneSID defined" );
                        }
                    }
                    else {
                        strncpy( md5Buf + CHALLENGE_LEN, serverId, len );
                        MD5_Init( &context );
                        MD5_Update( &context, ( unsigned char* )md5Buf,
                                   CHALLENGE_LEN + MAX_PASSWORD_LEN );
                        MD5_Final( ( unsigned char* )digest, &context );
                        for ( i = 0; i < RESPONSE_LEN; i++ ) {
                            if ( digest[i] == '\0' ) {
                                digest[i]++;
                            }  /* make sure 'string' doesn't
                                                                  end early*/
                        }
                        cp = authCheckOut->serverResponse;
                        OK = 1;
                        for ( i = 0; i < RESPONSE_LEN; i++ ) {
                            if ( *cp++ != digest[i] ) {
                                OK = 0;
                            }
                        }
                        rodsLog( LOG_DEBUG, "serverResponse is OK/Not: %d", OK );
                        if ( OK == 0 ) {
                            free( authCheckOut->serverResponse );
                            free( authCheckOut );
                            return ERROR(
                                       REMOTE_SERVER_AUTHENTICATION_FAILURE,
                                       "Server response incorrect, authentication disallowed" );
                        }
                    }
                }
            }
        }

        /* Set the clientUser zone if it is null. */
        if ( strlen( _ctx.comm()->clientUser.rodsZone ) == 0 ) {
            zoneInfo_t *tmpZoneInfo;
            status = getLocalZoneInfo( &tmpZoneInfo );
            if ( status < 0 ) {
                free( authCheckOut->serverResponse );
                free( authCheckOut );
                return ERROR(
                           status,
                           "getLocalZoneInfo failed" );
            }
            strncpy( _ctx.comm()->clientUser.rodsZone,
                     tmpZoneInfo->zoneName, NAME_LEN );
        }


        /* have to modify privLevel if the icat is a foreign icat because
         * a local user in a foreign zone is not a local user in this zone
         * and vice versa for a remote user
         */
        if ( rodsServerHost->rcatEnabled == REMOTE_ICAT ) {
            /* proxy is easy because rodsServerHost is based on proxy user */
            if ( authCheckOut->privLevel == LOCAL_PRIV_USER_AUTH ) {
                authCheckOut->privLevel = REMOTE_PRIV_USER_AUTH;
            }
            else if ( authCheckOut->privLevel == LOCAL_USER_AUTH ) {
                authCheckOut->privLevel = REMOTE_USER_AUTH;
            }

            /* adjust client user */
            if ( strcmp( _ctx.comm()->proxyUser.userName,  _ctx.comm()->clientUser.userName )
                    == 0 ) {
                authCheckOut->clientPrivLevel = authCheckOut->privLevel;
            }
            else {
                zoneInfo_t *tmpZoneInfo;
                status = getLocalZoneInfo( &tmpZoneInfo );
                if ( status < 0 ) {
                    free( authCheckOut->serverResponse );
                    free( authCheckOut );
                    return ERROR(
                               status,
                               "getLocalZoneInfo failed" );
                }

                if ( strcmp( tmpZoneInfo->zoneName,  _ctx.comm()->clientUser.rodsZone )
                        == 0 ) {
                    /* client is from local zone */
                    if ( authCheckOut->clientPrivLevel == REMOTE_PRIV_USER_AUTH ) {
                        authCheckOut->clientPrivLevel = LOCAL_PRIV_USER_AUTH;
                    }
                    else if ( authCheckOut->clientPrivLevel == REMOTE_USER_AUTH ) {
                        authCheckOut->clientPrivLevel = LOCAL_USER_AUTH;
                    }
                }
                else {
                    /* client is from remote zone */
                    if ( authCheckOut->clientPrivLevel == LOCAL_PRIV_USER_AUTH ) {
                        authCheckOut->clientPrivLevel = REMOTE_USER_AUTH;
                    }
                    else if ( authCheckOut->clientPrivLevel == LOCAL_USER_AUTH ) {
                        authCheckOut->clientPrivLevel = REMOTE_USER_AUTH;
                    }
                }
            }
        }
        else if ( strcmp( _ctx.comm()->proxyUser.userName,  _ctx.comm()->clientUser.userName )
                  == 0 ) {
            authCheckOut->clientPrivLevel = authCheckOut->privLevel;
        }

        status = check_proxy_user_privileges( _ctx.comm(), authCheckOut->privLevel );

        if ( status < 0 ) {
            free( authCheckOut->serverResponse );
            free( authCheckOut );
            return ERROR(
                       status,
                       "check_proxy_user_privileges failed" );
        }

        rodsLog( LOG_DEBUG,
                 "rsAuthResponse set proxy authFlag to %d, client authFlag to %d, user:%s proxy:%s client:%s",
                 authCheckOut->privLevel,
                 authCheckOut->clientPrivLevel,
                 authCheckInp.username,
                 _ctx.comm()->proxyUser.userName,
                 _ctx.comm()->clientUser.userName );

        if ( strcmp( _ctx.comm()->proxyUser.userName,  _ctx.comm()->clientUser.userName ) != 0 ) {
            _ctx.comm()->proxyUser.authInfo.authFlag = authCheckOut->privLevel;
            _ctx.comm()->clientUser.authInfo.authFlag = authCheckOut->clientPrivLevel;
        }
        else {	/* proxyUser and clientUser are the same */
            _ctx.comm()->proxyUser.authInfo.authFlag =
                _ctx.comm()->clientUser.authInfo.authFlag = authCheckOut->privLevel;
        }

        free( authCheckOut->serverResponse );
        free( authCheckOut );
        return SUCCESS();

    } // osauth_auth_agent_response