
Re: mod_auth_kerb and heimdal: is there a way to remove the @MY.RELM from the end of a user name when the user is authenticated?



On Thu, May 01, 2008 at 05:43:17PM -0700, Scott Grizzard wrote:
> Here's the problem:
> 
> We use Trac to manage our software development.  Currently, we use
> mod_authnz_ldap to authenticate the users against the ldap directory
> before they can access the intranet.  Trac uses the username returned by
> Apache as the user that is "logged in".
> 
> We have migrated on to Heimdal, and want to use mod_auth_kerb to do
> authentication for Trac (and subversion).
> 
> The issue that I am having is this: when I authenticate using
> mod_auth_kerb, the username passed to Apache, and then to Trac, is
> "username@MY.RELM" instead of just "username".  Is there any way to tell
> Apache to only return the first portion of the principal name without
> returning the realm name?

I think the right place to fix this is in Trac, not mod_auth_kerb or
Apache... Otherwise you may end up in the situation where you have a
cross-realm trust, and joeuser@REALM1 and joeuser@REALM2 both end up as
joeuser... NOT what you'd want or expect.
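
The collision described in the reply above, next to a realm-aware mapping that avoids it, as an added example (not code from Trac, mod_auth_kerb or this thread). It assumes the application reads the login name from the WSGI `REMOTE_USER` variable; `naive_strip`, `map_principal`, `RealmAwareRemoteUser` and the realm names are hypothetical.

```python
# Added illustration: all names and realms here are hypothetical/constructed.
LOCAL_REALM = "REALM1"  # the one realm whose users may be shortened


def naive_strip(principal):
    """Drop everything after '@', whatever the realm is (the risky form)."""
    return principal.split("@", 1)[0]


def map_principal(principal, local_realm=LOCAL_REALM):
    """Shorten a principal only when it belongs to the local realm.

    Principals from any other (trusted) realm keep their full form, so
    joeuser@REALM2 can never be mistaken for the local joeuser.
    """
    user, sep, realm = principal.rpartition("@")
    if not sep or not user or not realm:
        # No usable realm: refuse rather than guess which account is meant.
        raise ValueError("malformed principal: %r" % (principal,))
    # Kerberos realm names are case-sensitive, so compare exactly.
    if realm == local_realm:
        return user
    return principal


class RealmAwareRemoteUser:
    """WSGI middleware that rewrites REMOTE_USER before the app sees it."""

    def __init__(self, app, local_realm=LOCAL_REALM):
        self.app = app
        self.local_realm = local_realm

    def __call__(self, environ, start_response):
        remote = environ.get("REMOTE_USER")
        if remote:
            environ["REMOTE_USER"] = map_principal(remote, self.local_realm)
        return self.app(environ, start_response)


if __name__ == "__main__":
    for p in ("joeuser@REALM1", "joeuser@REALM2"):  # constructed samples
        print(p, "naive:", naive_strip(p), "realm-aware:", map_principal(p))
```
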