Re: mod_auth_kerb and heimdal: is there a way to remove the @MY.RELM from the end of a user name when the user is authenticated?
Thanks. This is perfect.
I guess my new weekend project is compiling this and getting it to
work on Ubuntu's source debs.
- Scott
On May 1, 2008, at 6:40 PM, Henry B. Hotz wrote:
>
> On May 1, 2008, at 5:43 PM, Scott Grizzard wrote:
>
>> Here's the problem:
>>
>> We use Trac to manage our software development. Currently, we use
>> mod_authnz_ldap to authenticate the users against the ldap directory
>> before they can access the intranet. Trac uses the username
>> returned by
>> Apache as the user that is "logged in".
>>
>> We have migrated on to Heimdal, and want to use mod_auth_kerb to do
>> authentication for Trac (and subversion).
>>
>> The issue that I am having is this: when I authenticate using
>> mod_auth_kerb, the username passed to apache, and then to trac, is
>> "username@MY.RELM" instead of just "username". Is there any way to
>> tell
>> apache to only return the first portion of the principal name without
>> returning the realm name?
>
> The mod_auth_kerb list is a better place for this question. Here's
> a relevant message from earlier this year:
>
>
> On Jan 8, 2008, at 9:18 PM, Rob Riggs wrote:
>
>> Hi all,
>>
>> This is the result of the discussion we had a couple of weeks ago.
>> This patch adds a "Krb5AuthToLocal" directive (defaults to off)
>> that will enable Kerberos V5 auth_to_local mapping in the
>> mod_auth_kerb module. This patch is against the patched
>> mod_auth_kerb that is part of Fedora 8.
>>
>> I would like to strongly encourage its adoption into the mainline
>> of mod_auth_kerb. This patch is released to the public domain.
>>
>> Kindest Regards,
>>
>> Rob
>> --- mod_auth_kerb-5.3/src/mod_auth_kerb.c.auth_to_local 2008-01-08
>> 21:41:16.000000000 -0700
>> +++ mod_auth_kerb-5.3/src/mod_auth_kerb.c 2008-01-08
>> 21:47:30.000000000 -0700
>> @@ -168,6 +168,7 @@
>> char *krb_5_keytab;
>> int krb_method_gssapi;
>> int krb_method_k5pass;
>> + int krb5_auth_to_local;
>> #endif
>> #ifdef KRB4
>> char *krb_4_srvtab;
>> @@ -230,6 +231,9 @@
>>
>> command("KrbMethodK5Passwd", ap_set_flag_slot, krb_method_k5pass,
>> FLAG, "Enable Kerberos V5 password authentication."),
>> +
>> + command("Krb5AuthToLocal", ap_set_flag_slot, krb5_auth_to_local,
>> + FLAG, "Enable Kerberos V5 auth_to_local mapping."),
>> #endif
>>
>> #ifdef KRB4
>> @@ -298,6 +302,7 @@
>> #ifdef KRB5
>> ((kerb_auth_config *)rec)->krb_method_k5pass = 1;
>> ((kerb_auth_config *)rec)->krb_method_gssapi = 1;
>> + ((kerb_auth_config *)rec)->krb5_auth_to_local = 0;
>> #endif
>> #ifdef KRB4
>> ((kerb_auth_config *)rec)->krb_method_k4pass = 1;
>> @@ -722,6 +727,78 @@
>> }
>>
>> static int
>> +do_krb5_an_to_ln(request_rec *r, const kerb_auth_config *conf,
>> MK_POOL *p)
>> +{
>> + const int lname_size = 1024;
>> +
>> + krb5_context kcontext;
>> + krb5_principal princ;
>> + krb5_error_code code;
>> + char lname[lname_size];
>> + int ret;
>> +
>> + if (!conf->krb5_auth_to_local) {
>> + return OK;
>> + }
>> +
>> + ret = HTTP_INTERNAL_SERVER_ERROR;
>> +
>> + code = krb5_init_context(&kcontext);
>> + if (code) {
>> + log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
>> + "Cannot initialize Kerberos5 context (%d)", code);
>> + return HTTP_INTERNAL_SERVER_ERROR;
>> + }
>> +
>> + code = krb5_parse_name(kcontext, MK_USER, &princ);
>> + if (code) {
>> + log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
>> + "krb5_parse_name() failed for name %s: %s",
>> + MK_USER,
>> + krb5_get_err_text(kcontext, code));
>> + krb5_free_context(kcontext);
>> + return HTTP_INTERNAL_SERVER_ERROR;
>> + }
>> +
>> + code = krb5_aname_to_localname(kcontext, princ, sizeof(lname),
>> lname);
>> + if (code) {
>> + if (code != KRB5_LNAME_NOTRANS) {
>> + log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
>> + "krb5_aname_to_localname() failed: %s",
>> + krb5_get_err_text(kcontext, code));
>> + /* fall through */
>> + }
>> + else {
>> + log_rerror(APLOG_MARK, APLOG_NOTICE, 0, r,
>> + "krb5_aname_to_localname() found no "
>> + "mapping for principal %s",
>> + MK_USER);
>> + /* fall through */
>> + }
>> + }
>> + else {
>> + /* Does this belong in an authz handler? */
>> + if (!krb5_kuserok(kcontext, princ, lname)) {
>> + log_rerror(APLOG_MARK, APLOG_NOTICE, 0, r,
>> + "krb5_kuserok(%s, %s) == false",
>> + MK_USER, lname);
>> + ret = HTTP_UNAUTHORIZED;
>> + }
>> + else {
>> + log_rerror(APLOG_MARK, APLOG_NOTICE, 0, r,
>> + "doing auth_to_local: %s -> %s",
>> + MK_USER, lname);
>> + MK_USER = apr_pstrdup(p, lname);
>> + ret = OK;
>> + }
>> + }
>> + krb5_free_principal(kcontext, princ);
>> + krb5_free_context(kcontext);
>> +
>> + return ret;
>> +}
>> +
>> +static int
>> krb5_cache_cleanup(void *data)
>> {
>> krb5_context context;
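Review bot: When krb5_aname_to_localname() returns an error or KRB5_LNAME_NOTRANS, do_krb5_an_to_ln() returns the HTTP_INTERNAL_SERVER_ERROR that ret was preset to, so an unmapped principal never reaches MK_USER; that is correctly fail-closed, but a missing auth_to_local rule is then reported as a server fault, and the two "fall through" comments read as if a different outcome was intended. I would set `ret = HTTP_UNAUTHORIZED;` in the KRB5_LNAME_NOTRANS branch to match the krb5_kuserok() failure path, with the comment `/* no local mapping: reject rather than fall back to the raw principal */` so the fail-closed behaviour is documented rather than accidental. Whether a principal from another realm can map onto a local account is decided entirely by the krb5.conf auth_to_local rules, and the Krb5AuthToLocal directive text should say so. Separately, `const int lname_size` is not a constant expression in C, so `char lname[lname_size]` is a VLA; `enum { LNAME_SIZE = 1024 };` gives a true compile-time size.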
>> @@ -1468,11 +1545,17 @@
>>
>> #ifdef KRB5
>> if (use_krb5 && conf->krb_method_gssapi &&
>> - strcasecmp(auth_type, MECH_NEGOTIATE) == 0) {
>> - ret = authenticate_user_gss(r, conf, auth_line,
>> &negotiate_ret_value);
>> + strcasecmp(auth_type, MECH_NEGOTIATE) == 0) {
>> + ret = authenticate_user_gss(r, conf, auth_line,
>> &negotiate_ret_value);
>> + if (ret == OK) {
>> + ret = do_krb5_an_to_ln(r, conf, r->connection->pool);
>> + }
>> } else if (use_krb5 && conf->krb_method_k5pass &&
>> - strcasecmp(auth_type, "Basic") == 0) {
>> - ret = authenticate_user_krb5pwd(r, conf, auth_line);
>> + strcasecmp(auth_type, "Basic") == 0) {
>> + ret = authenticate_user_krb5pwd(r, conf, auth_line);
>> + if (ret == OK) {
>> + ret = do_krb5_an_to_ln(r, conf, r->pool);
>> + }
>> }
>> #endif
>>
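Review bot: The two new call sites hand do_krb5_an_to_ln() different pools, `r->connection->pool` on the Negotiate path and `r->pool` on the Basic path, so the mapped MK_USER string is allocated with a per-connection lifetime on one path and a per-request lifetime on the other. If that is deliberate (presumably so the name survives across requests on a Negotiate-authenticated connection), a one-line comment at the Negotiate call such as `/* connection pool: mapped name must outlive this request on a persistent Negotiate connection */` should say so; otherwise both calls should pass `r->pool`. The enclosing function begins and ends outside this hunk.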
>
>
>
> ------------------------------------------------------
> The opinions expressed in this message are mine,
> not those of Caltech, JPL, NASA, or the US Government.
> Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
>
>
>
>