
Re: mod_auth_kerb and heimdal: is there a way to remove the @MY.RELM from the end of a user name when the user is authenticated?

On May 1, 2008, at 7:10 PM, Troy Benjegerdes wrote:

> On Thu, May 01, 2008 at 05:43:17PM -0700, Scott Grizzard wrote:
>> Here's the problem:
>>
>> We use Trac to manage our software development.  Currently, we use
>> mod_authnz_ldap to authenticate the users against the ldap directory
>> before they can access the intranet.  Trac uses the username returned by
>> Apache as the user that is "logged in".
>>
>> We have migrated on to Heimdal, and want to use mod_auth_kerb to do
>> authentication for Trac (and subversion).
>>
>> The issue that I am having is this: when I authenticate using
>> mod_auth_kerb, the username passed to apache, and then to trac, is
>> "username@MY.RELM" instead of just "username".  Is there any way to tell
>> apache to only return the first portion of the principal name without
>> returning the realm name?
>
> I think the right place to fix this is in Trac, not mod_auth_kerb or
> apache... Otherwise you may end up in the situation where you have a
> cross-realm trust, and joeuser@REALM1 and joeuser@REALM2 both end up as
> joeuser.. NOT what you'd want or expect.

As you say it won't work if you have multiple realms.  However note
that krb5_aname_to_localname() will only work if the realm matches the
default.  (On MIT you can define the mapping in krb5.conf, but it's
not well documented or used.)

------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
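The collision Troy warns about, and the "default realm only" rule Henry describes for krb5_aname_to_localname(), as an added Python example (Trac's language) that is not part of this thread and not code from mod_auth_kerb, Heimdal or Trac. The realm name, principal list and function names are constructed for illustration; the realm-aware mapper returns None for any principal outside the default realm, which is the behaviour an application should expect before it trusts a bare user name.

```python
# Added example (not from the original thread): map a Kerberos principal to a
# local user name only when it belongs to the default realm, and show why
# naively stripping "@REALM" collapses users from different realms together.

DEFAULT_REALM = "MY.REALM"  # constructed sample value standing in for the site's default realm


def naive_strip(principal: str) -> str:
    """Drop everything after '@' regardless of realm (what the original question asks for)."""
    return principal.split("@", 1)[0]


def principal_to_local(principal: str, default_realm: str = DEFAULT_REALM):
    """Return the local user name only for single-component principals in the default realm.

    This mirrors the rule stated in the thread: a principal from any other
    realm gets no local name (None here), so joeuser@REALM1 and joeuser@REALM2
    can never be mistaken for the local account joeuser. The rejection of
    multi-component names (e.g. service principals) is an assumption added
    here, not something the thread discusses.
    """
    if "@" not in principal:
        return None  # not a fully qualified principal name
    name, realm = principal.rsplit("@", 1)
    if not name or realm != default_realm:
        return None
    if "/" in name:
        return None  # assumption: only plain user principals map to local accounts
    return name


def find_collisions(principals, mapper):
    """Return {local_name: [principals]} for every local name produced by more than one principal."""
    seen = {}
    for p in principals:
        local = mapper(p)
        if local is None:
            continue
        seen.setdefault(local, []).append(p)
    return {k: v for k, v in seen.items() if len(v) > 1}


# Constructed sample input: one local user plus the cross-realm case from the thread.
SAMPLE_PRINCIPALS = [
    "joeuser@MY.REALM",
    "joeuser@REALM1",
    "joeuser@REALM2",
    "alice@MY.REALM",
]

if __name__ == "__main__":
    print("naive strip collisions:", find_collisions(SAMPLE_PRINCIPALS, naive_strip))
    print("realm-aware collisions:", find_collisions(SAMPLE_PRINCIPALS, principal_to_local))
```

Run stand-alone, the naive mapper reports the three joeuser principals sharing one local name, while the realm-aware mapper reports no collisions because the two foreign-realm principals are refused a local name rather than silently renamed.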