
Re: mod_auth_kerb and heimdal: is there a way to remove the @MY.RELM from the end of a user name when the user is authenticated?

On May 1, 2008, at 7:10 PM, Troy Benjegerdes wrote:

> On Thu, May 01, 2008 at 05:43:17PM -0700, Scott Grizzard wrote:
>> Here's the problem:
>> We use Trac to manage our software development.  Currently, we use
>> mod_authnz_ldap to authenticate the users against the ldap directory
>> before they can access the intranet.  Trac uses the username returned by
>> Apache as the user that is "logged in".
>> We have migrated on to Heimdal, and I want to use mod_auth_kerb to do
>> authentication for Trac (and subversion).
>> The issue that I am having is this: when I authenticate using
>> mod_auth_kerb, the username passed to apache, and then to trac, is
>> "username@MY.RELM" instead of just "username".  Is there any way to tell
>> apache to only return the first portion of the principal name without
>> returning the realm name?
> I think the right place to fix this is in Trac, not mod_auth_kerb or
> apache... Otherwise you may end up in the situation where you have a
> cross-realm trust, and joeuser@REALM1 and joeuser@REALM2 both end up as
> joeuser.. NOT what you'd want or expect.

As you say, it won't work if you have multiple realms.  However, note
that krb5_aname_to_localname() will only work if the realm matches the
default.  (On MIT you can define the mapping in krb5.conf, but it's
not well documented or used.)

The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
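The realm-stripping question above, together with the cross-realm caveat and the krb5_aname_to_localname() behaviour noted in the reply, as an added example that is not part of this thread: a small Python mapper that only strips the realm from single-component principals in the configured default realm and otherwise refuses (or applies an explicit per-realm rule), so joeuser@REALM1 and joeuser@REALM2 can never collapse into the same local name by accident. The realm name MY.REALM and the realm_map callables are assumptions for illustration.

```python
# Added example: map a Kerberos principal to a local username the way the
# default krb5_aname_to_localname() rule does (single component, default
# realm only), with an optional explicit per-realm mapping for trusted realms.

DEFAULT_REALM = "MY.REALM"  # assumption: this site's default realm


def parse_principal(principal):
    """Split an unparsed principal into (components, realm).

    Unescaped '/' separates components, the first unescaped '@' starts the
    realm, and a backslash keeps the following character literal, so
    'joe\\@corp@MY.REALM' is the single-component name 'joe@corp'.
    """
    parts, cur, realm, i = [], [], None, 0
    while i < len(principal):
        c = principal[i]
        if c == "\\" and i + 1 < len(principal):
            cur.append(principal[i + 1])   # escaped character, taken literally
            i += 2
            continue
        if c == "@":
            realm = principal[i + 1:]      # everything after the first '@'
            break
        if c == "/":
            parts.append("".join(cur))     # end of a component
            cur = []
        else:
            cur.append(c)
        i += 1
    parts.append("".join(cur))
    return parts, realm


def to_local_name(principal, default_realm=DEFAULT_REALM, realm_map=None):
    """Return the local username for a principal, or None if it is unsafe to map.

    Only a one-component principal in the default realm is stripped to its
    name. Other realms are mapped only through an explicit realm_map entry
    (realm -> callable), never by silently dropping the realm.
    """
    comps, realm = parse_principal(principal)
    if realm is None or len(comps) != 1 or not comps[0]:
        return None                        # no realm, service principal, or empty
    if realm == default_realm:
        return comps[0]
    if realm_map and realm in realm_map:
        return realm_map[realm](comps[0])  # e.g. lambda n: n + "-partner"
    return None                            # unknown realm: refuse rather than collide
```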