auth_to_localnames only using default realm?

Nebergall, Christopher cneberg at sandia.gov
Fri Nov 21 19:07:43 EST 2003


Why is it that, no matter what realm the user is in, only the
auth_to_local_names attribute in the default realm is used for the mapping?
That seems to be wrong. I would think that if this really is a
realm-specific setting, as the profile hierarchy suggests, I would want to
look up the mappings from the realm the person is coming from, not the
default realm.  If it is meant not to be realm-specific, it should probably
be moved out of the realm-specific settings area.  To make things more
confusing, the realm information is dropped before the mapping:
user1@anyrealm will be mapped using only user1; the realm they come from is
not used in the match.

Example in 1.3.1

If I see roger@siteA.com or roger@siteB.com, they both get mapped into roger1
using the krb5.conf settings below.

[libdefaults]
          default_realm = siteA.com

[realms]
 siteA.com = {
          kdc = something
          auth_to_local_names = {
               roger = roger1
          }
 }

 siteB.com = {
          kdc = something
 }

Notice from the code snippet below that the default realm is used for
everything.

lib/krb5/os/an_to_ln.c

  if (!(kret = krb5_get_default_realm(context, &realm))) {
        /* Flatten the name */
        if (!(kret = krb5_unparse_name(context, aname, &pname))) {
            if ((mname = aname_full_to_mapping_name(pname))) {
                /*
                 * Search first for explicit mappings of the form:
                 *
                 * [realms]->realm->"auth_to_local_names"->mapping_name
                 */
                hierarchy[0] = "realms";
>>>>>>>>                hierarchy[1] = realm;
                hierarchy[2] = "auth_to_local_names";
                hierarchy[3] = mname;
                hierarchy[4] = (char *) NULL;
                if (!(kret = profile_get_values(context->profile,
                                                hierarchy,
                                                &mapping_values))) {
                    /* We found one or more explicit mappings. */
                    for (nvalid=0; mapping_values[nvalid]; nvalid++);
 
                    /* Just use the last one. */
                    /* Trim the value. */
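
The lookup described in this post, as an added example that is not part of the original message and is not MIT krb5 code: a small C model of the krb5.conf table above, comparing the default-realm lookup the post describes with the per-realm lookup it argues for. The table and the names lookup, map_default_realm and map_principal_realm are hypothetical, and the realm is assumed to follow the last '@' with no escaping.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of [realms] -> realm -> auth_to_local_names from the
 * krb5.conf in the post; this is not the krb5 profile API. */
struct name_map { const char *realm, *princ, *local; };
static const struct name_map profile[] = {
    { "siteA.com", "roger", "roger1" },   /* siteB.com defines no mappings */
};
static const char *default_realm = "siteA.com";

/* Hypothetical helper: find name (nlen bytes) in one realm's mapping table. */
static const char *lookup(const char *realm, const char *name, size_t nlen)
{
    for (size_t i = 0; i < sizeof profile / sizeof profile[0]; i++)
        if (strcmp(profile[i].realm, realm) == 0 &&
            strlen(profile[i].princ) == nlen &&
            strncmp(profile[i].princ, name, nlen) == 0)
            return profile[i].local;
    return NULL;
}

/* Behaviour described in the post: the realm is dropped from the principal
 * and the default realm's table is always the one consulted. */
const char *map_default_realm(const char *principal)
{
    const char *at = strrchr(principal, '@');
    size_t nlen = at ? (size_t)(at - principal) : strlen(principal);
    return lookup(default_realm, principal, nlen);
}

/* Alternative the post argues for: consult the table of the realm the
 * principal comes from (the default realm only when none is given). */
const char *map_principal_realm(const char *principal)
{
    const char *at = strrchr(principal, '@');
    size_t nlen = at ? (size_t)(at - principal) : strlen(principal);
    return lookup(at ? at + 1 : default_realm, principal, nlen);
}

int main(void)
{
    const char *in[] = { "roger@siteA.com", "roger@siteB.com" };
    for (int i = 0; i < 2; i++) {
        const char *a = map_default_realm(in[i]), *b = map_principal_realm(in[i]);
        printf("%-16s default-realm: %-7s per-realm: %s\n", in[i],
               a ? a : "(none)", b ? b : "(none)");
    }
    return 0;
}
```

With the default-realm lookup, a principal from any realm whose first component is roger resolves to the local account roger1, which is the cross-realm identity collision the post is pointing at.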




