mod_auth_kerb realm stripping

Markus Moeller huaraz at moeller.plus.com
Wed Oct 14 18:07:17 EDT 2009


Did you check 
http://modauthkerb.cvs.sourceforge.net/viewvc/modauthkerb/mod_map_user/  ?

Markus

"Chris Cowley" <chriscowleysound at googlemail.com> wrote in message 
news:a804524e-f6d4-4b9d-93ca-a267ee356335 at j19g2000yqk.googlegroups.com...
On 13 Oct, 17:28, Chris Cowley <chriscowleyso... at googlemail.com>
wrote:
> Hello all
>
> I am trying to tweak my mod_auth_kerb setup. Currently it works
> nicely, I am able to authenticate to web pages on our intranet and
> everything is dandy.
>
> The problem I am having is the contents of Apache's REMOTE_USER
> variable. Currently it has my REALM on the end, which I do not want. I
> have upgraded to mod_auth_kerb 5.4 which introduced an
> "KrbLocalUserMapping" option. As you can see in the log below it is
> rewriting my principal, but then I am not found in AD. The value I am
> being re-written to matches my sAMAccountName, so it should be found.
>
> [Tue Oct 13 17:13:26 2009] [debug] src/mod_auth_kerb.c(1578): [client
> 172.19.77.8] kerb_authenticate_user entered with user (NULL) and
> auth_type Kerberos
> [Tue Oct 13 17:13:26 2009] [debug] src/mod_auth_kerb.c(1213): [client
> 172.19.77.8] Acquiring creds for HTTP/svn.snellwilcox.local
> [Tue Oct 13 17:13:26 2009] [debug] src/mod_auth_kerb.c(1335): [client
> 172.19.77.8] Verifying client data using KRB5 GSS-API
> [Tue Oct 13 17:13:26 2009] [debug] src/mod_auth_kerb.c(1351): [client
> 172.19.77.8] Client didn't delegate us their credential
> [Tue Oct 13 17:13:26 2009] [debug] src/mod_auth_kerb.c(1370): [client
> 172.19.77.8] GSS-API token of length 161 bytes will be sent back
> [Tue Oct 13 17:13:26 2009] [debug] src/mod_auth_kerb.c(1484): [client
> 172.19.77.8] kerb_authenticate_a_name_to_local_name
> ChrisCow... at SNELLWILCOX.LOCAL -> ChrisCowley
> [Tue Oct 13 17:13:26 2009] [debug] mod_authnz_ldap.c(561): [client
> 172.19.77.8] ldap authorize: Creating LDAP req structure
> [Tue Oct 13 17:13:26 2009] [debug] mod_authnz_ldap.c(573): [client
> 172.19.77.8] auth_ldap authorise: User DN not found, User not found
>
> http.conf:
> AuthType Kerberos
> AuthName "Subversion - use your SNELLWILCOX domain login (as
> used to log in to Windows)"
> Krb5Keytab /etc/kerberos/svn.keytab
> KrbVerifyKDC On
> KrbMethodNegotiate On
> KrbMethodK5Passwd On
> KrbAuthRealms SNELLWILCOX.LOCAL
> KrbLocalUserMapping on
>
> AuthLDAPBindDN <binddn>
> AuthLDAPBindPassword <password>
> AuthLDAPURL
> ldap://<windoze_dn>/OU=SnellWilcox,DC=snellwilcox,DC=local?userPrincipalName,sAMAccountName,mail,displayname,cn?sub?(objectClass=*)
>
> require ldap-attribute
> msSFU30PosixMemberOf="CN=SG_Linux_CVS_IT,OU=Linux Authentication
> Groups,OU=Security Groups,OU=SnellWilcox,DC=snellwilcox,DC=local"


Also, if anyone has a better way to do it (mod_rewrite) that would be
considered.
________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
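Added example (editor's code, not from the thread or from mod_auth_kerb/mod_authnz_ldap): a small trace of what the quoted configuration does with a principal. It strips the realm the way KrbLocalUserMapping does, parses the quoted AuthLDAPURL, and runs a toy stand-in for the directory search against one constructed AD entry. The point it shows is that a realm-stripped name cannot match a userPrincipalName of the form user@realm, while it does match sAMAccountName if that is the first attribute in the URL (mod_authnz_ldap searches on the first attribute and only fetches the rest). Whether that is the cause of the "User not found" in the post is something to confirm on the server with the debug log. The host name dc1.snellwilcox.local stands in for the post's <windoze_dn> placeholder and is an assumption, as is the sample entry; the lookup is not the module's own search code. The realm stripper also shows the caveat a practitioner wants: strip only realms listed in KrbAuthRealms, because unconditional stripping would map alice@OTHER.REALM onto the local alice.

```python
"""Added example, not from the original post: trace what a realm-stripped
REMOTE_USER looks like to an LDAP lookup configured like the AuthLDAPURL above."""
from urllib.parse import unquote

# Constructed sample directory entry; values chosen to match the names in the post.
SAMPLE_AD_ENTRIES = [
    {
        "dn": "CN=Chris Cowley,OU=SnellWilcox,DC=snellwilcox,DC=local",
        "userPrincipalName": "ChrisCowley@snellwilcox.local",
        "sAMAccountName": "ChrisCowley",
    },
]

# Mirrors KrbAuthRealms from the posted config.
AUTH_REALMS = {"SNELLWILCOX.LOCAL"}

# The AuthLDAPURL from the post; the host is an assumed name replacing <windoze_dn>.
AUTH_LDAP_URL = (
    "ldap://dc1.snellwilcox.local/OU=SnellWilcox,DC=snellwilcox,DC=local"
    "?userPrincipalName,sAMAccountName,mail,displayname,cn?sub?(objectClass=*)"
)


def strip_realm(principal, auth_realms=AUTH_REALMS):
    """Map user@REALM to the bare user name, but only for a realm we accept.
    Unconditional stripping would turn alice@OTHER.REALM into the local
    'alice', so a foreign realm is rejected rather than mapped."""
    user, sep, realm = principal.rpartition("@")
    if not sep or not user:
        raise ValueError("principal has no realm: %r" % principal)
    if realm.upper() not in {r.upper() for r in auth_realms}:
        raise ValueError("realm %r is not in the accepted realms" % realm)
    return user


def parse_auth_ldap_url(url):
    """Split an LDAP URL (RFC 4516 layout: host/base?attrs?scope?filter).
    mod_authnz_ldap searches on the FIRST attribute; the rest are only fetched."""
    _scheme, _, rest = url.partition("://")
    host, _, path = rest.partition("/")
    fields = [unquote(f) for f in path.split("?")]
    fields += [""] * (4 - len(fields))
    base, attrs, scope, filt = fields[:4]
    return {
        "host": host,
        "base": base,
        "attrs": [a for a in attrs.split(",") if a] or ["uid"],
        "scope": scope or "sub",
        "filter": filt or "(objectClass=*)",
    }


def escape_filter_value(value):
    """RFC 4515 escaping of user-controlled data placed into a search filter;
    this is what keeps a crafted REMOTE_USER from rewriting the filter."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\0" else ch for ch in value
    )


def build_search_filter(url, username):
    """Shape of the conjunction the module searches with:
    the URL's filter AND (<first attr>=<username>)."""
    cfg = parse_auth_ldap_url(url)
    return "(&%s(%s=%s))" % (cfg["filter"], cfg["attrs"][0], escape_filter_value(username))


def lookup(url, username, entries=SAMPLE_AD_ENTRIES):
    """Toy stand-in for the directory search (not the module's code): exact match
    on the first URL attribute, case-insensitive as AD string attributes are.
    Returns the matching DN or None."""
    attr = parse_auth_ldap_url(url)["attrs"][0]
    for entry in entries:
        if entry.get(attr, "").lower() == username.lower():
            return entry["dn"]
    return None


def demo():
    principal = "ChrisCowley@SNELLWILCOX.LOCAL"
    results = {}
    # Without KrbLocalUserMapping: REMOTE_USER keeps the realm and matches the UPN.
    results["upn_with_realm"] = lookup(AUTH_LDAP_URL, principal)
    # With KrbLocalUserMapping: the bare name no longer matches userPrincipalName...
    local = strip_realm(principal)
    results["upn_stripped"] = lookup(AUTH_LDAP_URL, local)
    # ...but it does match when sAMAccountName is the first attribute in the URL.
    sam_url = AUTH_LDAP_URL.replace(
        "?userPrincipalName,sAMAccountName,", "?sAMAccountName,userPrincipalName,"
    )
    results["sam_stripped"] = lookup(sam_url, local)
    results["filter"] = build_search_filter(sam_url, local)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-16s %s" % (key, value))
```

Running it prints one lookup result per configuration: the realm-bearing name is found via userPrincipalName, the stripped name is not, and the stripped name is found once sAMAccountName leads the attribute list. The `require ldap-attribute` line in the post is unaffected by this; it only runs once the user's DN has been found.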