libapache2-mod-auth-kerb and cross-realm
Jaap Winius
jwinius at umrk.nl
Thu Aug 14 09:29:38 EDT 2014
On Wed, 13 Aug 2014 23:07:03 -0400, Greg Hudson wrote:
> So you need something like:
>
> [realms]
> EXAMPLE.COM = {
> auth_to_local = RULE:[1:$1@$0](.*@MYREALM.COM)s/@MYREALM.COM$//
> auth_to_local = DEFAULT
> }

Amazing, it works! Greg, you're a genius... or just happen to know these
things. I would never have come up with this on my own. Although I did
encounter an example of someone using $0, they were doing something else
with it and perhaps I didn't understand enough of what was going on.

Some other notes. Regarding the Apache configuration, for this to work I
don't have to include MYREALM.COM in the KrbAuthRealms list -- just the
default realm. No realm name parts in the 'require user' list either.

Lastly, I was initially afraid that this would affect Kerberos
authentication for other services, such as SSH, but apparently not, so
I'm thus far very pleased with this configuration.

Thanks, Greg, and Russ!

Cheers,
Jaap