Regex/PCRE support for auth_to_local RULEs

Protulipac, Michael michael.protulipac at pnc.com
Mon Sep 11 10:50:23 EDT 2017


Hello -

Not sure where best to post this question and/or enhancement request. If inappropriate for this distribution, kindly advise routing.

We are trying to migrate from QAS/VAS (Quest Authentication Services) to an open source based solution. We have Active Directory for the KDC, MS Windows clients and Red Hat Linux servers running Cloudera Hadoop. When we enable SSHD GSS API, we find a case sensitivity issue with our Windows principal names (Windows acquires KRB tickets using uppercase user IDs). We have success when we map uppercase users to lowercase in auth_to_local_names or auth_to_local defining an explicit search and replace RULE. The issue is we have 50k+ users that cannot be easily added yet maintained in this manner.

Cloudera seems to implement a similar auth_to_local RULE-based method to their Java processes that enables a "to lowercase" feature leveraging a /L switch: https://www.cloudera.com/documentation/enterprise/5-3-x/topics/cdh_sg_kerbprin_to_sn.html

A simple auth_to_local = RULE:[1:$1]/L would meet our requirements (better yet if we had full PCRE support).

It does not seem to be trivial to change this on the AD or Windows client side. Has the Kerberos team considered adding PCRE support to the RULE functionality or have another method to deal with Windows/Linux integrations (system that is case aware to one that is case aware and sensitive)? Are there any alternatives/options/other paths we could entertain?

Thanks for your time and please advise,

Mike
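
What the requested `RULE:[1:$1]/L` would do, as an added example that is not part of the original post and is not MIT krb5's or Hadoop's code: a small Python evaluator for the RULE form with the trailing /L flag from the linked Cloudera page. The principals, realms and the names `apply_rule` and `collisions` are constructed for illustration; the sketch also shows that a rule with no realm filter folds same-named principals from different realms onto one local account, and how a `$0` acceptance filter scopes it.

```python
import re

# Sketch of the RULE grammar: [n:format](accept)s/pat/repl/[g] plus a trailing /L.
RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\]"        # [n:format], n = required component count
    r"(?:\(([^)]*)\))?"                # optional (acceptance regex)
    r"(?:s/([^/]*)/([^/]*)/(g)?)?"     # optional s/pattern/replacement/[g]
    r"(/L)?$"                          # optional lowercase flag
)

def apply_rule(rule, principal):
    """Return the local name the rule yields, or None if the rule does not apply."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("unparseable rule: " + rule)
    n, fmt, accept, pat, repl, glob, lower = m.groups()
    name, _, realm = principal.rpartition("@")
    comps = name.split("/")
    if len(comps) != int(n):
        return None                    # wrong number of components
    fields = [realm] + comps           # $0 is the realm, $1.. the components
    out = re.sub(r"\$(\d)", lambda d: fields[int(d.group(1))], fmt)
    if accept is not None and not re.fullmatch(accept, out):
        return None                    # acceptance filter must match the whole string
    if pat is not None:
        out = re.sub(pat, repl, out, count=0 if glob else 1)
    return out.lower() if lower else out

def collisions(rule, principals):
    """Local names that principals from more than one realm map to."""
    seen = {}
    for p in principals:
        local = apply_rule(rule, p)
        if local is not None:
            seen.setdefault(local, set()).add(p.rpartition("@")[2])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

# Constructed sample principals (not from the post).
PRINCIPALS = [
    "JSMITH@CORP.EXAMPLE.COM",
    "jsmith@PARTNER.EXAMPLE.NET",
    "hdfs/node1.corp.example.com@CORP.EXAMPLE.COM",
]
BARE = "RULE:[1:$1]/L"                                      # rule as written in the post
SCOPED = r"RULE:[1:$1@$0](.*@CORP\.EXAMPLE\.COM)s/@.*///L"  # same mapping, one realm only

if __name__ == "__main__":
    print(collisions(BARE, PRINCIPALS))    # both realms land on "jsmith"
    print(collisions(SCOPED, PRINCIPALS))  # no cross-realm collision
```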






