SSO Application needs username from GSSName (or GSSAPI)

Spike_White@dell.com
Tue Aug 5 15:34:52 EDT 2014


Amit,

The problem with what you're suggesting is that it's a static conversion. Admittedly, the static conversion is usually (but not always) what's desired.

If you use krb5_aname_to_localname() instead, by default it does the same conversion. But additionally, the site administrator is able to write his or her own auth_to_local rules, if this default conversion is not what's desired.

Here's an example, from http://web.mit.edu/kerberos/krb5-1.4/krb5-1.4.1/doc/krb5-admin/realms--krb5.conf-.html

    [realms]
        ATHENA.MIT.EDU = {
            auth_to_local = {
                RULE:[2:$1](johndoe)s/^.*$/guest/
                RULE:[2:$1;$2](^.*;admin$)s/;admin$//
                RULE:[2:$2](^.*;root)s/^.*$/root/
                DEFAULT
            }
        }

Date: Tue, 5 Aug 2014 04:55:33 -0700 (PDT)
From: amit
Subject: Re: SSO Application needs username from GSSName (or GSSAPI)
To: krbdev at mit.edu
Message-ID:
Content-Type: text/plain; charset=us-ascii

Thank you Simo & Nico,

Simo, Nico is right about my application.

Please have a look at the following link which talks about realm name in kerberos.
It says that you can have anything as a realm name but when it comes to follow the conventions, realm name should be a domain name in capital letters.
http://web.mit.edu/kerberos/krb5-devel/doc/admin/realm_config.html

So, I am assuming that customers will always follow the conventions of Kerberos and will keep the realm name as the domain name in capital letters.

Again, the following link talks about what restrictions domain names have.
https://www.register.com/policy/domain-extension-rules.rcmx

So, it looks like a domain name can never have an '@' sign in it (which in turn says that a realm name will never have an '@' sign in it).

Cropping the GSSName string with its last index of '@' will give me the username.

Please let me know if I am mistaken somewhere.
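To make the difference between the two approaches concrete, here is an added example (not code from either poster or from MIT krb5) that implements a simplified version of the auth_to_local RULE/DEFAULT evaluation quoted above, beside the "crop at the last '@'" conversion. It assumes a first-match-wins rule order and that the rule selector is an unanchored regular expression unless the rule itself anchors it; the rule strings are the ones from the krb5.conf example.

```python
import re

# Rule list copied from the krb5.conf example quoted in this thread.
RULES = [
    "RULE:[2:$1](johndoe)s/^.*$/guest/",
    "RULE:[2:$1;$2](^.*;admin$)s/;admin$//",
    "RULE:[2:$2](^.*;root)s/^.*$/root/",
    "DEFAULT",
]

# RULE:[n:string](regexp)s/pattern/replacement/[g]  (simplified grammar, assumption)
RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\]\(([^)]*)\)s/(.*?)/(.*?)/(g?)$")

def crop_at_last_at(gss_name):
    """The static conversion proposed in the thread: everything before the
    last '@'.  Note it never checks the realm and keeps the instance."""
    return gss_name.rpartition("@")[0]

def split_principal(name):
    """Split 'comp1/comp2@REALM' into (components, realm); the realm is
    everything after the LAST '@', since '@' cannot appear in a realm name."""
    local, sep, realm = name.rpartition("@")
    if not sep:
        raise ValueError("principal has no realm: %r" % name)
    return local.split("/"), realm

def apply_rule(rule, comps, realm):
    """Return the mapped name if this RULE applies, else None."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("unsupported rule syntax: %r" % rule)
    ncomp, fmt, selector, pattern, repl, gflag = m.groups()
    if len(comps) != int(ncomp):          # rule only applies to n-component names
        return None
    formatted = fmt.replace("$0", realm)  # $0 = realm, $1.. = components (<=9 here)
    for i, comp in enumerate(comps, 1):
        formatted = formatted.replace("$%d" % i, comp)
    if not re.search(selector, formatted):
        return None
    return re.sub(pattern, repl, formatted, count=0 if gflag else 1)

def aname_to_localname(name, default_realm, rules=RULES):
    """First matching rule wins; DEFAULT maps only single-component names
    in the default realm, so a foreign-realm user is rejected, not cropped."""
    comps, realm = split_principal(name)
    for rule in rules:
        if rule == "DEFAULT":
            if realm == default_realm and len(comps) == 1:
                return comps[0]
            continue
        result = apply_rule(rule, comps, realm)
        if result is not None:
            return result
    raise LookupError("no auth_to_local rule maps %r" % name)
```

Compare `crop_at_last_at("joe/admin@ATHENA.MIT.EDU")`, which yields "joe/admin", with the rule-based mapping, which yields "joe", and note that "bob@OTHER.EXAMPLE" crops to "bob" but is refused by the rules.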