question on auth_to_user
daemon@ATHENA.MIT.EDU (Kyley Engle)
Thu May 20 15:26:28 2010
Message-ID: <SNT102-DS1342933FBFABEBA5CE8AD897E30@phx.gbl>
From: "Kyley Engle" <kyley_engle@hotmail.com>
To: <kerberos@mit.edu>
Date: Thu, 20 May 2010 12:26:22 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
I'm trying to set up rules using the auth_to_user option inside of a realm definition in my krb5.conf file. I've not had any luck finding good, accurate documentation on that option. Basically, I need my host principals to authenticate without having them in the local password file.
What the principal ends up looking like to my apache server is class;fqdn, which fails authentication.
What I am trying to do is:
host/fqdn@REALM.COM should get translated to just fqdn, which can then authenticate just fine.
class/fqdn@REALM.COM should get translated to class/fqdn, basically just dropping the realm portion.
Using this, I can munge the host principal the way I want:
[realms]
REALM.COM = {
kdc-1
kdc-2
auth_to_local = RULE:[2:$1;$2](^host;.*$)s/^host;//
auth_to_local = DEFAULT
}
However, if I try something like:
auth_to_local = RULE:[2:$1/$2](^.*;.*$)
it doesn't work. The / is the usual reserved character, and there does not seem to be a way to escape it. Any suggestions? Or am I approaching this in the wrong way?
-kyley
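To make it easier to see what the rules in the post actually do, here is a small Python model of MIT-style auth_to_local RULE evaluation. This is an added example, not code from the post or from MIT krb5; it reimplements the documented rule semantics (the number of components must match n, $0 is the realm and $1..$n are the components, the formatted string must match the regex as a whole, then the optional s/// substitution runs, and DEFAULT maps a single-component principal in the local realm to that component) in a simplified parser that does not handle parentheses inside the regex or escaped slashes in the format string. The principals and the REALM.COM local realm are constructed test values.

```python
import re

# Simplified model of MIT krb5 auth_to_local semantics (assumption: this
# mirrors the documented behaviour, it is not MIT's parser).
RULE_RE = re.compile(r'RULE:\[(\d+):([^\]]*)\]\(([^)]*)\)(.*)')
SUBST_RE = re.compile(r's/((?:\\.|[^/])*)/((?:\\.|[^/])*)/(g?)')


def split_principal(principal):
    """'host/fqdn@REALM' -> (['host', 'fqdn'], 'REALM')."""
    name, _, realm = principal.rpartition('@')
    return name.split('/'), realm


def parse_rule(rule):
    """Parse 'RULE:[n:format](regex)s/pat/repl/[g]' into its parts."""
    m = RULE_RE.fullmatch(rule)
    if m is None:
        raise ValueError('malformed rule: %r' % rule)
    n, fmt, regex, rest = m.groups()
    subst = None
    if rest:
        sm = SUBST_RE.fullmatch(rest)
        if sm is None:
            raise ValueError('malformed substitution: %r' % rest)
        subst = (sm.group(1), sm.group(2), sm.group(3) == 'g')
    return int(n), fmt, regex, subst


def apply_rule(rule, principal):
    """Return the local name produced by one RULE, or None if it does not apply."""
    n, fmt, regex, subst = parse_rule(rule)
    comps, realm = split_principal(principal)
    if len(comps) != n:            # rule only applies to n-component names
        return None
    values = {'0': realm}
    values.update({str(i + 1): c for i, c in enumerate(comps)})
    formatted = re.sub(r'\$(\d+)', lambda m: values.get(m.group(1), ''), fmt)
    # Assumption: the regex must match the whole formatted string.
    if re.fullmatch(regex, formatted) is None:
        return None
    if subst is not None:
        pat, repl, everywhere = subst
        formatted = re.sub(pat, repl, formatted, count=0 if everywhere else 1)
    return formatted


def apply_default(principal, local_realm):
    """DEFAULT: single-component principal in the local realm -> that component."""
    comps, realm = split_principal(principal)
    if realm == local_realm and len(comps) == 1:
        return comps[0]
    return None


def map_principal(rules, principal, local_realm):
    """Evaluate the rules in order, like the auth_to_local list in krb5.conf."""
    for rule in rules:
        if rule == 'DEFAULT':
            result = apply_default(principal, local_realm)
        elif rule.startswith('RULE:'):
            result = apply_rule(rule, principal)
        else:
            raise ValueError('unsupported auth_to_local entry: %r' % rule)
        if result is not None:
            return result
    return None


# The rule list from the post, for the constructed local realm REALM.COM.
POSTED_RULES = [
    'RULE:[2:$1;$2](^host;.*$)s/^host;//',
    'DEFAULT',
]

# Variant that pins the realm via $0, so host principals from another realm
# (e.g. via a cross-realm trust) do not map to a local account.
REALM_PINNED_RULES = [
    'RULE:[2:$0;$1;$2](^REALM\\.COM;host;.*$)s/^REALM\\.COM;host;//',
    'DEFAULT',
]

if __name__ == '__main__':
    for p in ('host/www.example.com@REALM.COM', 'class/www.example.com@REALM.COM',
              'kyley@REALM.COM', 'host/www.example.com@OTHER.COM'):
        print(p, '->', map_principal(POSTED_RULES, p, 'REALM.COM'),
              '| pinned:', map_principal(REALM_PINNED_RULES, p, 'REALM.COM'))
```

Running it shows the host principal mapping to the bare fqdn as the post wants, the class/fqdn principal falling through both rules unmapped (which is the remaining problem in the post), and, with the posted rule, a host principal from any realm being accepted because the rule never looks at $0; the realm-pinned variant closes that gap.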
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos