[36374] in Kerberos
Re: libapache2-mod-auth-kerb and cross-realm
daemon@ATHENA.MIT.EDU (Jaap Winius)
Thu Aug 14 09:30:21 2014
To: kerberos@mit.edu
From: Jaap Winius <jwinius@umrk.nl>
Date: Thu, 14 Aug 2014 13:29:38 +0000 (UTC)
Message-ID: <lsidk2$3q1$1@ger.gmane.org>

On Wed, 13 Aug 2014 23:07:03 -0400, Greg Hudson wrote:

> So you need something like:
>
> [realms]
>     EXAMPLE.COM = {
>         auth_to_local = RULE:[1:$1@$0](.*@MYREALM.COM)s/@MYREALM.COM$//
>         auth_to_local = DEFAULT
>     }

Amazing, it works! Greg, you're a genius... or just happen to know these
things. I would never have come up with this on my own. Although I did
encounter an example of someone using $0, they were doing something else
with it and perhaps I didn't understand enough of what was going on.

Some other notes. Regarding the Apache configuration, for this to work I
don't have to include MYREALM.COM in the KrbAuthRealms list -- just the
default realm. No realm name parts in the 'require user' list either.

Lastly, I was initially afraid that this would affect Kerberos
authentication for other services, such as SSH, but apparently not, so
I'm thus far very pleased with this configuration.

Thanks, Greg, and Russ!

Cheers,

Jaap
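
An added example, not part of the thread and not MIT krb5's own code: a simplified Python model of how the two auth_to_local values quoted above turn a principal into a local user name, useful for checking which principals end up as which name before relying on a 'require user' list. Assumptions: EXAMPLE.COM is the default realm as in the quoted snippet, Python's re module stands in for the POSIX regular expressions krb5 uses, principal escaping is ignored, and the sample principals are constructed.

```python
import re

DEFAULT_REALM = "EXAMPLE.COM"  # assumed default realm, as in the quoted [realms] section

# The two values from the quoted krb5.conf snippet, in the order they are tried.
AUTH_TO_LOCAL = [
    r"RULE:[1:$1@$0](.*@MYREALM.COM)s/@MYREALM.COM$//",
    "DEFAULT",
]
RULE_RE = re.compile(r"RULE:\[(\d+):([^\]]*)\](?:\((.*?)\))?((?:s/[^/]*/[^/]*/g?)*)$")
SED_RE = re.compile(r"s/([^/]*)/([^/]*)/(g?)")

def split_principal(principal):
    """Split 'comp1/comp2@REALM' into ([components], realm); no escape handling."""
    name, _, realm = principal.rpartition("@")
    return name.split("/"), realm

def apply_rule(rule, components, realm):
    """Return the local name this rule yields, or None if the rule does not apply."""
    if rule == "DEFAULT":
        # DEFAULT maps only single-component principals in the default realm.
        if len(components) == 1 and realm == DEFAULT_REALM:
            return components[0]
        return None
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("rule form not handled by this model: " + rule)
    count, fmt, regexp, seds = m.groups()
    if len(components) != int(count):  # [1:...] requires exactly one component
        return None
    parts = [realm] + components  # $0 is the realm, $1.. are the components
    selection = re.sub(r"\$(\d)", lambda d: parts[int(d.group(1))], fmt)
    if regexp and not re.fullmatch(regexp, selection):  # must match the whole string
        return None
    for pat, repl, flag in SED_RE.findall(seds):
        selection = re.sub(pat, repl, selection, count=0 if flag else 1)
    return selection

def to_local(principal):
    """First rule that applies wins; None means no local name (mapping fails)."""
    components, realm = split_principal(principal)
    for rule in AUTH_TO_LOCAL:
        local = apply_rule(rule, components, realm)
        if local is not None:
            return local
    return None

if __name__ == "__main__":
    for p in ["alice@MYREALM.COM", "alice@EXAMPLE.COM", "alice/admin@MYREALM.COM"]:  # constructed
        print(p, "->", to_local(p))
```

Both alice@MYREALM.COM and alice@EXAMPLE.COM come out as "alice", so a realm-less 'require user' entry cannot tell the two realms apart. The dots in the rule's patterns are regex wildcards; MYREALM\.COM makes the match literal.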