On Fri, 2017-12-01 at 11:15 -0800, Gordon Messmer via FreeIPA-users
wrote:
> On 12/01/2017 09:52 AM, Simo Sorce via FreeIPA-users wrote:
> > gssproxy does not use libidmapd because it is not thread safe (among
> > other issues), it is also not needed, because you can control mapping
> > in auth_to_local in krb5.conf and that place is the correct place to
> > deal with identity mapping when kerberos is involved.
> 
> 
> Not sure if I'm doing this right, but that doesn't work for me, either:
> 
> [realms]
>    EXAMPLE.NET = {
>      pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
>      pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
>      auth_to_local = RULE:[2:$1](daemon)s/^.*$/daemon/
>      auto_to_local = DEFAULT
>    }
> 
> 
> Client's default principal is 
> daemon/application-2017111901.example....@example.net

I think what you want is something like:
RULE:[2:$1@$0](dae...@example.net)s/.*//


Note, this will map any daemon/<arbitrary>@REALM principals to the
local 'daemon' user, be sure that's ok.

This is a decent guide to better understand what can be done with
auth_to_local:
https://community.hortonworks.com/articles/14463/auth-to-local-rules-syntax.html

HTH,
Simo.

-- 
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
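Added example, not from the thread or from any krb5 code: a small Python evaluator for auth_to_local entries following the semantics documented for krb5.conf (`[n:string]` requires exactly n components, `$0` is the realm, `$1..$n` the components, then the optional `(regexp)` selector and the `s/pattern/replacement/[g]` substitution), run against the principal shape from the thread. Assumptions: the selector regex must match the whole formatted string (as MIT krb5 does), escaped slashes inside the sed part are not handled, and the realm-qualified rule below is a constructed one that writes `daemon` as the replacement.

```python
import re

# Constructed sample values in the shape used in the thread (realm uppercased as Kerberos does).
DEFAULT_REALM = "EXAMPLE.NET"
PRINCIPAL = "daemon/application-2017111901.example.net@EXAMPLE.NET"
# Constructed auth_to_local list: realm-qualified daemon rule first, DEFAULT for plain users.
RULES = ["RULE:[2:$1@$0](daemon@EXAMPLE.NET)s/.*/daemon/", "DEFAULT"]

# RULE:[n:string](regexp)s/pattern/replacement/g ; the selector is optional.
_RULE = re.compile(r"RULE:\[(\d+):([^\]]*)\](?:\((.*)\))?s/(.*)/(.*)/(g?)")


def split_principal(principal):
    """Split 'a/b@REALM' into (['a', 'b'], 'REALM'); assumes a realm-qualified name."""
    name, _, realm = principal.rpartition("@")
    return name.split("/"), realm


def apply_rule(rule, principal, default_realm=DEFAULT_REALM):
    """Return the local name one auth_to_local entry yields, or None if it does not match."""
    comps, realm = split_principal(principal)
    if rule == "DEFAULT":
        # DEFAULT maps only single-component principals in the default realm.
        return comps[0] if len(comps) == 1 and realm == default_realm else None
    m = _RULE.fullmatch(rule)
    if m is None:
        raise ValueError(f"unsupported auth_to_local entry: {rule!r}")
    n, fmt, selector, pattern, repl, flag = m.groups()
    if len(comps) != int(n):
        return None  # component count must match exactly

    def expand(v):  # $0 -> realm, $k -> k-th component
        k = int(v.group(1))
        return realm if k == 0 else comps[k - 1]

    formatted = re.sub(r"\$(\d+)", expand, fmt)
    # Assumption: selector must match the entire formatted string, as MIT krb5 requires.
    if selector is not None and re.fullmatch(selector, formatted) is None:
        return None
    return re.sub(pattern, repl, formatted, count=0 if flag == "g" else 1)


def map_principal(rules, principal, default_realm=DEFAULT_REALM):
    """Walk the auth_to_local list in order; the first matching entry wins."""
    for rule in rules:
        name = apply_rule(rule, principal, default_realm)
        if name is not None:
            return name
    return None


if __name__ == "__main__":
    for p in (PRINCIPAL, "daemon/other-host@EXAMPLE.NET", "host/box@EXAMPLE.NET", "alice@EXAMPLE.NET"):
        print(f"{p} -> {map_principal(RULES, p)}")
```

Note how every daemon/<anything>@EXAMPLE.NET maps to the same local user, which is the side effect Simo warns about; a principal with another first component or another realm gets no mapping at all.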