On Thu, 2014-08-14 at 13:29 +0000, Jaap Winius wrote:
> On Wed, 13 Aug 2014 23:07:03 -0400, Greg Hudson wrote:
>
> > So you need something like:
> >
> > [realms]
> > EXAMPLE.COM = {
> > auth_to_local = RULE:[1:$1@$0](.*@MYREALM.COM)s/@MYREALM.COM$//
> > auth_to_local = DEFAULT
> > }
>
> Amazing, it works! Greg, you're a genius... or just happen to know these
> things. I would never have come up with this on my own. Although I did
> encounter an example of someone using $0, they were doing something else
> with it and perhaps I didn't understand enough of what was going on.
>
> Some other notes. Regarding the Apache configuration, for this to work I
> don't have to include MYREALM.COM in the KrbAuthRealms list -- just the
> default realm. No realm name parts in the 'require user' list either.
>
> Lastly, I was initially afraid that this would affect Kerberos
> authentication for other services, such as SSH, but apparently not, so
> I'm thus far very pleased with this configuration.
>
> Thanks, Greg, and Russ!
Keep in mind that this will make foo@EXAMPLE.COM and foo@MYREALM.COM
effectively the same user for all applications (including Apache and
SSH).
If you do not want that, what you can do is change the first line to
something like:
auth_to_local = RULE:[1:$1@$0](.*@MYREALM.COM)s/^\(.*\)@MYREALM.COM$/myrealm-\1/
or:
auth_to_local = RULE:[1:$1@$0](.*@MYREALM.COM)s/@MYREALM.COM$/@myrealm.com/
(hopefully got the replaces right :-)
This would result in:
foo@EXAMPLE.COM -> foo
foo@MYREALM.COM -> myrealm-foo [or foo@myrealm.com]
So you can distinguish between the 2 users.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
________________________________________________
Kerberos mailing list kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
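To see the collision Simo points out, and how his variant avoids it, here is a small model of auth_to_local rule evaluation written for this thread (added example, not code from MIT krb5 or from either poster). It assumes Python `re` syntax for the selector and `s///` parts (so Simo's `\(.*\)` grouping is written `(.*)`), that rules are tried in order with the first producing a name winning, and that DEFAULT only maps single-component principals of the default realm.

```python
import re

# Rule shape: RULE:[n:format](selector)s/pattern/replacement/[g]
# $0 in the format is the realm, $1..$n are the principal components.
RULE_RE = re.compile(r'^RULE:\[(\d+):([^\]]*)\](?:\((.*?)\))?(.*)$')

def apply_rule(rule, principal, default_realm):
    """Return the local name produced by one rule, or None if it does not apply."""
    name, realm = principal.rsplit('@', 1)
    comps = name.split('/')
    if rule == 'DEFAULT':
        # Assumed DEFAULT semantics: single-component principal in the default realm.
        return comps[0] if realm == default_realm and len(comps) == 1 else None
    m = RULE_RE.match(rule)
    if m is None:
        raise ValueError(f'unsupported rule: {rule}')
    ncomp, fmt, selector, sed = m.groups()
    if len(comps) != int(ncomp):
        return None
    # Build the candidate string from the format, e.g. "$1@$0" -> "foo@MYREALM.COM".
    cand = fmt.replace('$0', realm)
    for i, c in enumerate(comps, start=1):
        cand = cand.replace(f'${i}', c)
    if selector and re.fullmatch(selector, cand) is None:
        return None
    if sed:
        # s/pattern/replacement/[g]; escaped slashes are not supported in this model.
        _, pattern, repl, flags = sed.split('/')
        cand = re.sub(pattern, repl, cand, count=0 if 'g' in flags else 1)
    return cand

def auth_to_local(rules, principal, default_realm='EXAMPLE.COM'):
    """First rule that yields a local name wins; None means no mapping."""
    for rule in rules:
        local = apply_rule(rule, principal, default_realm)
        if local is not None:
            return local
    return None

# Greg's rules: "foo" from both realms collapses onto the same local user.
GREG = ['RULE:[1:$1@$0](.*@MYREALM.COM)s/@MYREALM.COM$//', 'DEFAULT']
# Simo's variant: MYREALM.COM users get a distinguishable local name.
SIMO = [r'RULE:[1:$1@$0](.*@MYREALM.COM)s/^(.*)@MYREALM.COM$/myrealm-\1/', 'DEFAULT']

if __name__ == '__main__':
    for p in ('foo@EXAMPLE.COM', 'foo@MYREALM.COM', 'host/web@MYREALM.COM'):
        print(f'{p:22} Greg: {auth_to_local(GREG, p)!s:12} Simo: {auth_to_local(SIMO, p)}')
```

Multi-component principals (host/web@MYREALM.COM) fall through both rule sets because the `[1:...]` rule and DEFAULT require exactly one component, so service principals get no local mapping.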