Hello all. I am unsure how to get krb5_aname_to_localname to function appropriately with the KrbLocalUserMapping directive of apache's mod_auth_kerb.
It does do some transformation, converting to lowercase. However the realm part is not stripped off. Example output from apache error_log: [Thu Jan 25 11:53:33.969841 2018] [auth_kerb:debug] [pid 2176] src/mod_auth_kerb.c(1855): [client 192.168.254.170:65016] kerb_authenticate_a_name_to_local_name [email protected] -> [email protected] (All other examples I found on this list and elsewhere have output of format: ... [email protected] -> Test123 ) I have tried experimenting with auth_to_local tags in the [realms] sections of /etc/krb5.conf, but could see no evidence of the rules being invoked. i.e. Same output in the apache error log regardless. This then appears to get passed on for use in subsequent ldap authorisations (apache mod_authnz_ldap). This does not work for us as we need to authorise against stripped user names (Active Directory sAMAccount or similar; our userPrincipalName is a different format: [email protected], so can't workaround using that). Grateful for any advice, Ewae. ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
