Petr Grolmus <i...@civ.zcu.cz> writes:

> we would love to upgrade our WebKDC login servers to version 4.x. In our
> current version (3.7.1-2) we have a small patch that overloads
> authentication by REMOTE_USER for personal certificate
> authentication. The patch parses the certificate, makes sure that the certificate
> is issued by a proper CA and sets the username with realm as
> REMOTE_USER. The change is made in a subroutine "add_remuser_token" in
> WebLogin.pm. This works fine and we are satisfied with it.

> If I make any changes in this subroutine in a new version of WebKDC
> (debian package 4.1.0-1) nothing happens... Even if I add just at the
> very beginning of the subroutine
>
> print STDERR "Yep, I'm here\n";
>
> nothing is shown in the server log... In webkdc.conf the use of REMOTE_USER
> is permitted:
>
> our $HONOR_REMOTE_USER = 1;
> our $REMUSER_ENABLED = 1;

Presumably you also have $WEBKDC_PRINCIPAL set.

Could you have a KRB5CCNAME environment variable set for the Apache process? If so, it's going to call add_proxy_token instead of add_remuser_token. My guess is that's what's happening.

Incidentally, I'd kind of like to fix this so that you don't have to patch the code. If I gave you a callback that you could define in the WebLogin configuration file that would be called whenever you saw a REMOTE_USER authentication and would either return the identity for which to create a webkdc-proxy token or die to throw a fatal error, would that let you be able to do this entirely in configuration?

-- 
Russ Allbery <ea...@windlord.stanford.edu>
Technical Lead, ITS Infrastructure Delivery Group, Stanford University
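The two things discussed in this exchange, the certificate check Petr's patch performs and the dispatch Russ describes (KRB5CCNAME in Apache's environment routes the login through add_proxy_token rather than add_remuser_token), as an added example that is not part of the thread and not WebAuth's code. WebLogin is Perl; this models the logic in Python so it can be exercised stand-alone. `remuser_identity`, `choose_token_path`, the trusted-issuer DN and the realm are assumptions chosen for illustration; the `SSL_CLIENT_*` names are the standard mod_ssl environment variables that an Apache-fronted login page would see.

```python
import re

# Constructed values for the example: the issuer DN of the CA whose
# personal certificates are accepted, and the Kerberos realm to append.
TRUSTED_ISSUERS = frozenset({
    "CN=Example Personal CA,O=Example University,C=CZ",
})
REALM = "EXAMPLE.ORG"

# Only plain principal names are mapped; anything else is rejected rather
# than passed through to the WebKDC.
PRINCIPAL_RE = re.compile(r"^[a-z0-9][a-z0-9._-]{0,63}$")


class RemuserRejected(Exception):
    """Raised where the proposed Perl callback would die()."""


def remuser_identity(env):
    """Model of the proposed configuration callback (hypothetical name).

    Given the CGI environment Apache hands the login script, return the
    identity 'user@REALM' to issue a webkdc-proxy token for, or raise.
    mod_ssl exposes the client-certificate verification result and the
    issuer / subject DN fields as SSL_CLIENT_* variables.
    """
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        raise RemuserRejected("client certificate not verified by Apache")
    issuer = env.get("SSL_CLIENT_I_DN", "")
    if issuer not in TRUSTED_ISSUERS:
        # "issued by a proper CA": the issuer must be on the allow-list,
        # not merely chain to something in Apache's CA bundle.
        raise RemuserRejected("certificate issuer not trusted: %r" % issuer)
    cn = env.get("SSL_CLIENT_S_DN_CN", "")
    if not PRINCIPAL_RE.match(cn):
        raise RemuserRejected("subject CN is not a usable principal: %r" % cn)
    return "%s@%s" % (cn, REALM)


def choose_token_path(env, config):
    """Mirror the dispatch Russ describes for a REMOTE_USER login.

    config holds the webkdc.conf flags from the thread. A KRB5CCNAME in the
    Apache process environment takes precedence, which is why edits to
    add_remuser_token appear to do nothing in that setup.
    """
    if env.get("KRB5CCNAME"):
        return "add_proxy_token"
    if (config.get("HONOR_REMOTE_USER") and config.get("REMUSER_ENABLED")
            and env.get("REMOTE_USER")):
        return "add_remuser_token"
    return None  # fall back to the ordinary password login form


if __name__ == "__main__":
    # Constructed environment resembling what mod_ssl would set.
    sample_env = {
        "SSL_CLIENT_VERIFY": "SUCCESS",
        "SSL_CLIENT_I_DN": "CN=Example Personal CA,O=Example University,C=CZ",
        "SSL_CLIENT_S_DN_CN": "grolmus",
        "REMOTE_USER": "grolmus",
    }
    sample_config = {"HONOR_REMOTE_USER": 1, "REMUSER_ENABLED": 1}
    print(choose_token_path(sample_env, sample_config))
    print(remuser_identity(sample_env))
```

Running the block with `KRB5CCNAME` added to `sample_env` shows the path flip to `add_proxy_token`, which is the symptom Petr reports; the issuer allow-list is the check a reviewer would want before trusting a certificate-derived `REMOTE_USER` at all.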