Re: mod_auth_kerb and heimdal: is there a way to remove the @MY.RELM from the end of a user name when the user is authenticated?
On May 1, 2008, at 5:43 PM, Scott Grizzard wrote:
> Here's the problem:
>
> We use Trac to manage our software development. Currently, we use
> mod_authnz_ldap to authenticate the users against the LDAP directory
> before they can access the intranet. Trac uses the username returned by
> Apache as the user that is "logged in".
>
> We have migrated on to Heimdal, and want to use mod_auth_kerb to do
> authentication for Trac (and Subversion).
>
> The issue that I am having is this: when I authenticate using
> mod_auth_kerb, the username passed to Apache, and then to Trac, is
> "username@MY.RELM" instead of just "username". Is there any way to tell
> Apache to only return the first portion of the principal name without
> returning the realm name?
The mod_auth_kerb list is a better place for this question. Here's a
relevant message from earlier this year:
On Jan 8, 2008, at 9:18 PM, Rob Riggs wrote:
> Hi all,
>
> This is the result of the discussion we had a couple of weeks ago.
> This patch adds a "Krb5AuthToLocal" directive (defaults to off) that
> will enable Kerberos V5 auth_to_local mapping in the mod_auth_kerb
> module. This patch is against the patched mod_auth_kerb that is
> part of Fedora 8.
>
> I would like to strongly encourage its adoption into the mainline of
> mod_auth_kerb. This patch is released to the public domain.
>
> Kindest Regards,
>
> Rob
> --- mod_auth_kerb-5.3/src/mod_auth_kerb.c.auth_to_local 2008-01-08
> 21:41:16.000000000 -0700
> +++ mod_auth_kerb-5.3/src/mod_auth_kerb.c 2008-01-08
> 21:47:30.000000000 -0700
> @@ -168,6 +168,7 @@
> char *krb_5_keytab;
> int krb_method_gssapi;
> int krb_method_k5pass;
> + int krb5_auth_to_local;
> #endif
> #ifdef KRB4
> char *krb_4_srvtab;
> @@ -230,6 +231,9 @@
>
> command("KrbMethodK5Passwd", ap_set_flag_slot, krb_method_k5pass,
> FLAG, "Enable Kerberos V5 password authentication."),
> +
> + command("Krb5AuthToLocal", ap_set_flag_slot, krb5_auth_to_local,
> + FLAG, "Enable Kerberos V5 auth_to_local mapping."),
> #endif
>
> #ifdef KRB4
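Review bot: the help string for Krb5AuthToLocal undersells what the flag does. With it on, do_krb5_an_to_ln() also runs krb5_kuserok() and answers HTTP_UNAUTHORIZED when the mapped local user is not permitted, so turning the directive on changes the authorization outcome, not just the spelling of r->user. Say so in the string and in the module's directive documentation, e.g. "Map the authenticated principal to a local user via auth_to_local and reject the request if krb5_kuserok() denies it."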
> @@ -298,6 +302,7 @@
> #ifdef KRB5
> ((kerb_auth_config *)rec)->krb_method_k5pass = 1;
> ((kerb_auth_config *)rec)->krb_method_gssapi = 1;
> + ((kerb_auth_config *)rec)->krb5_auth_to_local = 0;
> #endif
> #ifdef KRB4
> ((kerb_auth_config *)rec)->krb_method_k4pass = 1;
> @@ -722,6 +727,78 @@
> }
>
> static int
> +do_krb5_an_to_ln(request_rec *r, const kerb_auth_config *conf,
> MK_POOL *p)
> +{
> + const int lname_size = 1024;
> +
> + krb5_context kcontext;
> + krb5_principal princ;
> + krb5_error_code code;
> + char lname[lname_size];
> + int ret;
> +
> + if (!conf->krb5_auth_to_local) {
> + return OK;
> + }
> +
> + ret = HTTP_INTERNAL_SERVER_ERROR;
> +
> + code = krb5_init_context(&kcontext);
> + if (code) {
> + log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
> + "Cannot initialize Kerberos5 context (%d)", code);
> + return HTTP_INTERNAL_SERVER_ERROR;
> + }
> +
> + code = krb5_parse_name(kcontext, MK_USER, &princ);
> + if (code) {
> + log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
> + "krb5_parse_name() failed for name %s: %s",
> + MK_USER,
> + krb5_get_err_text(kcontext, code));
> + krb5_free_context(kcontext);
> + return HTTP_INTERNAL_SERVER_ERROR;
> + }
> +
> + code = krb5_aname_to_localname(kcontext, princ, sizeof(lname),
> lname);
> + if (code) {
> + if (code != KRB5_LNAME_NOTRANS) {
> + log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
> + "krb5_aname_to_localname() failed: %s",
> + krb5_get_err_text(kcontext, code));
> + /* fall through */
> + }
> + else {
> + log_rerror(APLOG_MARK, APLOG_NOTICE, 0, r,
> + "krb5_aname_to_localname() found no "
> + "mapping for principal %s",
> + MK_USER);
> + /* fall through */
> + }
> + }
> + else {
> + /* Does this belong in an authz handler? */
> + if (!krb5_kuserok(kcontext, princ, lname)) {
> + log_rerror(APLOG_MARK, APLOG_NOTICE, 0, r,
> + "krb5_kuserok(%s, %s) == false",
> + MK_USER, lname);
> + ret = HTTP_UNAUTHORIZED;
> + }
> + else {
> + log_rerror(APLOG_MARK, APLOG_NOTICE, 0, r,
> + "doing auth_to_local: %s -> %s",
> + MK_USER, lname);
> + MK_USER = apr_pstrdup(p, lname);
> + ret = OK;
> + }
> + }
> + krb5_free_principal(kcontext, princ);
> + krb5_free_context(kcontext);
> +
> + return ret;
> +}
> +
> +static int
> krb5_cache_cleanup(void *data)
> {
> krb5_context context;
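Review bot: when krb5_aname_to_localname() reports no mapping, ret is still HTTP_INTERNAL_SERVER_ERROR, so a correctly authenticated principal that has no local name (a foreign-realm user, say) gets a 500, and the two "/* fall through */" comments describe a path that does not exist: nothing after the if/else chain changes ret. Pick the behaviour deliberately. Failing closed is the right choice here (letting r->user keep the raw "user@REALM" string would defeat the point of the directive), so set `ret = HTTP_UNAUTHORIZED;` in the KRB5_LNAME_NOTRANS branch, keep the 500 for real errors, and drop the comments. Two smaller points: `char lname[lname_size]` with `const int lname_size = 1024;` is a variable-length array in C, not a constant-sized one, so write `char lname[1024]` or use a #define; and krb5_kuserok() is an authorization decision, which answers the in-code question ("Does this belong in an authz handler?") in the affirmative. If it stays in the authn path, document with the directive that it runs there and only when Krb5AuthToLocal is on.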
> @@ -1468,11 +1545,17 @@
>
> #ifdef KRB5
> if (use_krb5 && conf->krb_method_gssapi &&
> - strcasecmp(auth_type, MECH_NEGOTIATE) == 0) {
> - ret = authenticate_user_gss(r, conf, auth_line,
> &negotiate_ret_value);
> + strcasecmp(auth_type, MECH_NEGOTIATE) == 0) {
> + ret = authenticate_user_gss(r, conf, auth_line,
> &negotiate_ret_value);
> + if (ret == OK) {
> + ret = do_krb5_an_to_ln(r, conf, r->connection->pool);
> + }
> } else if (use_krb5 && conf->krb_method_k5pass &&
> - strcasecmp(auth_type, "Basic") == 0) {
> - ret = authenticate_user_krb5pwd(r, conf, auth_line);
> + strcasecmp(auth_type, "Basic") == 0) {
> + ret = authenticate_user_krb5pwd(r, conf, auth_line);
> + if (ret == OK) {
> + ret = do_krb5_an_to_ln(r, conf, r->pool);
> + }
> }
> #endif
>
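Review bot: the two call sites pass different pools: the GSSAPI path hands r->connection->pool to do_krb5_an_to_ln(), the Basic path hands r->pool. MK_USER is per request, so the copy made with apr_pstrdup() from the connection pool outlives the request and accumulates for the life of a keep-alive connection. Use r->pool in both places unless authenticate_user_gss() already allocates r->user from the connection pool for a reason not visible here, in which case say why in a comment. Also, the re-indented `strcasecmp(auth_type, ...)` and `ret = authenticate_user_*(...)` lines are whitespace-only changes that make the hunk look larger than it is; leave them alone or move them to a separate cleanup patch.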
> modauthkerb-help mailing list
> modauthkerb-help@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/modauthkerb-help
------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
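An added illustration of the point the thread turns on, not code from mod_auth_kerb, Heimdal or MIT krb5: what the question asks for (chop "@REALM" off r->user) beside a minimal fail-closed mapping of the kind krb5_aname_to_localname() with auth_to_local rules provides. It is plain C with no libkrb5 dependency; the function names, buffer sizes and the character policy for local names are this example's own assumptions. The mapping rejects foreign realms, multi-component principals, and names that are not safe local account names, so the caller must treat "no mapping" as a rejection rather than fall back to the raw string.

```c
#include <ctype.h>
#include <string.h>

/* Added illustration for this thread, not code from mod_auth_kerb or
 * libkrb5. Two ways to turn the "user@REALM" string that mod_auth_kerb
 * puts in r->user into a local account name: the chop-off-the-realm
 * approach the question asks for, and a minimal fail-closed mapping of
 * the kind krb5_aname_to_localname() + auth_to_local rules provide.
 * Function names, buffer sizes and the local-name character policy are
 * this example's own choices. */

/* The naive answer: drop everything from the last '@' on.
 * "alice@OTHER.REALM" and "alice@MY.REALM" both become "alice", so a
 * principal from any realm the KDC trusts lands in the local alice's
 * Trac session. Returns 0, or -1 if the result does not fit. */
int naive_local_name(const char *princ, char *out, size_t outlen)
{
    const char *at = strrchr(princ, '@');
    size_t n = at ? (size_t)(at - princ) : strlen(princ);

    if (n >= outlen)
        return -1;
    memcpy(out, princ, n);
    out[n] = '\0';
    return 0;
}

/* Split an unparsed principal into name and realm. krb5_unparse_name()
 * escapes '@', '/' and '\' inside a component with a backslash, so the
 * first *unescaped* '@' is the realm separator and only an unescaped '/'
 * separates components. The name is written unescaped; *ncomp receives
 * the component count. Returns 0 on success, -1 on malformed input. */
static int split_principal(const char *princ, char *name, size_t namelen,
                           char *realm, size_t realmlen, int *ncomp)
{
    const char *p = princ;
    size_t i = 0;

    *ncomp = 1;
    for (; *p != '\0'; p++) {
        if (*p == '\\') {
            if (p[1] == '\0')
                return -1;          /* dangling escape */
            p++;                    /* escaped character is literal */
        } else if (*p == '@') {
            break;                  /* realm starts after this */
        } else if (*p == '/') {
            (*ncomp)++;
        }
        if (i + 1 >= namelen)
            return -1;
        name[i++] = *p;
    }
    name[i] = '\0';
    if (*p != '@' || i == 0)
        return -1;                  /* no realm, or empty name */
    p++;
    if (*p == '\0' || strlen(p) >= realmlen)
        return -1;
    if (strpbrk(p, "@/\\") != NULL)
        return -1;                  /* keep the realm comparison simple */
    strcpy(realm, p);
    return 0;
}

/* Fail-closed mapping: a principal maps only if it is in the server's
 * own realm (realm names are case-sensitive), has exactly one component
 * (so alice/admin@MY.REALM does not become alice), and consists of
 * characters safe for a local account name (lowercase only, because
 * Alice@MY.REALM and alice@MY.REALM are different principals).
 * Returns 0 and fills out on success, -1 when there is no mapping; the
 * caller must treat -1 as "reject", never as "use the raw string". */
int safe_local_name(const char *princ, const char *default_realm,
                    char *out, size_t outlen)
{
    char name[256], realm[256];
    int ncomp;
    size_t k;

    if (split_principal(princ, name, sizeof name, realm, sizeof realm,
                        &ncomp) != 0)
        return -1;
    if (strcmp(realm, default_realm) != 0)
        return -1;
    if (ncomp != 1)
        return -1;
    for (k = 0; name[k] != '\0'; k++) {
        unsigned char c = (unsigned char)name[k];
        if (!(islower(c) || isdigit(c) || c == '.' || c == '_' || c == '-'))
            return -1;
    }
    if (strlen(name) >= outlen)
        return -1;
    strcpy(out, name);
    return 0;
}
```

In a real deployment the policy lives in krb5.conf (the [realms] auth_to_local settings that the Krb5AuthToLocal patch above switches on) rather than in module code; the example exists to show why the check has to look at the realm and the component count instead of the position of the last '@'.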