On 13 Oct, 17:28, Chris Cowley <chriscowleyso...@googlemail.com> wrote:
> Hello all
>
> I am trying to tweak my mod_auth_kerb setup. Currently it works
> nicely, I am able to authenticate to web pages on our intranet and
> everything is dandy.
>
> The problem I am having is the contents of Apache's REMOTE_USER
> variable. Currently it has my REALM on the end, which I do not want. I
> have upgraded to mod_auth_kerb 5.4 which introduced a
> "KrbLocalUserMapping" option. As you can see in the log below it is
> rewriting my principal, but then I am not found in AD. The value I am
> being re-written to matches my sAMAccountName, so it should be found.
>
> [Tue Oct 13 17:13:26 2009] [debug] src/mod_auth_kerb.c(1578): [client 172.19.77.8] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
> [Tue Oct 13 17:13:26 2009] [debug] src/mod_auth_kerb.c(1213): [client 172.19.77.8] Acquiring creds for HTTP/svn.snellwilcox.local
> [Tue Oct 13 17:13:26 2009] [debug] src/mod_auth_kerb.c(1335): [client 172.19.77.8] Verifying client data using KRB5 GSS-API
> [Tue Oct 13 17:13:26 2009] [debug] src/mod_auth_kerb.c(1351): [client 172.19.77.8] Client didn't delegate us their credential
> [Tue Oct 13 17:13:26 2009] [debug] src/mod_auth_kerb.c(1370): [client 172.19.77.8] GSS-API token of length 161 bytes will be sent back
> [Tue Oct 13 17:13:26 2009] [debug] src/mod_auth_kerb.c(1484): [client 172.19.77.8] kerb_authenticate_a_name_to_local_name chriscow...@snellwilcox.local -> ChrisCowley
> [Tue Oct 13 17:13:26 2009] [debug] mod_authnz_ldap.c(561): [client 172.19.77.8] ldap authorize: Creating LDAP req structure
> [Tue Oct 13 17:13:26 2009] [debug] mod_authnz_ldap.c(573): [client 172.19.77.8] auth_ldap authorise: User DN not found, User not found
>
> http.conf:
>
>     AuthType Kerberos
>     AuthName "Subversion - use your SNELLWILCOX domain login (as used to log in to Windows"
>     Krb5Keytab /etc/kerberos/svn.keytab
>     KrbVerifyKDC On
>     KrbMethodNegotiate On
>     KrbMethodK5Passwd On
>     KrbAuthRealms SNELLWILCOX.LOCAL
>     KrbLocalUserMapping on
>
>     AuthLDAPBindDN <binddn>
>     AuthLDAPBindPassword <password>
>     AuthLDAPURL ldap://<windoze_dn>/OU=SnellWilcox,DC=snellwilcox,DC=local?userPrincipalName,sAMAccountName,mail,displayname,cn?sub?(objectClass=*)
>
>     require ldap-attribute msSFU30PosixMemberOf="CN=SG_Linux_CVS_IT,OU=Linux Authentication Groups,OU=Security Groups,OU=SnellWilcox,DC=snellwilcox,DC=local"
Also, if anyone has a better way to do it (mod_rewrite) that would be considered.

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
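An added example, not part of the original message or of mod_auth_kerb/mod_authnz_ldap itself: mod_authnz_ldap matches the (already rewritten) REMOTE_USER only against the first attribute in the AuthLDAPURL attribute list, so with userPrincipalName listed first the lookup for the short name ChrisCowley cannot match. On the assumption that this is the cause of the "User not found" above, the snippet keeps the posted Kerberos directives and puts sAMAccountName first; the hostname, bind DN and password stay as placeholders from the post.

```apache
# Added example (not from the original post). With KrbLocalUserMapping on,
# REMOTE_USER is the local short name (ChrisCowley). mod_authnz_ldap builds
# its search filter from the FIRST attribute in the AuthLDAPURL list only;
# the remaining attributes are just fetched into the environment.

# As posted: filter becomes (&(userPrincipalName=ChrisCowley)(objectClass=*))
# and never matches, because the UPN carries the realm suffix.
#AuthLDAPURL "ldap://<windoze_dn>/OU=SnellWilcox,DC=snellwilcox,DC=local?userPrincipalName,sAMAccountName,mail,displayname,cn?sub?(objectClass=*)"

AuthType Kerberos
AuthName "Subversion - use your SNELLWILCOX domain login (as used to log in to Windows)"
Krb5Keytab /etc/kerberos/svn.keytab
KrbVerifyKDC On
KrbMethodNegotiate On
KrbMethodK5Passwd On
KrbAuthRealms SNELLWILCOX.LOCAL
KrbLocalUserMapping on

AuthLDAPBindDN <binddn>
AuthLDAPBindPassword <password>
# Corrected: match on sAMAccountName; userPrincipalName is still fetched.
# The filter is narrowed to objectClass=user so only account objects match.
AuthLDAPURL "ldap://<windoze_dn>/OU=SnellWilcox,DC=snellwilcox,DC=local?sAMAccountName,userPrincipalName,mail,displayname,cn?sub?(objectClass=user)"

Require ldap-attribute msSFU30PosixMemberOf="CN=SG_Linux_CVS_IT,OU=Linux Authentication Groups,OU=Security Groups,OU=SnellWilcox,DC=snellwilcox,DC=local"
```

With this change the LDAP debug line should report the user's DN being found rather than "User DN not found"; if it still fails, check that the KrbLocalUserMapping output in the log matches the account's sAMAccountName exactly.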