Hello all.

I am unsure how to get krb5_aname_to_localname to function appropriately with 
the KrbLocalUserMapping directive of Apache's mod_auth_kerb.

It does do some transformation, converting to lowercase.  However the realm 
part is not stripped off.
Example output from Apache error_log:

[Thu Jan 25 11:53:33.969841 2018] [auth_kerb:debug] [pid 2176] 
src/mod_auth_kerb.c(1855): [client 192.168.254.170:65016] 
kerb_authenticate_a_name_to_local_name Test123@X.Y.Z -> test123@x.y.z

(All other examples I found on this list and elsewhere have output of format: 
... Test123@X.Y.Z -> Test123 )

I have tried experimenting with auth_to_local tags in the [realms] sections of 
/etc/krb5.conf, but could see no evidence of the rules being invoked, i.e. 
the same output in the Apache error log regardless.

This then appears to get passed on for use in subsequent LDAP authorisations 
(Apache mod_authnz_ldap).  This does not work for us as we need to authorise 
against stripped user names (Active Directory sAMAccount or similar; our 
userPrincipalName is a different format: Test123@Q.Y.Z, so we can't work around 
it using that).

Grateful for any advice,
Ewae.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
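
How an auth_to_local rule of the kind mentioned above is documented to map Test123@X.Y.Z, as an added Python sketch that is not part of the original post and is not libkrb5 or mod_auth_kerb code. The rule string, the default realm and the function name are assumptions, and only a subset of the rule syntax (no nested parentheses, no character translation) is handled.

```python
import re

# Constructed rules of the kind placed under [realms] in /etc/krb5.conf
# (assumption: not taken from the poster's configuration).
SAMPLE_RULES = [r"RULE:[1:$1@$0](.*@X\.Y\.Z)s/@.*//", "DEFAULT"]

# RULE:[n:string](regexp)s/pattern/replacement/g  (regexp and sed parts optional)
RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?((?:s/[^/]*/[^/]*/g?)*)$")
SED_RE = re.compile(r"s/([^/]*)/([^/]*)/(g?)")


def aname_to_localname(principal, rules, default_realm):
    """Return the local name from the first applicable rule, else None."""
    name, _, realm = principal.rpartition("@")
    comps = name.split("/")
    parts = [realm] + comps  # $0 is the realm, $N the Nth component
    for rule in rules:
        if rule == "DEFAULT":
            # DEFAULT applies only to one-component principals in the default realm.
            if len(comps) == 1 and realm == default_realm:
                return name
            continue
        m = RULE_RE.match(rule)
        if not m or int(m.group(1)) != len(comps):
            continue  # unsupported syntax or wrong component count
        # Build the selection string from the [n:string] template.
        sel = re.sub(r"\$(\d)",
                     lambda d: parts[int(d.group(1))] if int(d.group(1)) < len(parts) else "",
                     m.group(2))
        # The regexp, when present, must match the whole selection string.
        if m.group(3) is not None and not re.fullmatch(m.group(3), sel):
            continue
        # Apply each sed-style substitution in order; "g" replaces every match.
        for pat, repl, g in SED_RE.findall(m.group(4)):
            sel = re.sub(pat, lambda _m, r=repl: r, sel, count=0 if g else 1)
        return sel
    return None  # no rule applied: the translation fails


if __name__ == "__main__":
    for p in ("Test123@X.Y.Z", "Test123@Q.Y.Z"):
        print(p, "->", aname_to_localname(p, SAMPLE_RULES, "X.Y.Z"))
```

Neither the rule nor DEFAULT lowercases the name or leaves the realm attached, so a result such as test123@x.y.z is not something these two rule types produce under this model.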
