REMOTE_USER and map_username

Russ Allbery eagle at windlord.stanford.edu
Mon Oct 15 21:06:38 PDT 2012


YANG ChengFu <youngseph at gmail.com> writes:

> I have tried UPN; it works with the following option

> kinit -E firstname.lastname at example.com

> you see "-E     treats the principal name as an enterprise name."

> How can I do the same thing in webauth?

Oh, you have to use enterprise names.  Sadly, there isn't currently an
option to do this in WebAuth, although I think it's fairly easy if you
want to try to patch it.

In lib/krb5.c in webauth_krb5_init_via_password, there is code like:

    /* Initialize arguments and set up ticket cache. */
    code = krb5_parse_name(kc->ctx, username, &kc->princ);
    if (code != 0)
        return error_set(ctx, kc, code, "cannot parse principal %s", username);

If you change that krb5_parse_name to:

    code = krb5_parse_name_flags(kc->ctx, username,
                                 KRB5_PRINCIPAL_PARSE_ENTERPRISE,
                                 &kc->princ);

I *think* that may do what you want.  I've not tested this.  If it does
work, let me know, and I can add this as an option in the next version of
WebAuth.

-- 
Russ Allbery <eagle at windlord.stanford.edu>
Technical Lead, ITS Infrastructure Delivery Group, Stanford University
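
Added example, not part of the original message and not WebAuth or libkrb5 code: a simplified, self-contained C model of how the enterprise parse flag discussed above changes the name/realm split for the UPN from the thread. The names `model_parse` and `struct parsed`, and the realm `AD.EXAMPLE.ORG`, are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

enum { NT_PRINCIPAL = 1, NT_ENTERPRISE = 10 };  /* RFC 4120, RFC 6806 */
struct parsed { int type; char name[128]; char realm[128]; };

/* Simplified model (an assumption, not libkrb5 code). Without the
 * enterprise flag the first unescaped '@' starts the realm. With it, the
 * first '@' stays in the name (stored escaped as "\@") and only a second
 * '@' starts the realm. No realm: use default_realm. 0 on success. */
int model_parse(const char *in, int enterprise, const char *default_realm,
                struct parsed *out)
{
    int keep_at = enterprise;
    const char *realm = NULL;
    size_t n = 0;
    out->type = enterprise ? NT_ENTERPRISE : NT_PRINCIPAL;
    for (const char *p = in; *p != '\0'; p++) {
        if (n + 3 > sizeof(out->name)) return -1;   /* name too long */
        if (*p == '\\' && p[1] != '\0') {    /* keep existing escapes */
            out->name[n++] = *p++;
            out->name[n++] = *p;
        } else if (*p == '@' && !keep_at) {  /* realm separator */
            realm = p + 1;
            break;
        } else if (*p == '@') {              /* enterprise: part of name */
            keep_at = 0;
            out->name[n++] = '\\';
            out->name[n++] = '@';
        } else {
            out->name[n++] = *p;
        }
    }
    out->name[n] = '\0';
    if (realm == NULL) realm = default_realm;
    if (strlen(realm) >= sizeof(out->realm)) return -1;  /* realm too long */
    strcpy(out->realm, realm);
    return 0;
}

int main(void)
{
    struct parsed p;   /* UPN is from the thread; the realm is constructed */
    for (int ent = 0; ent <= 1; ent++) {
        model_parse("firstname.lastname@example.com", ent, "AD.EXAMPLE.ORG", &p);
        printf("flag=%d name=%s realm=%s type=%d\n", ent, p.name, p.realm, p.type);
    }
    return 0;
}
```

In the model, the plain parse takes `example.com` as the realm, while the enterprise parse keeps the whole UPN as the name and uses the default realm, so any username mapping applied afterwards sees a different string in each case.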


More information about the webauth-info mailing list