On Oct 7, 2009, at 4:40 PM, Carson Gaspar wrote:
Guillaume Rousse wrote:
Hello list.
I recently found that the GSSAPI plugin, used notably in openldap, doesn't honor map-to-local rules, as described at
http://www.openldap.org/lists/openldap-software/200910/msg00010.html
Is it intentional?
No modern protocol should care. The target username should be transmitted as part of the application protocol - GSSAPI does authentication, not authorization or user name mapping. Yes, MIT krb5 (not GSSAPI) supports hacks using auth_to_local and auth_to_local_names, but only if you call krb5_aname_to_localname(), which is deprecated. I suspect mod_krb is using this deprecated function.
What worries me is that the native realm _is_ stripped. It shouldn't be. I'm not sure why gssapi_server_mech_step() does so.
Because most programs are only set up to handle simple usernames.
I thought it was only the Solaris implementation that did that (and only if the realm == the default realm in [libdefaults]). I gather you're seeing that elsewhere?
------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@xxxxxxxxxxxx, or hbhotz@xxxxxxx
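As an added illustration of the auth_to_local mapping and the default-realm condition discussed in this thread (example code written for this page, not code from MIT krb5, Cyrus SASL or OpenLDAP), the evaluator below applies krb5.conf-style RULE and DEFAULT entries to a principal and returns no local name, rather than blindly stripping the realm, when nothing matches. It assumes the documented MIT rule syntax RULE:[n:string](regex)s/pattern/replacement/ and uses Python's re dialect as an approximation of the POSIX regexes MIT uses; the rules and principals are constructed samples.

```python
import re

# Matches one RULE entry: component count, format string, selector regex, sed expression.
_RULE = re.compile(r"^RULE:\[(\d+):([^\]]*)\]\((.*)\)s/(.*?)/(.*?)/(g?)$")


def parse_principal(principal):
    """Split 'comp1/comp2@REALM' into (components, realm); a realm is required."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not realm:
        raise ValueError("principal has no realm: %r" % principal)
    return name.split("/"), realm


def apply_rule(rule, components, realm):
    """Return the local name one RULE yields, or None when the rule does not apply."""
    m = _RULE.match(rule)
    if not m:
        raise ValueError("unparsable rule: %r" % rule)
    n, fmt, selector, pattern, repl, flag = m.groups()
    if len(components) != int(n):
        return None  # rule is only for principals with exactly n components

    def expand(match):  # $0 is the realm, $1..$n are the components
        i = int(match.group(1))
        if i == 0:
            return realm
        if i > len(components):
            raise ValueError("rule references $%d beyond principal" % i)
        return components[i - 1]

    candidate = re.sub(r"\$(\d+)", expand, fmt)
    if not re.fullmatch(selector, candidate):
        return None
    return re.sub(pattern, repl, candidate, count=0 if flag else 1)


def map_to_local(principal, rules, default_realm):
    """First matching rule wins; None means 'no mapping', which callers must refuse."""
    components, realm = parse_principal(principal)
    for rule in rules:
        if rule == "DEFAULT":
            # DEFAULT only maps single-component principals in the default realm.
            if len(components) == 1 and realm == default_realm:
                return components[0]
            continue
        local = apply_rule(rule, components, realm)
        if local is not None:
            return local
    return None


if __name__ == "__main__":  # constructed sample rules, assumed default realm EXAMPLE.COM
    rules = [r"RULE:[1:$1@$0](.*@EXAMPLE\.COM)s/@.*//", "DEFAULT"]
    for p in ("alice@EXAMPLE.COM", "alice@OTHER.ORG", "svc/host@EXAMPLE.COM"):
        print(p, "->", map_to_local(p, rules, "EXAMPLE.COM"))
```

A principal from a foreign realm or with extra components yields None here, which is the point of doing the mapping explicitly instead of stripping the realm inside the GSSAPI mechanism.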