Re: GSSAPI plugin and kerberos auth-to-local rules

Carson Gaspar wrote:

Guillaume Rousse wrote:

Hello list.

I recently found that the GSSAPI plugin, used notably in openldap, doesn't honor map-to-local rules, as described at
http://www.openldap.org/lists/openldap-software/200910/msg00010.html

Is it intentional?

It is intentional, as Kerberos realms and domain parts of usernames for other authentication mechanisms are from different namespaces. I.e., in the general case there is no correlation between a realm EXAMPLE.COM and a domain example.com. They can't be treated as the same type of object.

No modern protocol should care. The target username should be transmitted as part of the application protocol - GSSAPI does authentication, not authorization or user name mapping. Yes, MIT krb5 (not GSSAPI) supports hacks using auth_to_local and auth_to_local_names, but only if you call krb5_aname_to_localname(), which is deprecated. I suspect mod_krb is using this deprecated function.

What worries me is that the native realm _is_ stripped. It shouldn't be. I'm not sure why gssapi_server_mech_step() does so.

The native realm is stripped only if it is the default realm. This would be consistent with how non-Kerberos username canonicalization works.
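As an added illustration (not code from this thread, from Cyrus SASL or from MIT krb5), the following Python models the two behaviours being contrasted: the GSSAPI plugin's "drop the realm only when it is the default realm" rule described in the reply, beside a small model of MIT krb5 auth_to_local rules (RULE/DEFAULT syntax). The default realm EXAMPLE.COM, the rule and the principals are constructed for the demo.

```python
import re

# Constructed values for this demo; a real deployment reads them from krb5.conf.
DEFAULT_REALM = "EXAMPLE.COM"
# RULE:[n:fmt](regexp)s/pattern/replacement/[g]  -- MIT krb5 auth_to_local syntax
# (escaped slashes inside pattern/replacement are not supported by this model).
RULE_RE = re.compile(r"RULE:\[(\d+):([^\]]*)\](?:\((.*)\))?(?:s/([^/]*)/([^/]*)/(g?))?")

def split_principal(principal):
    """Split 'comp1/comp2@REALM' into (components, realm)."""
    name, sep, realm = principal.rpartition("@")
    if not sep:
        raise ValueError("principal without realm: %r" % principal)
    return name.split("/"), realm

def sasl_style_localname(principal, default_realm=DEFAULT_REALM):
    """Behaviour described in the reply: the realm is dropped only when it is
    the default realm; a principal from any other realm keeps its realm."""
    comps, realm = split_principal(principal)
    return "/".join(comps) if realm == default_realm else principal

def apply_rule(rule, principal, default_realm=DEFAULT_REALM):
    """Apply one auth_to_local rule; return the local name, or None if it does not apply."""
    comps, realm = split_principal(principal)
    if rule == "DEFAULT":
        # DEFAULT: only a single-component principal in the default realm maps
        return comps[0] if realm == default_realm and len(comps) == 1 else None
    m = RULE_RE.fullmatch(rule)
    if not m:
        raise ValueError("unparseable rule: %r" % rule)
    n, fmt, regex, pat, repl, gflag = m.groups()
    if len(comps) != int(n):
        return None  # the rule is for principals with exactly n components
    # $0 is the realm, $1..$n are the name components
    s = re.sub(r"\$(\d+)",
               lambda v: realm if v.group(1) == "0" else comps[int(v.group(1)) - 1], fmt)
    if regex is not None and not re.search(regex, s):
        return None  # selector regexp did not match: rule is skipped
    if pat is not None:
        s = re.sub(pat, repl, s, count=0 if gflag else 1)
    return s

def map_to_local(rules, principal, default_realm=DEFAULT_REALM):
    """First matching rule wins; None means no translation exists (the MIT failure case)."""
    for rule in rules:
        local = apply_rule(rule, principal, default_realm)
        if local is not None:
            return local
    return None
```

With the rule list `["RULE:[2:$1;$2](^.*;admin$)s/;admin$//", "DEFAULT"]`, `joe/admin@EXAMPLE.COM` maps to `joe`, while a foreign-realm principal is left untouched by `sasl_style_localname` and gets no mapping at all from `map_to_local`.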
