GSSAPI plugin and kerberos auth-to-local rules

Carson Gaspar carson at taltos.org
Wed Oct 7 19:40:36 EDT 2009


Guillaume Rousse wrote:
> Hello list.
> 
> I recently found that the GSSAPI plugin, used notably in openldap,
> doesn't honor map-to-local rules, as described at
> http://www.openldap.org/lists/openldap-software/200910/msg00010.html
> 
> Is it intentional?

No modern protocol should care. The target username should be transmitted as 
part of the application protocol - GSSAPI does authentication, not authorization 
or user name mapping. Yes, MIT krb5 (not GSSAPI) supports hacks using 
auth_to_local and auth_to_local_names, but only if you call 
krb5_aname_to_localname(), which is deprecated. I suspect mod_krb is using this 
deprecated function.

What worries me is that the native realm _is_ stripped. It shouldn't be. I'm not 
sure why gssapi_server_mech_step() does so.

-- 
Carson
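To make concrete what "honoring auth_to_local" means versus what the post says the plugin does (dropping the native realm and nothing more), here is a small evaluator for MIT krb5 auth_to_local rules. It is an added example written for this page, not Cyrus SASL or MIT krb5 code. The realm names, the three rules, and the principals fed to it are constructed for illustration; it treats the substitution replacement as literal text, requires the rule regexp to match the whole selector string, uses Python's `re` in place of POSIX extended regexps, and ignores quoted `\@` and `\/` in principal names. The `strip_native_realm()` function is a model of the behaviour described in the post, not the plugin's actual code.

```python
import re

# Constructed sample configuration. Assumption: the realm names and rules
# below are illustrative and are not taken from any real krb5.conf.
DEFAULT_REALM = "EXAMPLE.ORG"
AUTH_TO_LOCAL_RULES = [
    # two-component principals ending in /admin in the native realm -> "<user>-admin"
    "RULE:[2:$1;$2@$0](.*;admin@EXAMPLE\\.ORG)s/;admin@EXAMPLE\\.ORG/-admin/",
    # single-component principals from a trusted foreign realm -> "<user>-partner"
    "RULE:[1:$1@$0](.*@PARTNER\\.EXAMPLE\\.COM)s/@PARTNER\\.EXAMPLE\\.COM/-partner/",
    # single-component principals in the native realm -> their first component
    "DEFAULT",
]

# s/pattern/replacement/[g], allowing backslash-escaped characters inside both parts
_SUBST_RE = re.compile(r"^s/((?:\\.|[^/\\])*)/((?:\\.|[^/\\])*)/(g?)$")


def parse_principal(principal):
    """Split 'comp1/comp2@REALM' into (components, realm).

    Assumption: the name contains no quoted '\\@' or '\\/' characters."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError("principal has no realm: %r" % principal)
    return name.split("/"), realm


def parse_rule(rule):
    """Parse 'RULE:[n:string](regexp)s/pattern/replacement/g' into its parts."""
    m = re.match(r"^RULE:\[(\d+):([^\]]*)\](.*)$", rule)
    if not m:
        raise ValueError("malformed rule: %r" % rule)
    ncomp, fmt, rest = int(m.group(1)), m.group(2), m.group(3)
    regexp = None
    if rest.startswith("("):
        # find the parenthesis closing the regexp, skipping escaped characters
        depth, i = 0, 0
        while i < len(rest):
            ch = rest[i]
            if ch == "\\":
                i += 2
                continue
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
                if depth == 0:
                    break
            i += 1
        if depth != 0:
            raise ValueError("unbalanced parentheses in rule: %r" % rule)
        regexp, rest = rest[1:i], rest[i + 1:]
    subst = None
    if rest:
        sm = _SUBST_RE.match(rest)
        if not sm:
            raise ValueError("malformed substitution in rule: %r" % rule)
        # the replacement is inserted literally in this example (no backreferences)
        subst = (sm.group(1), sm.group(2).replace("\\/", "/"), sm.group(3) == "g")
    return {"ncomp": ncomp, "fmt": fmt, "regexp": regexp, "subst": subst}


def apply_rule(rule, components, realm, default_realm):
    """Return the local name produced by one rule, or None if the rule does not apply."""
    if rule == "DEFAULT":
        # DEFAULT only maps a single-component principal in the default realm
        if realm == default_realm and len(components) == 1:
            return components[0]
        return None
    r = parse_rule(rule)
    if len(components) != r["ncomp"]:
        return None

    def expand(m):  # $0 is the realm, $n the n-th component (1-based)
        n = int(m.group(1))
        if n > len(components):
            raise ValueError("rule references component $%d of %r" % (n, components))
        return realm if n == 0 else components[n - 1]

    selector = re.sub(r"\$(\d+)", expand, r["fmt"])
    # the regexp has to match the whole selector string, not a substring
    if r["regexp"] is not None and not re.fullmatch(r["regexp"], selector):
        return None
    if r["subst"] is None:
        return selector
    pattern, replacement, do_all = r["subst"]
    return re.sub(pattern, lambda _m: replacement, selector, count=0 if do_all else 1)


def aname_to_localname(principal, rules=AUTH_TO_LOCAL_RULES, default_realm=DEFAULT_REALM):
    """Like krb5_aname_to_localname(): first applicable rule wins; None if none applies."""
    components, realm = parse_principal(principal)
    for rule in rules:
        local = apply_rule(rule, components, realm, default_realm)
        if local is not None:
            return local
    return None


def strip_native_realm(principal, default_realm=DEFAULT_REALM):
    """Model of the behaviour the post describes: the native realm is dropped
    and no rule is consulted. Assumption: a foreign realm is left in place."""
    components, realm = parse_principal(principal)
    return "/".join(components) if realm == default_realm else principal


def compare(principals):
    """Return [(principal, auth_to_local result, realm-stripped name)] per principal."""
    return [(p, aname_to_localname(p), strip_native_realm(p)) for p in principals]


if __name__ == "__main__":
    for row in compare(["bob/admin@EXAMPLE.ORG", "alice@PARTNER.EXAMPLE.COM",
                        "carol@EXAMPLE.ORG", "carol@OTHER.REALM"]):
        print("%-28s auth_to_local=%-14s realm-stripped=%s" % row)
```

The last two principals show where the two approaches part ways: the rule-based mapping hands `bob/admin@EXAMPLE.ORG` to the application as `bob-admin` and refuses `carol@OTHER.REALM` outright (no rule applies, which is the mapping failure MIT reports), whereas plain realm stripping yields `bob/admin` and passes the foreign principal through untouched, leaving any realm check to the application protocol.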