GSSAPI plugin and kerberos auth-to-local rules

Henry B. Hotz hotz at jpl.nasa.gov
Wed Oct 7 20:39:58 EDT 2009


On Oct 7, 2009, at 4:40 PM, Carson Gaspar wrote:

> Guillaume Rousse wrote:
>> Hello list.
>>
>> I recently found that the GSSAPI plugin, used notably in openldap,
>> doesn't honor map-to-local rules, as described at
>> http://www.openldap.org/lists/openldap-software/200910/msg00010.html
>>
>> Is it intentional?
>
> No modern protocol should care. The target username should be transmitted as
> part of the application protocol - GSSAPI does authentication, not authorization
> or user name mapping. Yes, MIT krb5 (not GSSAPI) supports hacks using
> auth_to_local and auth_to_local_names, but only if you call
> krb5_aname_to_localname(), which is deprecated. I suspect mod_krb is using this
> deprecated function.
>
> What worries me is that the native realm _is_ stripped. It shouldn't be. I'm not
> sure why gssapi_server_mech_step() does so.

Because most programs are only set up to handle simple usernames.

I thought it was only the Solaris implementation that did that (and
only if the realm == the default realm in [libdefaults]). I gather
you're seeing that elsewhere?

------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
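Added example, not code from this thread or from Cyrus SASL: a small evaluator for MIT-style auth_to_local DEFAULT and RULE entries, set beside a blind realm strip, to show why dropping the realm (rather than only mapping it when it is the default realm) matters for authorization. The realms and rule strings are constructed for the example, and Python's re stands in for the POSIX regexps MIT krb5 uses.

```python
import re

# Constructed rules for the example; the DEFAULT / RULE:[n:string](regexp)s/pat/rep/
# syntax is MIT krb5's auth_to_local, the rules themselves are hypothetical.
RULES = [
    "RULE:[2:$1;$2](^.*;admin$)s/;admin$/-admin/",            # alice/admin -> alice-admin
    "RULE:[1:$1@$0](^.*@PARTNER\\.EXAMPLE$)s/@.*/_partner/",   # bob@PARTNER.EXAMPLE -> bob_partner
    "DEFAULT",                                                # strip realm only if it is the default realm
]

_RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g?))?$")


def split_principal(principal):
    """Split 'comp1/comp2@REALM' into (components, realm); realm is None if absent."""
    name, sep, realm = principal.rpartition("@")
    if not sep:
        return principal.split("/"), None
    return name.split("/"), realm


def naive_strip_realm(principal):
    """What a consumer sees if the plugin simply drops '@REALM':
    'alice' from every realm collapses onto the one local account 'alice'."""
    return principal.rpartition("@")[0] or principal


def auth_to_local(principal, default_realm, rules=RULES):
    """Return the local name for principal, or None if no rule maps it (refuse, don't guess)."""
    components, realm = split_principal(principal)
    for rule in rules:
        if rule == "DEFAULT":
            # DEFAULT maps only single-component principals in the default realm.
            if realm == default_realm and len(components) == 1:
                return components[0]
            continue
        m = _RULE_RE.match(rule)
        if not m:
            raise ValueError("unparseable rule: " + rule)
        n, fmt, selector, pat, rep, flag = m.groups()
        if len(components) != int(n):
            continue  # rule applies only to principals with exactly n components
        text = fmt
        for i in range(len(components), 0, -1):   # $n..$1 are components, $0 is the realm
            text = text.replace("$%d" % i, components[i - 1])
        text = text.replace("$0", realm or "")
        if selector and not re.search(selector, text):
            continue
        if pat:
            text = re.sub(pat, rep, text, count=0 if flag else 1)
        return text
    return None
```

With default realm EXAMPLE.COM, alice@EVIL.EXAMPLE maps to None under the rules but to "alice" under the blind strip, which is the collision Carson's message worries about.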