GSSAPI plugin and kerberos auth-to-local rules

Alexey Melnikov alexey.melnikov at isode.com
Thu Oct 8 07:43:14 EDT 2009


Carson Gaspar wrote:

> Guillaume Rousse wrote:
>
>> Hello list.
>>
>> I recently found that the GSSAPI plugin, used notably in openldap, 
>> doesn't honor map-to-local rules, as described at
>> http://www.openldap.org/lists/openldap-software/200910/msg00010.html
>>
>> Is it intentional?
>
It is intentional, as Kerberos realms and domain parts of usernames for 
other authentication mechanisms are from different namespaces.
I.e., in the general case there is no correlation between a realm 
EXAMPLE.COM and a domain example.com. They can't be treated as the same 
type of object.

> No modern protocol should care. The target username should be 
> transmitted as part of the application protocol - GSSAPI does 
> authentication, not authorization or user name mapping. Yes, MIT krb5 
> (not GSSAPI) supports hacks using auth_to_local and 
> auth_to_local_names, but only if you call krb5_aname_to_localname(), 
> which is deprecated. I suspect mod_krb is using this deprecated function.
>
> What worries me is that the native realm _is_ stripped. It shouldn't 
> be. I'm not sure why gssapi_server_mech_step() does so.

The native realm is stripped only if it is the default realm. This would 
be consistent with how non-Kerberos username canonicalization is working.
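To make the behaviour described above concrete, here is an added illustration (not code from Cyrus SASL or from anyone on this thread) of a canonicalization routine that strips the realm from an authenticated principal only when it is the configured default realm. The function name and the sample principals are made up for the example; it assumes principals in plain name@REALM form with no escaped '@' in the name component. The point it demonstrates is that a principal from any other realm keeps its realm suffix, so alice@OTHER.ORG can never be confused with the local user alice, and that a realm such as example.com is not the same namespace as EXAMPLE.COM.

```c
/* Added example, not Cyrus SASL code: the realm is dropped only when it
 * equals the default realm, mirroring the behaviour described in the reply. */
#include <stdio.h>
#include <string.h>

/* Write the authorization-ready name for `principal` into `out`.
 * Returns 0 on success, -1 if the principal is malformed or `out` is too small.
 * The principal is assumed to be in plain name@REALM form (no escaped '@'). */
static int canonicalize_principal(const char *principal, const char *default_realm,
                                  char *out, size_t outlen)
{
    /* The realm never contains '@', so the last '@' is the separator. */
    const char *at = strrchr(principal, '@');
    size_t namelen;

    if (at == NULL || at == principal || at[1] == '\0')
        return -1;                     /* no realm, empty name or empty realm */

    namelen = (size_t)(at - principal);

    /* Case-sensitive comparison: EXAMPLE.COM and example.com are different
     * realms, just as a Kerberos realm and a DNS domain are different namespaces. */
    if (strcmp(at + 1, default_realm) == 0) {
        if (namelen + 1 > outlen)
            return -1;
        memcpy(out, principal, namelen);   /* default realm: keep the bare name */
        out[namelen] = '\0';
    } else {
        if (strlen(principal) + 1 > outlen)
            return -1;
        strcpy(out, principal);            /* foreign realm: keep the full principal */
    }
    return 0;
}

/* Convenience check used by the demonstration below:
 * 1 if `principal` canonicalizes to `expected`, 0 otherwise. */
static int canonicalizes_to(const char *principal, const char *default_realm,
                            const char *expected)
{
    char buf[256];

    if (canonicalize_principal(principal, default_realm, buf, sizeof buf) != 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed sample principals against a default realm of EXAMPLE.COM. */
    const char *samples[] = {
        "alice@EXAMPLE.COM",   /* default realm: becomes "alice" */
        "alice@OTHER.ORG",     /* foreign realm: stays as-is */
        "alice@example.com",   /* lower-case realm is a different realm */
        "alice",               /* no realm: rejected */
    };
    char buf[256];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (canonicalize_principal(samples[i], "EXAMPLE.COM", buf, sizeof buf) == 0)
            printf("%-20s -> %s\n", samples[i], buf);
        else
            printf("%-20s -> (rejected)\n", samples[i]);
    }
    return 0;
}
```

Note that no realm-to-domain mapping takes place anywhere in this routine: a foreign principal is passed through unchanged for the application to authorize, which is exactly the "GSSAPI does authentication, not name mapping" division of labour discussed in the thread.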
