View Issue Details

Jump to NotesJump to History
IDProjectCategoryView StatusDate SubmittedLast Update
1211RackTablesdefaultpublic2014-04-08 07:542014-10-06 14:35
Reporterhc Assigned To 
PrioritynormalSeveritymajorReproducibilityalways
Status acknowledgedResolutionopen 
OSLinux 
Product Version0.20.7 
Summary1211: Kerberos authentication via httpd will not work because of '@' sign prohibitede in username
DescriptionHi!

I'm trying to set up Kerberos authentication.

I changed secret.php this way:
$user_auth_src = 'httpd';
$require_local_account = FALSE;

After that I tried to log in and got next result (screenshot attached)

When I tried to add "allow {$userhame_hc@GSK.LOC}" directive to permissions, I had no success because of @-sign. Without it rule can be added, but makes no sence.
TagsNo tags attached.
Attached Files
sschot.png (20,334 bytes)   
sschot.png (20,334 bytes)   

Activities

infrastation

infrastation

2014-04-22 16:53

administrator   ~0002263

I understand the problem but don't have a good solution for it at the moment.
Barbarossa

Barbarossa

2014-05-05 02:12

reporter   ~0002279

Hi,

I guess you're using mod_auth_kerb on Apache? How about setting

  KrbLocalUserMapping On

(available since version 5.4 IIRC).

If the version is too old for that and my guess about Apache is correct, maybe you can install the mod_map_user module and put something like that

  MapUsernameRule x(.*)@(.*) "$1"

in the configuration?

Best regards
Max
infrastation

infrastation

2014-05-05 06:47

administrator   ~0002281

Do users authenticate within only one domain?
hc

hc

2014-05-05 08:49

reporter   ~0002283

Barbarossa, thanks for the proposal, will test it now

infrastation, yes, users authenticate from only one domain. It's some kind of workaround, but I think it should work for 60-70% of cases
hc

hc

2014-05-05 08:59

reporter   ~0002285

Barbarossa, thanks, the solution with KrbLocalUserMapping works!

infrastation, why not just exclude @ from prohibited symbols in 'allow' directive?
jonesg

jonesg

2014-10-06 14:35

reporter   ~0002519

Could a solution be something like rewriting the username if it contains an "@" by replacing it with something like "(at)".

We have been using another piece of software where we had to manually add a few lines that would take the username attribute from our CAS solution and rewrite it from "user@dom.ai.n" to "user(at)dom.ai.n". In other solutions we were forced to use "_" og "-" instead of "\" or "@" when authenticating against our AD.

It is a hack of sorts but it would possible to handle.

Issue History

Date Modified Username Field Change
2014-04-08 07:54 hc New Issue
2014-04-08 07:54 hc File Added: sschot.png
2014-04-22 16:53 infrastation Note Added: 0002263
2014-04-22 16:53 infrastation Status new => acknowledged
2014-05-05 02:12 Barbarossa Note Added: 0002279
2014-05-05 06:47 infrastation Note Added: 0002281
2014-05-05 08:49 hc Note Added: 0002283
2014-05-05 08:59 hc Note Added: 0002285
2014-10-06 14:35 jonesg Note Added: 0002519