[OpenAFS] PTS lookup via LDAP or apache2

Christopher D. Clausen cclausen@acm.org
Mon, 4 Sep 2006 17:36:28 -0500

Chris Huebsch <chris.huebsch@informatik.tu-chemnitz.de> wrote:
> Hi,
> On Mon, 4 Sep 2006, Christopher D. Clausen wrote:
>> Hmm.  If I am trying to use mod_auth_kerb (for SSO via SPNEGO) and it
>> appends a realm to the user name, is that going to cause issues?
> I do not know. What user names are in your PTS-Groups?

It did not strip the realm name.  Matt added code to support an
AuthAFSGROUP_StripRealm (on|off) option and when enabled it works with

You already included the patch in:

To use with mod_auth_kerb, you'd do something like:

AuthType Kerberos
AuthAuthoritative off
KrbMethodNegotiate on
KrbAuthRealms ACM.UIUC.EDU
Krb5Keytab /etc/www.keytab
AuthAFSGROUP_StripRealm on
require afsgroup cclausen:self

This seems to work with SSO via KrbMethodNegotiate and correctly checks
PTS group membership.


Thank you for this code!  Saved us some work writing it from scratch.
We have it running in some test environments and it seems to be working
quite well.

Christopher D. Clausen
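
The realm handling discussed in this message, as an added example (not code from the module or from this thread): a C helper that strips the realm from a Kerberos principal only when it equals one trusted realm, so a principal from any other realm is rejected instead of being mapped onto a local PTS name. The function name and the policy of rejecting a name with no realm are assumptions; the sample principals are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: map "user@REALM" to the bare name used for the
 * PTS lookup, but only if REALM is exactly the trusted realm.
 * Returns 0 on success, -1 if the name must be rejected. */
int strip_trusted_realm(const char *principal, const char *trusted_realm,
                        char *out, size_t outlen)
{
    const char *at = NULL, *p;
    size_t n;

    if (principal == NULL || trusted_realm == NULL || out == NULL)
        return -1;

    /* Find the first unescaped '@'; "\@" is a literal '@' in a principal. */
    for (p = principal; *p != '\0'; p++) {
        if (*p == '\\' && p[1] != '\0') { p++; continue; }
        if (*p == '@') { at = p; break; }
    }
    if (at == NULL)
        return -1;              /* assumed policy: a realm is required */

    n = (size_t)(at - principal);
    if (n == 0 || n >= outlen)
        return -1;              /* empty name, or it would not fit */

    /* Realms are case-sensitive, so compare exactly. */
    if (strcmp(at + 1, trusted_realm) != 0)
        return -1;

    memcpy(out, principal, n);
    out[n] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample principals. */
    const char *samples[] = { "cclausen@ACM.UIUC.EDU",
                              "cclausen@OTHER.EXAMPLE", "cclausen" };
    char name[64];
    for (size_t i = 0; i < 3; i++) {
        if (strip_trusted_realm(samples[i], "ACM.UIUC.EDU", name, sizeof name) == 0)
            printf("%s -> %s\n", samples[i], name);
        else
            printf("%s -> rejected\n", samples[i]);
    }
    return 0;
}
```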