[OpenAFS] PTS lookup via LDAP or apache2
Christopher D. Clausen
cclausen@acm.org
Mon, 4 Sep 2006 17:36:28 -0500
Chris Huebsch <chris.huebsch@informatik.tu-chemnitz.de> wrote:
> Hi,
>
> On Mon, 4 Sep 2006, Christopher D. Clausen wrote:
>
>> Hmm. If I am trying to use mod_auth_kerb (for SSO via SPNEGO) and it
>> appends a realm to the user name, is that going to cause issues?
>
> I do not know. What user names are in your PTS-Groups?

It did not strip the realm name. Matt added code to support an
AuthAFSGROUP_StripRealm (on|off) option and when enabled it works with
mod_auth_kerb.

You already included the patch in:
http://chu.in-chemnitz.de/download/mod_auth_pam_2.0.tgz

To use with mod_auth_kerb, you'd do something like:

    AuthType Kerberos
    AuthAuthoritative off
    AuthName "ACM.UIUC.EDU"
    KrbMethodNegotiate on
    KrbAuthRealms ACM.UIUC.EDU
    Krb5Keytab /etc/www.keytab
    AuthAFSGROUP_StripRealm on
    require afsgroup cclausen:self

This seems to work with SSO via KrbMethodNegotiate and correctly checks
PTS group membership.
-----
Thank you for this code! Saved us some work writing it from scratch.
We have it running in some test environments and it seems to be working
quite well.
<<CDC
--
Christopher D. Clausen
ACM@UIUC SysAdmin