Red Hat Bugzilla – Bug 970547
Document that when running web services on IPA clients with Kerberos authentication, mod_auth_kerb returns Kerberos principal as logged user name
Last modified: 2014-07-29 16:25:48 EDT
Description of problem:
When you have a web service using normal basic authentication, your logins will look like "alice" and "bob". When you then enable mod_auth_kerb on that httpd server, the logged in user will be "alice@REALM.COM" and "bob@REALM.COM". Which are completely different users in that web application's database so after using SPNEGO, people will not see their data.
It is necessary to use the KrbLocalUserMapping directive, which is undocumented anywhere in the mod_auth_kerb documentation beyond one line in the Changes file in mod_auth_kerb-5.4.tar.gz:
*implemented KrbLocalUserMapping i.e. to strip @REALM from username for further use
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Enable mod_auth_kerb on your web service on IPA client based on some documentation.
That documentation will not mention KrbLocalUserMapping.
That documentation should mention KrbLocalUserMapping.
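For illustration, an httpd location block showing where the directive sits (added example, not taken from the bug report or the IPA guide; REALM.COM, /app and the keytab path are placeholders):

```apache
# Added example, not from the bug report or IPA documentation.
# REALM.COM, /app and the keytab path are placeholders.
<Location /app>
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate On
    KrbMethodK5Passwd Off
    KrbServiceName HTTP
    KrbAuthRealms REALM.COM
    Krb5KeyTab /etc/httpd/conf/ipa.keytab
    # Without the next line REMOTE_USER is "alice@REALM.COM", which the
    # application stores as a different account from the basic-auth "alice".
    # With it, mod_auth_kerb maps the principal to a local name, so
    # REMOTE_USER becomes "alice" for users of the local realm.
    KrbLocalUserMapping On
    Require valid-user
</Location>
```

As comment 6 below notes, trusted AD users are deliberately given name@realm as their local name by FreeIPA/SSSD, so for them REMOTE_USER stays fully qualified even with the mapping enabled.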
Where do you propose documenting this? Is this more appropriate for mod_auth_kerb in the man page, for example?
I'm not decided on it. On one hand we should have definitely added Krb5LocalUserMapping to the list of documented options in mod_auth_kerb. On the other, the particular behavior of forcing trusted AD users to have fully qualified names (name@realm) as local names is our design decision in FreeIPA and SSSD.
For the basic documentation of that directive, I've now filed bug 970678 against mod_auth_kerb. This bugzilla should probably be used for whatever general documentation IPA has, plus for the AD user behaviour in FreeIPA/SSSD.
Thanks both for the discussion. Having a bug against mod_auth_kerb to document the option is a good step.
From IPA side, I would just update our guide, particularly section "8.7. Using Trust with Kerberized Web Applications" in
and state that the user credential will be in the form of a full principal, i.e. "user@REALM", and point users to the KrbLocalUserMapping directive if they want to have just "user".
Moving to IPA doc guide component.
This has no impact on the IPA documentation (per Deon Lackey)
Jan Pazdziora has filed a bug for the kerb team to update the man page.
Is it correct that this bugzilla was NOTABUGed? I thought we'd be adding information about the credential format and about the KrbLocalUserMapping directive per comment 8. When was the decision made not to amend the Guide?
I am not sure why it is closed. Comment 8 clearly states what needs to be done. Reopening.
Removing needinfo? flag. This was obviously an oversight on my side. Deon is taking care of the rest.
Mass closure. These bugs were live in RHEL 6.5.