We configured Apache to use Kerberos authentication. Apache sends the "x-authenticated-user" header with the username. Example:

AD domain login: smith_j@c.foo.example.com
Request header name: 'x-authenticated-user', value: '[smith_j@foo.example.com]'

AD domain login: dibley_j@division.foo.example.com
Request header name: 'x-authenticated-user', value: '[dibley_j.division@foo.example.com]'

My question is: how do I get the original AD user names "smith_j@c.foo.example.com" and "dibley_j@division.foo.example.com" in the Apache header?

Here is the configuration:
[root@server]$ sudo cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm =
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 foo.example.com = {
  kdc = foo.example.com
  admin_server = foo.example.com
 }

[domain_realm]
 .foo.example.com = foo.example.com
 foo.example.com = foo.example.com
======================================================================
[root@server]$ sudo cat server.conf
<VirtualHost *:80>
    .....
    .....
    .....
    RewriteEngine on
    RewriteCond %{LA-U:REMOTE_USER} (.+)
    RewriteRule . - [E=ru:%1]
    RequestHeader set x-authenticated-user %{ru}e
    Header set x-authenticated-user %{ru}e
    RequestHeader set host "site.foo.example.com"
    <Location />
        AuthType Kerberos
        AuthName "kerberos login"
        KrbMethodNegotiate on
        KrbMethodK5Passwd off
        Krb5KeyTab /etc/httpd/conf/http.keytab
        Require valid-user
    </Location>
    .....
    .....
    .....
</VirtualHost>
Use mod_spnego, it'll work.