Hi,

my question is not directly related to IPA, but since IPA provides the underlying authentication services, I think it almost fits here. I have an Apache WebDAV server that authenticates via Kerberos to the IPA server. The related configuration in Apache is:

    AuthType Kerberos
    # Essential for Windows clients to connect
    KrbMethodNegotiate Off
    KrbMethodK5Passwd On
    KrbAuthRealms REALM
    Krb5KeyTab /etc/httpd/conf/krb5.keytab
    KrbServiceName HTTP
    Require valid-user

I can log in with the IPA username (i.e. user) and user@REALM. But I also need to log in with e-mail, as user@domain, which does not work. "domain" equals "REALM", but, naturally, domain is lowercase and REALM is uppercase.

I could not find any simple solution so far. I thought I could manipulate the username supplied by the user, and I tried to play with /etc/krb5.conf by adding auth_to_local statements, as below:

    [realms]
    REALM = {
      pkinit_anchors = FILE:/etc/ipa/ca.crt
      # experimenting to convert to uppercase
      auth_to_local = RULE:[1:$1@$0](^.*@domain$)s/@domain/@REALM/
      auth_to_local = DEFAULT
    }

But this doesn't work, and it seems that it is not even tried by Apache/Kerberos.

Could you suggest any other solution, if this is possible to achieve at all? One other way that might work is via the Apache module mod_map_user, but I could not compile it on CentOS 7.

Thanks for your time and kind regards,
Ivars
freeipa-users@lists.fedorahosted.org