Hi,
my question is not directly related to IPA, but since IPA provides underlying authentication services, I think it almost fits here.
I have an Apache WebDAV server that authenticates via Kerberos to an IPA server.
Related configuration in Apache is:

    AuthType Kerberos
    # Essential for Windows clients to connect
    KrbMethodNegotiate Off
    KrbMethodK5Passwd On
    KrbAuthRealms REALM
    Krb5KeyTab /etc/httpd/conf/krb5.keytab
    KrbServiceName HTTP
    Require valid-user

I can log in with the IPA username (i.e. user) and with user@REALM.
But I also need to log in with the e-mail address, as user@domain, which does not work.
"domain" equals "REALM", but, naturally, domain is lowercase and REALM is uppercase.
I could not find any simple solution so far. I thought I could manipulate the username supplied by the user, and I tried to play with /etc/krb5.conf by adding auth_to_local statements, as below:

    [realms]
    REALM = {
        pkinit_anchors = FILE:/etc/ipa/ca.crt
        # experimenting to convert to uppercase
        auth_to_local = RULE:[1:$1@$0](^.*@domain$)s/@domain/@REALM/
        auth_to_local = DEFAULT
    }

But this doesn’t work and it seems that it is not even tried by Apache/Kerberos.
Could you suggest any other solution if this is possible to achieve at all?
One other way that might work is via the Apache module mod_map_user, but I could not compile it on CentOS 7.
Thanks for your time and kind regards,
Ivars
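
Added example, not part of the original post: auth_to_local maps an already authenticated principal name to a local account name, and this simplified Python model of the documented RULE semantics evaluates the two lines from the post against constructed principals. The function names and sample principals are assumptions; POSIX regex details and other MIT krb5 behaviour are not modelled.

```python
import re

# Simplified model of MIT krb5 auth_to_local evaluation (Python re, not POSIX regex).
RULE_RE = re.compile(r"RULE:\[(\d+):([^\]]*)\](?:\((.*)\))?((?:s/[^/]*/[^/]*/g?\s*)*)$")

def apply_rule(rule, principal):
    """Return the local name a RULE yields, or None if it does not apply."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("unsupported rule syntax: " + rule)
    n, fmt, regexp, seds = int(m.group(1)), m.group(2), m.group(3), m.group(4)
    name, _, realm = principal.rpartition("@")
    comps = name.split("/")
    if len(comps) != n:                      # rule only covers n-component names
        return None
    parts = [realm] + comps                  # $0 = realm, $1.. = components
    selection = re.sub(r"\$(\d)", lambda d: parts[int(d.group(1))], fmt)
    if regexp and not re.fullmatch(regexp, selection):
        return None                          # whole selection string must match
    for pat, repl, flag in re.findall(r"s/([^/]*)/([^/]*)/(g?)", seds):
        selection = re.sub(pat, repl, selection, count=0 if flag else 1)
    return selection

def to_local(rules, principal, default_realm):
    """Try rules in order; the first one that applies decides the local name."""
    for rule in rules:
        if rule == "DEFAULT":
            name, _, realm = principal.rpartition("@")
            if realm == default_realm and "/" not in name:
                return name
            continue
        local = apply_rule(rule, principal)
        if local is not None:
            return local
    return None

# The two auth_to_local lines from the post, in order.
RULES = ["RULE:[1:$1@$0](^.*@domain$)s/@domain/@REALM/", "DEFAULT"]

if __name__ == "__main__":
    # Constructed principals; "REALM" and "domain" are the post's placeholders.
    for p in ("user@REALM", "user@domain", "HTTP/web.example@REALM"):
        print(p, "->", to_local(RULES, p, "REALM"))
```

For a principal in realm `domain`, the rule's result `user@REALM` is a local account name string; the mapping does not change which principal is authenticated.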