From: Andrew C. <pha...@gm...> - 2009-04-23 20:49:43
On Thu, Apr 23, 2009 at 4:38 PM, Phil Pishioneri <pg...@ps...> wrote:
> First time I'm trying out the _passwd_ keyword (in v3, not 2.x), having
> trouble keeping the username as just the kerberos principal.
>
> Let's say my krb5 realm is K.PSU.EDU. Either of the following two config
> entries
>
>   passwd kerberos ([^@]+) $1@K.PSU.EDU K.PSU.EDU
>   passwd kerberos ([^@]+) $1 K.PSU.EDU [using the default realm in
>   krb5.conf]
>
> will work if someone enters their account name as "foo" in the _login_ input
> field. (USER="foo", REALM="K.PSU.EDU")
>
> I'd like to add another config line so that if someone entered
> "foo@K.PSU.EDU" into the login field, it would be equivalent to the above
> keywords, setting the User to "foo". My attempts:
>
>   passwd kerberos ([^@]+)@K.PSU.EDU $1@K.PSU.EDU K.PSU.EDU
>   passwd kerberos ([^@]+)@(K\.PSU\.EDU) $1@K.PSU.EDU K.PSU.EDU
>
> etc., are all the same. Whatever string is entered into the login field,
> becomes the USER: "foo@K.PSU.EDU" (for that input). The realm is set
> correctly, and the kerberos ticket is the desired one. Even
>
>   passwd kerberos ([^@]+)@bar $1@K.PSU.EDU K.PSU.EDU
>
> gets the user set to "foo@bar" (for that input). Seems to be acting like
> the mysql option (using the "email address"), where I'd prefer that it just
> used the principal (and /instance if set?).
>
> Is this the intended behavior?

What we do here is something like this, which should work for 3.0 (assuming that part of the code hasn't changed, still need to test that):

  passwd kerberos ([^@]+) $1 BX.PSU.EDU

I tried to do something fancy like you had above and just match with something like

  passwd kerberos (.+)@BX.PSU.EDU $1 BX.PSU.EDU

but gave up as backrefs didn't quite seem to be working correctly.

We also have some JavaScript that appends the realm to the login variable before submitting, which plays into our use of a drop-down dialog to allow the user to select the realm to login to. You could probably do something similar to strip off your 'default' realm before submission if the user inputs that.

--andy
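
Added example, not part of the original message or of the project's own code: one way to do the client-side realm stripping suggested above, so that "foo@K.PSU.EDU" is submitted as "foo". The function names, the form lookup and the field name "login" are assumptions; this only tidies the input, and the server-side passwd rules still decide what is accepted.

```javascript
// Added example (hypothetical helper names). The realm value is the one used in the thread.
const DEFAULT_REALM = "K.PSU.EDU";

// Return the string to submit in the login field.
// Only an exact "@<defaultRealm>" suffix is removed; everything else is
// passed through unchanged so the server-side rules see what the user typed.
function normalizeLogin(raw, defaultRealm) {
  const login = raw.trim();
  const at = login.lastIndexOf("@");
  // No "@" at all, or nothing before it: nothing sensible to strip.
  if (at <= 0) return login;

  const principal = login.slice(0, at);
  const realm = login.slice(at + 1);

  // Kerberos realm names are case-sensitive, so compare exactly.
  // A second "@" in the principal part is left alone rather than guessed at.
  if (realm === defaultRealm && !principal.includes("@")) {
    return principal; // keeps any "/instance" part, e.g. "foo/admin"
  }
  return login; // a different realm: do not rewrite it
}

// Rewrite the field just before the form is submitted.
function installOnForm(form, fieldName, defaultRealm) {
  form.addEventListener("submit", () => {
    const field = form.elements[fieldName];
    field.value = normalizeLogin(field.value, defaultRealm);
  });
}

// Browser only: hook the first form that has a "login" field (assumed name).
if (typeof document !== "undefined") {
  const form = document.querySelector("form");
  if (form && form.elements["login"]) {
    installOnForm(form, "login", DEFAULT_REALM);
  }
}
```
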