Issue with mod_dav_svn while using KrbLocalUserMapping

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Issue with mod_dav_svn while using KrbLocalUserMapping

William Muriithi
Hello,

I have an SVN server that I want to migrate from LDAP to Kerberos.
Below is the relevant version of the packages the system is using:

mod_auth_kerb-5.4-14.el6.x86_64
mod_dav_svn-1.9.4-3.x86_64
subversion-1.9.4-3.x86_64

After making the necessary changes to work with kerberos, users were
able to authenticate well but I noticed the users ID now had kerberos
REALM.  So instead of william, the username changed to
[hidden email].  This was a problem because users started
having locking issue, but also meant authorisation was broken.

To fix this, I added  "KrbLocalUserMapping On"  on apache
configuration.  However, some user started having problem
authenticating.I am certain the problem involve LocalUserMapping as I
had the same experience yesterday and the problem cleared after
commenting out.  I have been unable to find the root cause and had to
reverse the change.

Have anyone seem such a problem before?  Would be grateful for any pointer.

Regards,
William
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Issue with mod_dav_svn while using KrbLocalUserMapping

Daniel Shahaf-2
William Muriithi wrote on Tue, Mar 07, 2017 at 19:02:39 -0500:

> After making the necessary changes to work with kerberos, users were
> able to authenticate well but I noticed the users ID now had kerberos
> REALM.  So instead of william, the username changed to
> [hidden email].  This was a problem because users started
> having locking issue, but also meant authorisation was broken.
>
> To fix this, I added  "KrbLocalUserMapping On"  on apache
> configuration.  However, some user started having problem
> authenticating.I am certain the problem involve LocalUserMapping as I
> had the same experience yesterday and the problem cleared after
> commenting out.  I have been unable to find the root cause and had to
> reverse the change.
>
> Have anyone seem such a problem before?  Would be grateful for any pointer.

Subversion is really incidental here; if your question is how to cause
mod_kerberos not to include @foo in the authenticate usernames it
reports, try asking that on the httpd/kerberos forums.
Loading...