Re: krb_match_realm patch

From Magnus Hagander
Subject Re: krb_match_realm patch
Date
Msg-id 473499FC.90600@hagander.net
In reply to krb_match_realm patch  (Stephen Frost <sfrost@snowman.net>)
Responses Re: krb_match_realm patch  (Bruce Momjian <bruce@momjian.us>)
List pgsql-hackers
Stephen Frost wrote:
> Greetings,
> 
>   Regarding Magnus' patch for matching against the Kerberos realm- I'd
>   see it as much more useful as a multi-value configuration option.
>   Perhaps 'krb_alt_realms' or 'krb_realms'.  This would look like:
> 
>   Match against one, and only one, realm (does not have to be the realm
>   the server is in, that's dealt with separately):
>   krb_realms = 'ABC.COM'
> 
>   Don't worry about the realm ever:
>   krb_realms = '' # default, to match current krb5
> 
>   Match against multiple realms:
>   krb_realms = 'ABC.COM, DEF.ABC.COM'
> 
>   Note that using multiple realms implies either no overlap, or that
>   overlap means the same person.
>   
>   Additionally, I feel we should have an explicit 'krb_strip_realm'
>   boolean option to enable this behaviour.  If 'krb_strip_realm' is
>   'false' then the full user@REALM would be used.  This would mean that
>   more complex cross-realm could also be handled by creating users with
>   user@REALM and then just roles when a given user exists in multiple
>   realms.
>   
>   I understand that we're in beta now but both of these are isolated and
>   rather small changes, I believe.  Also, Magnus has indicated that he'd
>   be willing to adjust his patch accordingly if this is agreed to
>   (please correct me if I'm wrong here :).

I've committed the patch as it was without this, because that's still
better than what we have now.

Just for the record, I've indicated that I'm willing to add the
multi-realm match part of that, but I'm not sure we want to dig into the
"krb_strip_realm" stuff this late in the cycle. At least unless someone
can confirm that we won't have issues *elsewhere* from passing in very
long usernames in what I believe is not entirely specified formats.

I will try to work on the multi-realm stuff next week, unless someone
wants to beat me to it...

//Magnus
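
The semantics proposed in the quoted message, as an added example that is not part of either e-mail and is not PostgreSQL code. `krb_realms` and `krb_strip_realm` are the option names from the proposal; `realm_allowed`, `map_principal`, the 63-byte name limit and the case-sensitive realm comparison are assumptions of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_ROLE_LEN 63 /* assumed role-name limit for this example */

/* 1 if realm is an entry of the comma-separated list (krb_realms style). */
static int realm_allowed(const char *realms, const char *realm)
{
    size_t rlen = strlen(realm);
    while (*realms) {
        while (*realms == ',' || isspace((unsigned char) *realms))
            realms++;
        const char *start = realms;
        while (*realms && *realms != ',')
            realms++;
        const char *end = realms;
        while (end > start && isspace((unsigned char) end[-1]))
            end--;
        /* exact, case-sensitive comparison (assumption of this example) */
        if (rlen > 0 && (size_t) (end - start) == rlen && !memcmp(start, realm, rlen))
            return 1;
    }
    return 0;
}

/* Hypothetical mapping of user@REALM to a role name; 0 = accepted, -1 = rejected. */
int map_principal(const char *principal, const char *realms, int strip_realm,
                  char *role, size_t rolesz)
{
    const char *at = strrchr(principal, '@');
    const char *realm = at ? at + 1 : "";
    size_t len = (strip_realm && at) ? (size_t) (at - principal) : strlen(principal);
    if (*realms != '\0' && !realm_allowed(realms, realm))
        return -1; /* an empty list means the realm is not checked */
    if (len == 0 || len > MAX_ROLE_LEN || len >= rolesz)
        return -1; /* reject over-long names instead of truncating them */
    memcpy(role, principal, len);
    role[len] = '\0';
    return 0;
}

int main(void)
{
    char role[MAX_ROLE_LEN + 1];
    /* constructed sample principal and realm list */
    int rc = map_principal("alice@DEF.ABC.COM", "ABC.COM, DEF.ABC.COM", 1, role, sizeof role);
    printf("%s\n", rc == 0 ? role : "(rejected)");
    return 0;
}
```

With stripping enabled, `alice@ABC.COM` and `alice@DEF.ABC.COM` both map to `alice`, which is the overlap the quoted message says must mean the same person. With stripping disabled, the full `user@REALM` string is what reaches the length check.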

