Regex/PCRE support for auth_to_local RULEs

Regex/PCRE support for auth_to_local RULEs

Protulipac, Michael
Hello -

Not sure where best to post this question and/or enhancement request.   If inappropriate for this distribution, kindly advise routing.

We are trying to migrate from QAS/VAS (Quest Authentication Services) to an open source based solution.  We have Active Directory for the KDC, MS windows clients and RedHat linux servers running Cloudera Hadoop.  When we enable SSHD GSS API, we find a case sensitivity issue with our windows principal names (Windows acquires KRB tickets using uppercase userId's).  We have success when we map uppercase users to lowercase in  auth_to_local_names or auth_to_local defining an explicit search and replace RULE.  The issue is we have 50k+ users that cannot be easily added yet maintained in this manner.

Cloudera seems to implement a similar auth_to_local RULE-based method for their Java processes that enables a "to lowercase" feature leveraging a /L switch: https://www.cloudera.com/documentation/enterprise/5-3-x/topics/cdh_sg_kerbprin_to_sn.html

A simple auth_to_local = RULE:[1:$1]/L would meet our requirements (better yet if we had full PCRE support).

It does not seem to be trivial to change this on the AD or windows client side.  Has the Kerberos team considered adding PCRE support to the RULE functionality or have another method to deal with windows/linux integrations (system that is case aware to one that is case aware and sensitive)?  Are there any alternatives/options/other paths we could entertain?

Thanks for your time and please advise,

Mike



The contents of this email are the property of PNC. If it was not addressed to you, you have no legal right to read it. If you think you received it in error, please notify the sender. Do not forward or copy without permission of the sender. This message may be considered a commercial electronic message under Canadian law or this message may contain an advertisement of a product or service and thus may constitute a commercial electronic mail message under US law. You may unsubscribe at any time from receiving commercial electronic messages from PNC at http://pages.e.pnc.com/globalunsub/
PNC, 249 Fifth Avenue, Pittsburgh, PA 15222; pnc.com


________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
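To make the RULE syntax in the message above concrete, here is an added example (not code from MIT krb5, Cloudera, or the poster) that emulates how an auth_to_local line of the form `RULE:[n:string](regexp)s/pattern/replacement/g` is evaluated, plus `DEFAULT`, and adds the Hadoop-style `/L` lowercase suffix as an assumption about how such a flag would behave. The realm `CORP.EXAMPLE.COM` and all principal names are constructed. It goes slightly beyond the single rule in the message: it also shows why a rule that never inspects `$0` (the realm) hands the same local account to a same-named principal from any realm the host accepts, and how a realm-scoped rule with `/L` avoids that.

```python
"""Emulator for auth_to_local RULE evaluation (added example, not MIT krb5 or
Cloudera code).  The /L suffix is the Hadoop-style extension discussed in the
thread and is an assumption here, not an MIT feature.  Realm and principal
names below are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    ncomp: int                          # number of components the principal must have
    fmt: str                            # "$0" = realm, "$1".."$n" = components
    regexp: Optional[str]               # optional regexp the formatted string must match
    subs: List[Tuple[str, str, bool]]   # (pattern, replacement, global) in order
    lowercase: bool                     # Hadoop-style /L (assumption): lowercase the result


_HEAD = re.compile(r"^RULE:\[(\d+):([^\]]*)\]")


def _take_regexp(text: str):
    """text starts with '('; return (regexp, remainder), honouring nesting and escapes."""
    depth, i = 0, 0
    while i < len(text):
        c = text[i]
        if c == "\\":
            i += 2
            continue
        if c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
            if depth == 0:
                return text[1:i], text[i + 1:]
        i += 1
    raise ValueError("unterminated (regexp) in rule")


def _take_sub(text: str):
    """text starts with 's/'; return (pattern, replacement, global_flag, remainder)."""
    delim = text[1]
    parts, cur, i = [], [], 2
    while i < len(text) and len(parts) < 2:
        c = text[i]
        if c == "\\" and i + 1 < len(text):      # keep escapes intact for the regex engine
            cur.extend((c, text[i + 1]))
            i += 2
            continue
        if c == delim:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    if len(parts) != 2:
        raise ValueError("malformed s/pattern/replacement/ in rule")
    glob = text.startswith("g", i)
    return parts[0], parts[1], glob, text[i + 1 if glob else i:]


def parse_rule(rule: str) -> Rule:
    m = _HEAD.match(rule)
    if not m:
        raise ValueError("rule must start with RULE:[n:string]")
    rest = rule[m.end():]
    regexp = None
    if rest.startswith("("):
        regexp, rest = _take_regexp(rest)
    subs = []
    while rest.startswith("s") and len(rest) > 1:   # zero or more s/../../g substitutions
        pat, rep, glob, rest = _take_sub(rest)
        subs.append((pat, rep, glob))
    lowercase = rest == "/L"
    if rest and not lowercase:
        raise ValueError("unparsed rule suffix: %r" % rest)
    return Rule(int(m.group(1)), m.group(2), regexp, subs, lowercase)


def parse_principal(principal: str):
    """'comp1/comp2@REALM' -> (['comp1', 'comp2'], 'REALM').  Escapes are not handled."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError("principal must be name@REALM")
    return name.split("/"), realm


def apply_rule(rule: Rule, principal: str) -> Optional[str]:
    """Return the local name this rule produces, or None if the rule does not apply."""
    comps, realm = parse_principal(principal)
    if len(comps) != rule.ncomp:
        return None
    try:   # expand $0 (realm) and $1..$n (components) in the format string
        s = re.sub(r"\$(\d+)",
                   lambda m: realm if m.group(1) == "0" else comps[int(m.group(1)) - 1],
                   rule.fmt)
    except IndexError:
        return None                       # "$n" beyond the component count: no match
    if rule.regexp is not None and re.fullmatch(rule.regexp, s) is None:
        return None                       # the regexp is anchored to the whole string
    for pat, rep, glob in rule.subs:
        s = re.sub(pat, rep, s, count=0 if glob else 1)
    return s.lower() if rule.lowercase else s


def map_principal(rules: List[str], principal: str, default_realm: str) -> Optional[str]:
    """First rule that applies wins; None means the principal gets no local account."""
    comps, realm = parse_principal(principal)
    for rule in rules:
        if rule == "DEFAULT":             # single-component principal in the default realm
            if realm == default_realm and len(comps) == 1:
                return comps[0]
            continue
        result = apply_rule(parse_rule(rule), principal)
        if result is not None:
            return result
    return None


if __name__ == "__main__":
    REALM = "CORP.EXAMPLE.COM"            # constructed
    rulesets = {
        "unscoped /L   ": ["RULE:[1:$1]/L", "DEFAULT"],
        "realm-scoped /L": [r"RULE:[1:$1@$0](.*@CORP\.EXAMPLE\.COM)s/@.*///L", "DEFAULT"],
    }
    for princ in ["JSMITH@CORP.EXAMPLE.COM", "jdoe@CORP.EXAMPLE.COM",
                  "JSMITH@OTHER.EXAMPLE.NET", "nn/host1.corp.example.com@CORP.EXAMPLE.COM"]:
        for label, rules in rulesets.items():
            print("%-16s %-45s -> %s" % (label, princ, map_principal(rules, princ, REALM)))
```

The unscoped `RULE:[1:$1]/L` does solve the uppercase problem, but because it never looks at `$0` it maps `JSMITH@OTHER.EXAMPLE.NET` to `jsmith` just as readily as the intended `JSMITH@CORP.EXAMPLE.COM`; a regexp that pins the realm closes that gap while keeping a single rule for all 50k users. This emulator is for reasoning about rule order and matching, not a drop-in replacement for the library's own parser, whose substitution syntax may differ in details.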
Re: Regex/PCRE support for auth_to_local RULEs

Greg Hudson
On 09/11/2017 10:50 AM, Protulipac, Michael wrote:
> It does not seem to be trivial to change this on the AD or windows client side.  Has the Kerberos team considered adding PCRE support to the RULE functionality or have another method to deal with windows/linux integrations (system that is case aware to one that is case aware and sensitive)?  Are there any alternatives/options/other paths we could entertain?

I don't think we'd want to add a dependency on the PCRE library from
libkrb5, but I'm open to adding case-folding support in one form or
another.  (I'm not immediately sure how it should work in detail.)

One alternative option (in 1.12 or later) is to create, install, and
register a localauth module:

http://web.mit.edu/kerberos/krb5-latest/doc/plugindev/localauth.html
http://web.mit.edu/kerberos/krb5-latest/doc/plugindev/general.html
http://web.mit.edu/kerberos/krb5-latest/doc/admin/host_config.html#plugin-config
RE: EXTERNAL: Re: Regex/PCRE support for auth_to_local RULEs

Protulipac, Michael
Thanks for the response and consideration.  I understand the reluctance to add the PCRE dependency.  I would be happy to help any way I can in regards to case folding support... provide information and/or testing etc.

I am not sure there is a huge appetite in writing our own module (being part of a bank, they typically frown on rolling/supporting our own) but nonetheless, looks to be an avenue.

Thanks,

Mike
