We have configured Apache to use Kerberos authentication. Apache sends the "X-Authenticated-User" header with only the username. For example:
AD domain login: smith_j@c.foo.example.com
Request Header name: 'x-authenticated-user' value: '[Smith_j@FOO.EXAMPLE.COM]'
AD domain login: dibley_j@division.foo.example.com
Request Header name: 'x-authenticated-user' value: '[dibley_j.division@FOO.EXAMPLE.COM]'
My question is: how can I get the original AD username in the Apache header, such as "smith_j@c.foo.example.com" or "dibley_j@division.foo.example.com"?
Here is my configuration:
[root@server]$ sudo cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm =
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
FOO.EXAMPLE.COM = {
kdc = foo.example.com
admin_server = foo.example.com
}
[domain_realm]
.foo.example.com = FOO.EXAMPLE.COM
foo.example.com = FOO.EXAMPLE.COM
======================================================================
[root@server]$ sudo cat server.conf
<VirtualHost *:80>
    .....
    .....
    .....
    RewriteEngine On
    RewriteCond %{LA-U:REMOTE_USER} (.+)
    RewriteRule . - [E=RU:%1]
    RequestHeader set X-Authenticated-User %{RU}e
    Header set X-Authenticated-User %{RU}e
    RequestHeader set Host "site.foo.example.com"
    <Location />
        AuthType Kerberos
        AuthName "Kerberos Login"
        KrbMethodNegotiate On
        KrbMethodK5Passwd Off
        Krb5KeyTab /etc/httpd/conf/http.keytab
        require valid-user
    </Location>
    .....
    .....
    .....
</VirtualHost>