Re: Segfaults with mod_auth_kerb?

Hi,

        apologies for following up my own question!

Neil A. Hillard wrote:
> Neil A. Hillard wrote:
>>      as you may be aware I've managed to get mod_auth_kerb working against a
>> third party's Windows 2000 KDC.
>>
>>      Whilst testing I had a page that just displayed a 'congratulations'
>> message and the username that they had authenticated as.
>>
>>      I've now pointed Apache at the real backend server but I'm now seeing
>> segfaults!  If I remove the authentication configuration then the
>> segfaults go away.
>>
>>      I'm currently running worker threads but I have to switch to prefork as
>> I need to run PHP on the same server.  My question is really is 'Is
>> mod_auth_kerb thread safe?'.  If not then switching to prefork will
>> probably resolve this too.
> 
> I can advise that switching to a prefork mpm in Apache has resolved this
> problem.
> 
> I'm now fighting with the backend server which doesn't seem to like the
> @WINDOWSDOMAIN.CO.UK that's on the end of the username.
> 
> Has anyone come up with a RewriteRule to remove this so it's just the
> plain username that's passed to the backend server?
> 
> At the moment I'm using:
> 
> RewriteRule        .* - [env=RU:%{LA-U:REMOTE_USER}]
> RequestHeader      set X-Authenticated-User %{RU}e
> 
> 
> I'd also like to remove the Authorization header from the request to the
>  backend server but if I use:
> 
> RequestHeader unset Authorization it seems to remove it before Apache
> gets to process the request and then just loops at the authentication stage!

After posting the question I re-read the mod_rewrite manual and came up
with the following incantations:

RewriteRule        .* - [env=RU:%{LA-U:REMOTE_USER}]

RewriteCond        %{LA-U:REMOTE_USER} ^(.*)@WINDOWSDOMAIN.CO.UK$
RewriteRule        .* - [env=RU:%1]

RequestHeader      set X-Authenticated-User %{RU}e

This will essentially remove '@WINDOWSDOMAIN.CO.UK' from the header
passed to the backend server but leave any other domains.

I'd still like to remove the 'Authorization' header.  I've done this
before with mod_auth_xradius and mod_proxy without problem but it
doesn't seem to have the same effect with mod_auth_kerb.

Many thanks,


                                Neil.

-- 
Neil Hillard                    hillardn@xxxxxxxxx
Westland Helicopters Ltd.       http://www.whl.co.uk/

Disclaimer: This message does not necessarily reflect the
            views of Westland Helicopters Ltd.


-------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642