Add support for unconstrained delegation, constrained delegation, and auth_gss_authorized_principal_regex #105

Status: Merged (10 commits, Oct 30, 2021)
31 changes: 31 additions & 0 deletions README.md
Expand Up @@ -59,6 +59,12 @@ multiple entries, one per line.
auth_gss_authorized_principal <username>@<realm>
auth_gss_authorized_principal <username2>@<realm>

Users can also be authorized using a regex pattern via the `auth_gss_authorized_principal_regex`
directive. This directive can be used together with the `auth_gss_authorized_principal` directive.

auth_gss_authorized_principal <username>@<realm>
auth_gss_authorized_principal_regex ^(<username>)/(<group>)@<realm>$

The remote user header in nginx can only be set by doing basic authentication.
Thus, this module sets a bogus basic auth header that will reach your backend
application in order to set this header/nginx variable. The easiest way to disable
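Review bot: the `auth_gss_authorized_principal_regex` paragraph should state how the pattern is applied, because an unanchored regex accepts any principal that merely contains a match rather than one that equals it; the example `^(<username>)/(<group>)@<realm>$` happens to be anchored, but the text never says that the `^` and `$` are what stops a principal from a different realm or with extra components from being authorized. Suggest adding one sentence saying the pattern is matched against the full `<username>@<realm>` string, that `^`/`$` anchors should always be used and `.` in the realm escaped, and, since `auth_gss_map_to_local` is documented just below, whether the regex is evaluated against the raw principal or the locally mapped name.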
Expand All @@ -72,6 +78,31 @@ be a sufficient workaround for now.
If you would like to enable GSS local name rules to rewrite usernames, you can
specify the `auth_gss_map_to_local` option.

Credential Delegation
-----------------------------

User credentials can be delegated to nginx using the `auth_gss_delegate_credentials`
directive. This directive will enable unconstrained delegation if the user chooses
to delegate their credentials. Constrained delegation (S4U2proxy) can also be enabled using the
`auth_gss_constrained_delegation` directive together with the `auth_gss_delegate_credentials`
directive. To specify the ccache file name to store the service ticket used for constrained
delegation, set the `auth_gss_service_ccache` directive. Otherwise, the default ccache name
will be used.

auth_gss_service_ccache /tmp/krb5cc_0;
auth_gss_delegate_credentials on;
auth_gss_constrained_delegation on;

The delegated credentials will be stored within the systems tmp directory. Once the
request is completed, the credentials file will be destroyed. The name of the credentials
file will be specified within the nginx variable `$krb5_cc_name`. Usage of the variable
can include passing it to a fcgi program using the `fastcgi_param` directive.

fastcgi_param KRB5CCNAME $krb5_cc_name;

Constrained delegation is currently only supported using the negotiate authentication scheme
and has only been testing with MIT Kerberos (Use at your own risk if using Heimdal Kerberos).

Basic authentication fallback
-----------------------------

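Review bot: the example `auth_gss_service_ccache /tmp/krb5cc_0;` places the service ticket cache under `/tmp` at the path conventionally used for root's default ccache, and the following paragraph says delegated credentials are "stored within the systems tmp directory" without saying who owns the file or with what mode; the docs should state the ownership and permissions the module creates the cache with (the nginx worker user, not world-readable) and recommend a dedicated directory rather than `/tmp`. The paragraph should also make the risk explicit: with `auth_gss_delegate_credentials on` and no constrained delegation, nginx receives a forwardable TGT usable against any service, so `auth_gss_constrained_delegation on` (S4U2proxy) should be recommended wherever the KDC supports it. Minor wording: "systems tmp directory" should be "system's tmp directory", "has only been testing" should be "has only been tested", and "fcgi program" should be "FastCGI program".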