krb_match_realm patch - Mailing list pgsql-hackers

From Stephen Frost
Subject krb_match_realm patch
Date
Msg-id 20071101144151.GU5031@tamriel.snowman.net
Responses Re: krb_match_realm patch  (Magnus Hagander <magnus@hagander.net>)
List pgsql-hackers
Greetings,

Regarding Magnus' patch for matching against the Kerberos realm - I'd see it as much more useful as a multi-value configuration option. Perhaps 'krb_alt_realms' or 'krb_realms'. This would look like:

Match against one, and only one, realm (does not have to be the realm the server is in, that's dealt with separately):
    krb_realms = 'ABC.COM'

Don't worry about the realm ever:
    krb_realms = '' # default, to match current krb5

Match against multiple realms:
    krb_realms = 'ABC.COM, DEF.ABC.COM'

Note that using multiple realms implies either no overlap, or that overlap means the same person.

Additionally, I feel we should have an explicit 'krb_strip_realm' boolean option to enable this behaviour. If 'krb_strip_realm' is 'false' then the full user@REALM would be used. This would mean that more complex cross-realm could also be handled by creating users with user@REALM and then just roles when a given user exists in multiple realms.

I understand that we're in beta now but both of these are isolated and rather small changes, I believe. Also, Magnus has indicated that he'd be willing to adjust his patch accordingly if this is agreed to (please correct me if I'm wrong here :).
     Thanks,
    Stephen
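
The semantics proposed in the message above, as an added example that is not part of Stephen's message or PostgreSQL's code. `krb_realms` and `krb_strip_realm` are the option names from the proposal; `map_principal` and `realm_allowed` are hypothetical helpers, and the example assumes the realm follows the last '@' and is compared as an exact, case-sensitive list entry.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: is `realm` exactly one entry of the comma-separated list? */
static int realm_allowed(const char *realm, const char *list)
{
    size_t rlen = strlen(realm);
    const char *p = list;
    while (*p) {
        p += strspn(p, ", \t");            /* skip separators and blanks */
        size_t n = strcspn(p, ", \t");     /* length of this entry */
        if (n == rlen && n > 0 && strncmp(p, realm, n) == 0)
            return 1;                      /* whole entry only, never a suffix or substring */
        p += n;
    }
    return 0;
}

/* Returns 0 and writes the role name to `out`, or -1 if the login must be rejected. */
int map_principal(const char *principal, const char *krb_realms,
                  int krb_strip_realm, char *out, size_t outlen)
{
    const char *at = strrchr(principal, '@');   /* assumption: realm follows the last '@' */
    const char *realm = at ? at + 1 : "";
    size_t ulen = at ? (size_t)(at - principal) : strlen(principal);
    if (ulen == 0)
        return -1;
    /* Empty krb_realms: the realm is never checked (the proposed default). */
    if (krb_realms[0] != '\0' && !realm_allowed(realm, krb_realms))
        return -1;
    size_t n = krb_strip_realm ? ulen : strlen(principal);
    if (n >= outlen)
        return -1;                              /* never truncate an identity */
    memcpy(out, principal, n);
    out[n] = '\0';
    return 0;
}

int main(void)
{
    char role[64];
    const char *realms = "ABC.COM, DEF.ABC.COM";   /* constructed sample values */
    const char *who[] = { "alice@ABC.COM", "bob@DEF.ABC.COM", "eve@XABC.COM", "carol" };
    for (size_t i = 0; i < 4; i++) {
        int rc = map_principal(who[i], realms, 1, role, sizeof role);
        printf("%-16s -> %s\n", who[i], rc == 0 ? role : "(rejected)");
    }
    return 0;
}
```

With stripping enabled and two realms listed, alice@ABC.COM and alice@DEF.ABC.COM both map to the role alice, which is the overlap case the message says must mean the same person.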