0

I am new to Kerberos. We are creating a web application that uses Kerberos authentication with Microsoft AD as the KDC. The web app runs on Linux CentOS and acts on behalf of the user (constrained delegation) to:

  1. make http requests to a REST API
  2. connect to a PostgreSQL database.

Now, if I run a kinit with my uppercased username I can successully make http requests. However, I need to run kinit with my lowercased username to connect to the database. How can I make both work at the same time? Caveat: I cannot update AD so usernames are always lowercased. Also, after authentication, authorization still requires the username in its original casing. Schematically, this illustrates the problem:

CLIENT_X > webapp > Postgres (client_x)
CLIENT_X > webapp > API server (CLIENT_X)
Albert-Jan Roskam
  • 21
  • 3

1 Answers1

0

I assume your REST server accepts the kerberos token, then verifies it (either using keytab or round trip to kdc) and obtains the user principal from it. Then on top of that, it builds its own authorization for governing access to REST APIs.
Is your authorization logic based on the principal name or username?

Postgres supports case sensitive usernames, so it makes sense to pass the kerberos token with correct case of principal.
However, as your app is relying on kerberos, means indirectly you are relying on the AD userbase (AD is case-insensitive by default).

Changing your REST API to ignore the case of user principal is one solution I could think of.
Just map the case-insensitive principal name to the username in your app.
If making the above change is not possible in your app, then I think this is a miss-configuration. abc@DOMAIN.COM is different identity than ABC@DOMAIN.COM in kerberos terms.

Bhushan Karmarkar
  • 625
  • 7
  • 22