stnoonan / spnego-http-auth-nginx-module

SPNEGO HTTP Authentication Module for nginx

How to Decode SPNEGO token in the logs? #140

Closed lavih closed 1 year ago

lavih commented 1 year ago

Hey @stnoonan, thank you for this great tool!! I would like to ask: how can I decode, in a human-readable format, the decoded token / www-authenticate header that I'm seeing in the nginx logs, so I can see the identity of the logged-in user, and later on get his Active Directory groups?

hawicz commented 1 year ago

You might find https://github.com/elric1/gss-token useful, at least for the decoding-the-token bit. Getting the groups, especially if you want to retrieve them from the PAC, is a whole separate thing.
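What is readable in a logged `Negotiate` value without the service key, as an added example that is not part of the original thread or of either project's code: the token is base64-encoded DER, and only the outer SPNEGO framing (the offered mechanisms) is cleartext, while the client principal sits in the encrypted part of the Kerberos ticket. The function names and `SAMPLE` are constructed for illustration.

```python
import base64

MECHS = {"1.2.840.113554.1.2.2": "Kerberos 5", "1.2.840.48018.1.2.2": "MS Kerberos 5",
         "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}

# Constructed sample, not from a real log: a 4-byte placeholder stands in for the AP-REQ.
SAMPLE = "Negotiate " + base64.b64encode(bytes.fromhex(
    "602f06062b0601050502a0253023a019301706092a864886f712010202"
    "060a2b06010401823702020aa206040454455354")).decode()

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated token")
    return tag, buf[pos:pos + length], pos + length

def children(body):
    """Yield (tag, value) for each DER element packed in body."""
    pos = 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        yield tag, val

def oid_str(der):
    """Decode OID content bytes to dotted form (first arc 0 or 1 only)."""
    arcs, val = [der[0] // 40, der[0] % 40], 0
    for b in der[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def describe_negotiate(header_value):
    """Summarise the unencrypted framing of a 'Negotiate <base64>' value."""
    raw = base64.b64decode(header_value.split(None, 1)[1])
    tag, body, _ = read_tlv(raw)
    if tag != 0x60 or oid_str(read_tlv(body)[1]) != "1.3.6.1.5.5.2":
        raise ValueError("not a SPNEGO NegTokenInit")  # e.g. raw NTLM or bare Kerberos
    pos = read_tlv(body)[2]
    # [0] NegTokenInit -> SEQUENCE -> fields keyed by context tag
    fields = dict(children(read_tlv(read_tlv(body, pos)[1])[1]))
    oids = [oid_str(v) for _, v in children(read_tlv(fields[0xA0])[1])]  # mechTypes
    token = read_tlv(fields[0xA2])[1] if 0xA2 in fields else b""  # mechToken
    return {"mechs": [MECHS.get(o, o) for o in oids], "mech_token_len": len(token)}
```

`describe_negotiate(SAMPLE)` reports the two offered mechanisms and the size of the inner token; the inner Kerberos token itself stays opaque here.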

lavih commented 1 year ago

@hawicz, thank you for your answer. When trying to compile the tool using 'make', it seems like I hit this issue: https://github.com/elric1/gss-token/issues/1

```
/tmp/gss-token.c:661: undefined reference to `gss_name_to_oid'
/tmp/gss-token.c:578: undefined reference to `gss_oid_to_name'
```

But I see no comments on it.

Regarding the authorization part, what do you think is the best approach for restrictions based on LDAP/AD groups?

Thanks

hawicz commented 1 year ago

I think you'd need to install and build against the Heimdal Kerberos libs. For groups, I don't know if anyone has actually implemented any code to decode the Windows PAC on Unix, so you're probably going to need to do some LDAP queries against AD.

lavih commented 1 year ago

Thank you for the help, I have a direction now :) Closing the issue