Closed: lavih closed this issue 1 year ago
You might find https://github.com/elric1/gss-token useful, at least for the decoding the token bit. Getting the groups, especially if you want to retrieve them from the PAC, is a whole separate thing.
@hawicz, thank you for your answer.
When trying to compile the tool using 'make', it seems like I hit this issue: https://github.com/elric1/gss-token/issues/1
```
/tmp/gss-token.c:661: undefined reference to `gss_name_to_oid'
/tmp/gss-token.c:578: undefined reference to `gss_oid_to_name'
```
But I see no comments on it.
Regarding the authorization part, what do you think is the best approach for restrictions based on ldap/AD groups?
Thanks
I think you'd need to install and build against the Heimdal Kerberos libs. For groups, I don't know if anyone has actually implemented any code to decode the Windows PAC on Unix, so you're probably going to need to do some LDAP queries against AD.
Thank you for the help, I have a direction now :) Closing the issue
Hey @stnoonan, thank you for this great tool!! I would like to ask: how can I decode, in a human-readable format, the decoded token / www-authenticate header that I'm seeing in the nginx logs, so I can see the identity of the logged-in user, and later on get his Active Directory groups?
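For the token-decoding part of the question, here is an added example (not from this thread and not gss-token's code) that reads only the unencrypted outer framing of a logged `Negotiate` value and reports which mechanisms the client sent. The function names and the sample token are constructed for illustration; the client principal cannot be read this way, because it sits in the encrypted part of the Kerberos ticket and needs the service key.

```python
import base64

MECHS = {"1.3.6.1.5.5.2": "SPNEGO", "1.2.840.113554.1.2.2": "Kerberos 5",
         "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}
# Constructed sample: SPNEGO NegTokenInit offering Kerberos 5 and NTLMSSP
SAMPLE_HEADER = "Negotiate " + base64.b64encode(bytes.fromhex(
    "602f06062b0601050502a0253023a019301706092a864886f712010202"
    "060a2b06010401823702020aa2060404deadbeef")).decode()

def tlv(buf, pos, want):
    """Read one DER TLV at pos, check its tag; return (value, next_pos)."""
    tag, length = buf[pos:pos + 2]  # ValueError if fewer than 2 bytes remain
    pos += 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if tag != want or pos + length > len(buf):
        raise ValueError("unexpected tag or truncated token")
    return buf[pos:pos + length], pos + length

def mech(oid):
    """Decode DER OID content bytes to a known name or dotted string."""
    arcs = [0]  # last element is the arc currently being accumulated
    for b in oid:
        arcs[-1] = (arcs[-1] << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(0)
    top = min(arcs[0] // 40, 2)  # first byte packs the first two arcs
    dotted = ".".join(map(str, [top, arcs[0] - 40 * top] + arcs[1:-1]))
    return MECHS.get(dotted, dotted)

def describe_negotiate(header_value):
    """Return the outer mechanism and any SPNEGO mechTypes offered."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        raise ValueError("not a Negotiate header carrying a token")
    tok = base64.b64decode(b64, validate=True)
    if tok.startswith(b"NTLMSSP\x00"):  # raw NTLM, no GSS-API framing
        return {"outer": "NTLMSSP", "offered": []}
    body, _ = tlv(tok, 0, 0x60)    # GSS-API InitialContextToken
    oid, pos = tlv(body, 0, 0x06)  # thisMech
    result = {"outer": mech(oid), "offered": []}
    if result["outer"] == "SPNEGO":
        seq, _ = tlv(tlv(body, pos, 0xA0)[0], 0, 0x30)  # NegTokenInit
        types, _ = tlv(tlv(seq, 0, 0xA0)[0], 0, 0x30)   # [0] mechTypes
        while types:
            oid, used = tlv(types, 0, 0x06)
            result["offered"].append(mech(oid))
            types = types[used:]
    return result
```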