The control API command KERB_USER sets which Kerberos user to use for which mapping. For each mapping, only one Kerberos user can be set. Therefore, a command with a mapping specification overrides any existing value with the same mapping specification. Similarly, a command without a mapping specification overrides the global Kerberos user. Cross-realm authentication is possible with both Kerberos Constrained Delegation (KCD) and Resource Based Kerberos Constrained Delegation (RBKCD).
;; KERB_USER
kerberos-user-command       = kerberos-user-command-name "=" kerberos-user-command-value
kerberos-user-command-name  = "KERB_USER"
kerberos-user-command-value = kerberos-user-values
kerberos-user-values        = kerberos-user-value [ "," kerberos-user-values ]
kerberos-user-value         = percent-encoded-domain-and-user [ "@" [ mapping-name ] ]
domain-and-user             = [ domain ] "\" [ user ]
When a Kerberos user is looked up for the current mapping, the most qualified user is selected. That is, a user entry with a matching mapping is preferred over a user entry without a defined mapping.
If a user is given and no domain is specified, a service ticket will be acquired for the user in the current domain. The current domain is defined by the Kerberos environment configured in the back-end group of the issuing request. If a domain name is given, the service ticket will be acquired for the user in the given domain.
Sending the command with an empty user definition deletes the entry for the given mapping. If both the mapping and the user definitions are empty, all entries are removed.
Example:
The pseudo code examples below show how to use this command.
Set user "john" on mapping "mapping_a"
Pseudo code:
response.header="Set-Cookie: AL_CONTROL="+URL_Encode("KERB_USER="+URL_Encode(UTF8_Encode("john"))+"@mapping_a")
Results in:
Set-Cookie: AL_CONTROL=KERB_USER%3Djohn%40mapping_a
Set user "susan" for all mappings
Pseudo code:
response.header="Set-Cookie: AL_CONTROL="+URL_Encode("KERB_USER="+URL_Encode(UTF8_Encode("susan")))
Results in:
Set-Cookie: AL_CONTROL=KERB_USER%3Dsusan
Set user "thiago" on all mappings with domain specification (cross-domain)
Pseudo code:
response.header="Set-Cookie: AL_CONTROL="+URL_Encode("KERB_USER="+URL_Encode(UTF8_Encode("OTHER_DOMAIN\\thiago")))
Results in:
Set-Cookie: AL_CONTROL=KERB_USER%3DOTHER_DOMAIN%255Cthiago
Remove the entry for mapping "mapping_b"
Pseudo code:
response.header="Set-Cookie: AL_CONTROL="+URL_Encode("KERB_USER="+URL_Encode(UTF8_Encode(""))+"@mapping_b")
Results in:
Set-Cookie: AL_CONTROL=KERB_USER%3D%40mapping_b
Remove all user entries
Pseudo code:
response.header="Set-Cookie: AL_CONTROL="+URL_Encode("KERB_USER="+URL_Encode(UTF8_Encode("")))
Results in:
Set-Cookie: AL_CONTROL=KERB_USER%3D
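
The two encoding layers from the pseudo code above as runnable Python. This is an added example, not part of the original documentation, and it goes beyond the cases shown by checking that a name containing "," and "@" stays a single entry. The function names, the mapping-name check and the parsing order in decode_command are assumptions made for illustration; the hostile name is constructed.

```python
from urllib.parse import quote, unquote

def kerb_user_value(user="", domain=None, mapping=None):
    """One kerberos-user-value: encoded [domain "\\"] user, then optional "@" mapping."""
    principal = f"{domain}\\{user}" if domain else user
    # Inner encoding: ',', '@' and '%' inside the name become %XX, so they
    # cannot be read as list or mapping separators.
    value = quote(principal, safe="")
    if mapping is not None:
        # Assumption: mapping names come from configuration, not from user input.
        # The page does not encode them, so separator characters are rejected.
        if any(c in mapping for c in ",@%"):
            raise ValueError(f"unsafe mapping name: {mapping!r}")
        value += "@" + mapping
    return value

def kerb_user_cookie(*values):
    """Set-Cookie header line carrying KERB_USER with one or more values."""
    command = "KERB_USER=" + ",".join(values)
    # Outer encoding: makes the whole command safe as a cookie value.
    return "Set-Cookie: AL_CONTROL=" + quote(command, safe="")

def decode_command(header):
    """Reverse both layers and return [(domain_and_user, mapping_or_None), ...].
    Assumed order: outer decode, split on ',' and '@', inner decode."""
    command = unquote(header.split("AL_CONTROL=", 1)[1])
    entries = []
    for raw in command.split("=", 1)[1].split(","):
        name, sep, mapping = raw.partition("@")
        entries.append((unquote(name), mapping if sep else None))
    return entries

if __name__ == "__main__":
    print(kerb_user_cookie(kerb_user_value("john", mapping="mapping_a")))
    print(kerb_user_cookie(kerb_user_value("thiago", domain="OTHER_DOMAIN")))
    hostile = "bob,admin@mapping_a"  # constructed name containing separators
    header = kerb_user_cookie(kerb_user_value(hostile))
    print(header)
    print(decode_command(header))  # one global entry, no mapping
```

If the inner encoding step is skipped, the same constructed name would decode as two entries, one of them bound to mapping_a.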