Add a domain whitelist to Auth::Kerberos
Summary
- When using Kerberos to authenticate users from multiple domains, we use a combination rule like this:
[Kerberos, AD1] or [Kerberos, AD2] or [Kerberos, AD3]
But because the rule is evaluated in order, a user@DOMAIN2 will be authenticated as user@DOMAIN1 if a user with the same name exists in DOMAIN1.
Design proposition
I would like to add a krbAllowedDomains parameter to the Kerberos Auth module, so that the rule can be rewritten like this:
[Kerberos1, AD1] or [Kerberos2, AD2] or [Kerberos3, AD3]
Kerberos1, Kerberos2 and Kerberos3 will each have an overloaded krbAllowedDomains value, so that each Kerberos realm is matched precisely to its home LDAP server.
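To make the ordering problem and the effect of the proposed whitelist concrete, here is a small Python model of the "or" combination rule. It is an added illustration, not LemonLDAP::NG code: the KerberosModule class, the DIRECTORIES sample data, the realm-to-backend pairing (DOMAIN1 with AD1 and so on) and the shape of the krbAllowedDomains setting are all assumptions made for the example. The rule is evaluated left to right, and the first pair whose Kerberos instance accepts the principal's realm and whose backend knows the login wins; without a whitelist, user@DOMAIN2 is bound to the account of the same name in AD1.

```python
from dataclasses import dataclass

# Constructed sample directories: backend name -> logins known to it.
# These are illustrative only, not a real Active Directory.
DIRECTORIES = {
    "AD1": {"user", "alice"},
    "AD2": {"user", "bob"},
    "AD3": {"carol"},
}


@dataclass
class KerberosModule:
    """Model of one Auth::Kerberos instance combined with an LDAP backend.

    allowed_domains models the hypothetical krbAllowedDomains setting;
    an empty tuple means "accept any realm", i.e. today's behaviour.
    """
    name: str
    backend: str
    allowed_domains: tuple = ()

    def accepts_realm(self, realm):
        if not self.allowed_domains:
            return True
        # Kerberos realms are conventionally upper-case; compare case-insensitively.
        return realm.upper() in {d.upper() for d in self.allowed_domains}


def split_principal(principal):
    """Split 'user@REALM' into (user, REALM).

    A principal without a realm is rejected so that a bare login can never
    be matched to the first backend in the rule by accident.
    """
    if "@" not in principal:
        raise ValueError("principal has no realm: %r" % principal)
    user, realm = principal.rsplit("@", 1)
    if not user or not realm:
        raise ValueError("malformed principal: %r" % principal)
    return user, realm


def evaluate_or_rule(modules, principal):
    """Evaluate '[K1, AD1] or [K2, AD2] or ...' left to right.

    Returns 'login@BACKEND' for the first pair whose Kerberos instance accepts
    the realm and whose backend knows the login, or None if nothing matches.
    """
    user, realm = split_principal(principal)
    for module in modules:
        if not module.accepts_realm(realm):
            continue
        if user in DIRECTORIES[module.backend]:
            return "%s@%s" % (user, module.backend)
    return None


# Current behaviour: one Kerberos configuration reused three times, no whitelist.
WITHOUT_WHITELIST = [
    KerberosModule("Kerberos", "AD1"),
    KerberosModule("Kerberos", "AD2"),
    KerberosModule("Kerberos", "AD3"),
]

# Proposed behaviour: each instance restricted to its own realm.
WITH_WHITELIST = [
    KerberosModule("Kerberos1", "AD1", ("DOMAIN1",)),
    KerberosModule("Kerberos2", "AD2", ("DOMAIN2",)),
    KerberosModule("Kerberos3", "AD3", ("DOMAIN3",)),
]


if __name__ == "__main__":
    print(evaluate_or_rule(WITHOUT_WHITELIST, "user@DOMAIN2"))  # user@AD1, the wrong account
    print(evaluate_or_rule(WITH_WHITELIST, "user@DOMAIN2"))     # user@AD2
    print(evaluate_or_rule(WITH_WHITELIST, "user@DOMAIN4"))     # None, realm not whitelisted anywhere
```

The third call shows a useful side effect of the whitelist: a principal from a realm that is not paired with any backend is rejected instead of being looked up by bare login in every directory.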