Anyone has an apache running with mod_auth_kerb AND mod_auth_ldap?

Russ Allbery rra at
Thu Oct 5 05:05:17 EDT 2006

"Djihangiroff, Matthias (KC-DD)" <Matthias.Djihangiroff at> writes:

> Anyone out there whos running an Apache with mod_auth_kerb and
> mod_auth_ldap?  Im running an Apache with mod_auth_kerb perfectly.

> But we have users, which arent in our Windows AD, so they cant load the
> websites protected through mod_auth_kerb.  Is it possible to fall back
> to mod_auth_ldap, so they can manualy type in their login? (The Apache
> than check the user against the LDAP).

> I cant get running both of these modules simultanely.

At least in Apache 2.0, it is extremely difficult in Apache to get two
authentication modules to co-exist; Apache by and large considers any
particular portion of the URL space to be protected by only one
authentication scheme (possibly combined with IP address restrictions).
This is partly a limitation of Apache (particularly the configuration
syntax) and partly related to difficulties in the HTTP protocol (you can't
easily negotiate and attempt multiple authentication protocols in turn).

However, that being said, mod_auth_kerb does support:

KrbDelegateBasic on | off       (set to off by default)
   If set to 'on' this options causes that Basic authentication is always
   offered regardless setting the KrbMethodK[45]Pass directives. Then, if 
   a Basic authentication header arrives authentication decision is passed
   along to another modules. This option is a work-around for insufficient
   authentication scheme in Apache (Apache 2.1 seems to provide better support
   for multiple various authentication mechanisms).

The trick is that for this to work properly, mod_auth_kerb needs to go
first and then the other authentication module needs to follow
afterwards in the processing stack.  That's something that modules can
control in their own C code to some extent, but I don't know how you'd
control this from outside without making code modifications.

There is in theory a reworking of this in Apache 2.2, but I've been
completely unable to find any documentation for the changes outside of the
tantalizing hint in the Apache 2.2 release notes:

    The bundled authentication and authorization modules have been renamed
    along the following lines:

    * mod_auth_* -> Modules that implement an HTTP authentication mechanism
    * mod_authn_* -> Modules that provide a backend authentication provider
    * mod_authz_* -> Modules that implement authorization (or access)
    * mod_authnz_*-> Module that implements both authentication & authorization

    There is a new authentication backend provider scheme which greatly
    eases the construction of new authentication backends.

If anyone knows where this is all fully documented, I'd love to hear it.

Russ Allbery (rra at             <>

More information about the Kerberos mailing list