Anyone has an apache running with mod_auth_kerb AND mod_auth_ldap?

Michael B Allen mba2000 at
Thu Oct 5 13:52:55 EDT 2006

On Thu, 05 Oct 2006 10:13:53 -0700
Russ Allbery <rra at> wrote:

> Michael B Allen <mba2000 at> writes:
> > "Djihangiroff, Matthias (KC-DD)" <Matthias.Djihangiroff at> wrote:
> >> Anyone out there whos running an Apache with mod_auth_kerb and
> >> mod_auth_ldap?
> >> Im running an Apache with mod_auth_kerb perfectly.
> >> But we have users, which arent in our Windows AD, so they cant load the
> >> websites protected through mod_auth_kerb.
> >> Is it possible to fall back to mod_auth_ldap, so they can manualy type
> >> in their login? (The Apache than check the user against the LDAP).
> > I don't know the answer to this (my understanding is that trying to
> > stack mod_auth_* modules together is not practical) but I just want to
> > point out that you can use krb5_get_init_creds_password to do Basic so
> > there's no reason to use LDAP at all. In fact using LDAP as a make-shift
> > authentication service is crude and insecure. Wether or not mod_auth_kerb
> > can do it I have no idea.
> mod_auth_kerb can (via BasicAuth), but you need to have the passwords in
> some Kerberos database.  It doesn't help if they're only in LDAP.

I'm a little confused by this statement. If mod_auth_kerb uses
krb5_get_init_creds_password it shouldn't care where passwords are. Also,
AD is a "Kerberos database" and does not store passwords in the DIT
(actually it doesn't store passwords at all AFAIK, only keys).


Michael B Allen
PHP Active Directory SSO

More information about the Kerberos mailing list