Anyone has an apache running with mod_auth_kerb AND mod_auth_ldap?

Michael B Allen mba2000 at ioplex.com
Thu Oct 5 13:52:55 EDT 2006


On Thu, 05 Oct 2006 10:13:53 -0700
Russ Allbery <rra at stanford.edu> wrote:

> Michael B Allen <mba2000 at ioplex.com> writes:
> > "Djihangiroff, Matthias (KC-DD)" <Matthias.Djihangiroff at persona.de> wrote:
> 
> >> Anyone out there who's running an Apache with mod_auth_kerb and
> >> mod_auth_ldap?
> >> I'm running an Apache with mod_auth_kerb perfectly.
> 
> >> But we have users who aren't in our Windows AD, so they can't load the
> >> websites protected through mod_auth_kerb.
> >> Is it possible to fall back to mod_auth_ldap, so they can manually type
> >> in their login? (The Apache then checks the user against the LDAP).
> 
> > I don't know the answer to this (my understanding is that trying to
> > stack mod_auth_* modules together is not practical) but I just want to
> > point out that you can use krb5_get_init_creds_password to do Basic so
> > there's no reason to use LDAP at all. In fact using LDAP as a makeshift
> > authentication service is crude and insecure. Whether or not mod_auth_kerb
> > can do it I have no idea.
> 
> mod_auth_kerb can (via BasicAuth), but you need to have the passwords in
> some Kerberos database.  It doesn't help if they're only in LDAP.

I'm a little confused by this statement. If mod_auth_kerb uses
krb5_get_init_creds_password it shouldn't care where passwords are. Also,
AD is a "Kerberos database" and does not store passwords in the DIT
(actually it doesn't store passwords at all AFAIK, only keys).

Mike

-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
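
The Negotiate-plus-password-fallback setup discussed in this thread, as an added configuration example that is not part of the original message or of any poster's setup. The location path, realm name and keytab path are placeholders; the directives are mod_auth_kerb's and mod_ssl's own.

```apache
# Added illustration; /protected, EXAMPLE.COM and the keytab path are placeholders.
<Location "/protected">
    # The password fallback arrives as HTTP Basic, so only accept it over TLS.
    SSLRequireSSL

    AuthType Kerberos
    AuthName "Kerberos Login"

    # Try Negotiate (SPNEGO) first for clients that already hold a ticket.
    KrbMethodNegotiate On
    # Otherwise prompt for a username and password and check them against the KDC.
    KrbMethodK5Passwd On

    KrbAuthRealms EXAMPLE.COM
    Krb5Keytab /etc/httpd/conf/http.keytab

    # Verify the obtained ticket against the local keytab, so a spoofed KDC
    # reply cannot make a wrong password look valid.
    KrbVerifyKDC On

    Require valid-user
</Location>
```

With this in place, users without a ticket can type their password, but as noted in the thread the account still has to exist in a Kerberos realm listed in KrbAuthRealms.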
