Anyone has an apache running with mod_auth_kerb AND mod_auth_ldap?

Russ Allbery rra at stanford.edu
Thu Oct 5 14:10:27 EDT 2006


Michael B Allen <mba2000 at ioplex.com> writes:
> Russ Allbery <rra at stanford.edu> wrote:

>> mod_auth_kerb can (via BasicAuth), but you need to have the passwords
>> in some Kerberos database.  It doesn't help if they're only in LDAP.

> I'm a little confused by this statement. If mod_auth_kerb uses
> krb5_get_init_creds_password it shouldn't care where passwords are.

It only does Kerberos authentication.  If the passwords are stored as
encrypted hashes in an LDAP directory server (which is what people
normally mean when they talk about "LDAP authentication"), it doesn't
help.

> Also, AD is a "Kerberos database" and does not store passwords in the
> DIT (actually it doesn't store passwords at all AFAIK, only keys).

Yes, the original question was how to handle authentication of the users
at that site who *aren't* in AD.  The original poster wasn't completely
clear on where the passwords *are* stored, but based on the question, I
presume they're encrypted hashes in LDAP.

You're correct and I was sloppy in my wording -- normally, Kerberos KDCs
only store keys, not passwords.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>


