Anyone has an apache running with mod_auth_kerb AND mod_auth_ldap?

Russ Allbery rra at
Thu Oct 5 14:10:27 EDT 2006

Michael B Allen <mba2000 at> writes:
> Russ Allbery <rra at> wrote:

>> mod_auth_kerb can (via BasicAuth), but you need to have the passwords
>> in some Kerberos database.  It doesn't help if they're only in LDAP.

> I'm a little confused by this statement. If mod_auth_kerb uses
> krb5_get_init_creds_password it shouldn't care where passwords are.

It only does Kerberos authentication.  If the passwords are stored as
encrypted hashes in an LDAP directory server (which is what people
normally mean when they talk about "LDAP authentication"), it doesn't

> Also, AD is a "Kerberos database" and does not store passwords in the
> DIT (actually it doesn't store passwords at all AFAIK, only keys).

Yes, the original question was how to handle authentication of the users
at that site who *aren't* in AD.  The original poster wasn't completely
clear on where the passwords *are* stored, but based on the question, I
presume they're encrypted hashes in LDAP.

You're correct and I was sloppy in my wording -- normally, Kerberos KDCs
only store keys, not passwords.

Russ Allbery (rra at             <>

More information about the Kerberos mailing list