Anyone has an apache running with mod_auth_kerb AND mod_auth_ldap?

Russ Allbery rra at stanford.edu
Thu Oct 5 14:46:56 EDT 2006


Michael B Allen <mba2000 at ioplex.com> writes:
> Russ Allbery <rra at stanford.edu> wrote:

>> It only does Kerberos authentication.  If the passwords are stored as
>> encrypted hashes in an LDAP directory server (which is what people
>> normally mean when they talk about "LDAP authentication"), it doesn't
>> help.

> Actually I think mod_auth_ldap just uses ldap_bind functions to
> "authenticate" so the passwords "stored as encrypted hashes" part still
> confuses me a little.

The typical LDAP server can usually authenticate users in several
different ways, from GSSAPI via SASL to doing callouts behind the scenes
to verify a provided password against Kerberos.  Far and away the most
common way of using an LDAP server to do authentication, however, is to
store an MD5 or similar hash of the password in an attribute and then
having the server compare hashes when the user tries to bind.  I usually
assume that method is what people are talking about when they say that
they want to authenticate against LDAP, since people who have set up other
things usually know to use more specific terminology.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>



More information about the Kerberos mailing list