AW: Anyone has an apache running with mod_auth_kerb AND mod_auth_ldap?

Michael B Allen mba2000 at ioplex.com
Tue Oct 10 12:29:14 EDT 2006


On Tue, 10 Oct 2006 08:40:55 +0200
"Djihangiroff, Matthias (KC-DD)" <Matthias.Djihangiroff at persona.de> wrote:

> But it doesn't work.
> If they type in their user PrincipalName, I get an entry in my error log. (Specified realm `persona.de' not allowed by configuration)
<snip>
> > > get a ticket for matthias.djihangiroff at persona.de. But the realm
> > > persona.de doesn't exist (it's konzern.intern) :-)

Ahh, I see. I can think of several possible solutions:

1) Hack mod_kerb_auth to "rewrite" the email address to their correct userPrincipalName
2) Instruct users to use their correct konzern.intern domain
3) Rebuild your entire domain to use persona.de instead of konzern.intern
4) Set up a KDC for persona.de with a trust to konzern.intern

Note I know more about Negotiate auth than I do Kerberos in general so
hopefully someone will chime in if I'm wrong.

-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
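
An added sketch of the realm rewrite suggested in option 1 above; it is not code from the post or from the Apache module, and `rewrite_principal`, `realm_map` and the upper-case realm spelling are assumptions made for illustration. A realm that is not in the table is rejected rather than passed through, so the rewrite cannot widen the set of realms the server accepts.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical alias table: domain typed by the user -> Kerberos realm.
 * Domain names are from the thread; the upper-case realm is an assumption. */
static const struct { const char *alias, *realm; } realm_map[] = {
    { "persona.de",     "KONZERN.INTERN" },
    { "konzern.intern", "KONZERN.INTERN" },
};
static const char *default_realm = "KONZERN.INTERN";
/* Case-insensitive string equality (users type realms in any case). */
static int ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Rewrite login to name@REALM. Returns 0 on success, -1 when the realm is
 * not in the table (rejected, never passed through) or out is too small. */
int rewrite_principal(const char *login, char *out, size_t outlen)
{
    const char *sep = NULL, *realm = default_realm, *p;
    size_t i, namelen;
    for (p = login; *p; p++) {              /* last '@' not escaped as "\@" */
        if (*p == '\\' && p[1]) { p++; continue; }
        if (*p == '@') sep = p;
    }
    namelen = sep ? (size_t)(sep - login) : strlen(login);
    if (namelen == 0) return -1;            /* no user name before the '@' */
    if (sep) {
        for (realm = NULL, i = 0; i < sizeof realm_map / sizeof *realm_map; i++)
            if (ieq(sep + 1, realm_map[i].alias)) realm = realm_map[i].realm;
        if (!realm) return -1;              /* unknown realm: refuse */
    }
    if (namelen + strlen(realm) + 2 > outlen) return -1;
    snprintf(out, outlen, "%.*s@%s", (int)namelen, login, realm);
    return 0;
}

int main(void)
{
    char buf[128];
    if (rewrite_principal("matthias.djihangiroff@persona.de", buf, sizeof buf) == 0)
        puts(buf);
    return 0;
}
```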


