Kerberos for authentication, php for authorization

Michael B Allen mba2000 at ioplex.com
Fri Jun 8 12:34:19 EDT 2007


On Fri, 8 Jun 2007 09:00:09 +0100
Simon Wilkinson <simon at sxw.org.uk> wrote:

> Ultimately, this means you may need to have a keytab containing
> multiple different principals for your service, and have
> mod_auth_kerb accept any one of these principals. Unfortunately, the
> code isn't there to do that in current mod_auth_kerb's.

This seems odd to me. The krb5 lib should automatically seek out the
right key by searching for the desired principal, enctype and kvno.

I have tested this. The setup script for our product will generate a
keytab with an entry for each SPN mapped to the Windows account. Then
you can use any one of those hostnames and it works equally well.

What is it that mod_auth_kerb is doing differently?

Mike

-- 
Michael B Allen
PHP Active Directory Kerberos SSO
http://www.ioplex.com/
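
Added example, not part of the original message and not code from mod_auth_kerb or the krb5 library: a minimal Python model of the lookup discussed above, parsing a keytab (file format 0x0502) and selecting an entry by principal, enctype and kvno. The hostnames, realm and key bytes are constructed, and `pack_entry`, `parse_keytab` and `find_key` are hypothetical helper names; treating 0 as "any enctype" and "highest kvno" follows the convention of `krb5_kt_get_entry`.

```python
import struct

def pack_entry(principal, kvno, enctype, key):
    """Serialize one entry in keytab file format 0x0502 (big-endian)."""
    name, realm = principal.split("@")
    parts = [realm.encode()] + [c.encode() for c in name.split("/")]
    body = struct.pack(">H", len(parts) - 1) + b"".join(
        struct.pack(">H", len(s)) + s for s in parts)
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, enctype)  # name type, time, vno8
    body += struct.pack(">H", len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return [(principal, kvno, enctype, key), ...] from a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                                # negative size = deleted slot
            pos += -size
            continue
        end, p, fields = pos + size, pos + 2, []
        (ncomp,) = struct.unpack_from(">H", data, pos)
        for _ in range(ncomp + 1):                   # realm first, then components
            (n,) = struct.unpack_from(">H", data, p)
            fields.append(data[p + 2:p + 2 + n].decode())
            p += 2 + n
        _ntype, _ts, kvno, enctype, klen = struct.unpack_from(">IIBHH", data, p)
        p += 13
        key = data[p:p + klen]
        if end - (p + klen) >= 4:                    # 32-bit kvno overrides vno8
            (kvno,) = struct.unpack_from(">I", data, p + klen)
        entries.append(("/".join(fields[1:]) + "@" + fields[0], kvno, enctype, key))
        pos = end
    return entries

def find_key(entries, principal, enctype=0, kvno=0):
    """Match on principal, enctype and kvno; 0 means any enctype / highest kvno."""
    hits = [e for e in entries if e[0] == principal
            and enctype in (0, e[2]) and kvno in (0, e[1])]
    return max(hits, key=lambda e: e[1], default=None)

# Constructed sample: two SPNs sharing one placeholder key, plus an older kvno.
SAMPLE = b"\x05\x02" + b"".join([
    pack_entry("HTTP/www.example.com@EXAMPLE.COM", 2, 18, b"\x11" * 32),
    pack_entry("HTTP/www.example.com@EXAMPLE.COM", 3, 18, b"\x22" * 32),
    pack_entry("HTTP/intranet.example.com@EXAMPLE.COM", 3, 18, b"\x22" * 32),
])
```

Enctype 18 is aes256-cts-hmac-sha1-96. A lookup for a principal that has no entry in the keytab returns `None`, which is the case a service hits when the ticket names an SPN the keytab does not contain.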


