Automagic Kerberos/LDAP integration on Apache
Sean Myers
smyers at americanri.com
Wed Mar 28 09:27:08 EDT 2007
I would care quite a lot, and likely contribute.
--
Sean Myers
System Administrator
American Research Institute
(919) 228-4961
Edward Murrell wrote:
> Hi all,
>
> This might be somewhat off topic, so if the admins nuke it I won't be
> offended, but I'm not quite sure where else to post it, and people who
> use Kerberos might be interested.
>
> I'm in the process of writing an automagical
> Authorization/Authentication module for PHP to work with Kerberos and
> LDAP, and I'm curious to know if it would be worth putting it up on
> sourceforge, and if anyone else would use it.
>
> The module requires http://sourceforge.net/projects/modauthkerb , and
> uses this to get a string describing the connecting user. From this, it
> guesses the DNS domain, queries that domain for SRV
> records for LDAP servers, and talks to those LDAP servers for user
> information. Because this is all automagic, no configuration is
> required. Currently it only supports RFC 2307 LDAP schema, although
> patches for anything that supports the LDAP protocol would be awesome;
>
> So from the current setup it does something like this;
>
> edward@EXAMPLE.COM
> => DNS example.com
> => LDAP branch: dc=example,dc=com
> => LDAP servers: Query SRV _ldaps._tcp.dlconsulting.com &
> _ldap._tcp.dlconsulting.com
>
> It will attempt to connect to each of the LDAP servers in turn, until it
> finds something that knows about the user specified in the initial
> Kerberos principal. You can then query the module for information about
> the user, the groups it's in, information about those groups, and
> information about other users.
>
> Effort has gone into avoiding more round trips than necessary, and in
> the future I'll look into doing local caching.
>
> The current version runs. It's not pretty, but it's a complete rewrite
> from my original ugly as hell prototype into a nice happy PHP5 object.
>
> Would anyone else find this useful? I've got authorization from my boss
> to share this under the GPL if anyone would care.
>
> Regards
> Edward Murrell
> edward at dlconsulting.com
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
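
The principal-to-LDAP mapping described in the quoted message, written out in PHP as an added example; it is not code from the module or from either poster. The function names and the sample SRV records are hypothetical and constructed for illustration, and PHP 7.4 or later is assumed.

```php
<?php
// Added illustration: function names are hypothetical, not the module's API.

// "user@REALM" -> [user, dns-domain]. The strict pattern rejects service or
// instance principals (user/admin@REALM) and any LDAP filter metacharacters.
function principal_to_domain(string $principal): array {
    $re = '/^([A-Za-z0-9._-]+)@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)$/';
    if (!preg_match($re, $principal, $m)) {
        throw new InvalidArgumentException('unexpected principal format');
    }
    return [$m[1], strtolower($m[2])];
}

// example.com -> dc=example,dc=com (labels were already validated above).
function domain_to_base_dn(string $domain): string {
    return 'dc=' . implode(',dc=', explode('.', $domain));
}

// Order SRV answers: LDAPS before plain LDAP, then lowest priority first, then
// highest weight (a simplification of RFC 2782 weighted selection).
function order_ldap_servers(array $ldaps, array $ldap): array {
    $out = [];
    foreach ([['ldaps', $ldaps], ['ldap', $ldap]] as [$scheme, $records]) {
        usort($records, fn($a, $b) =>
            [$a['pri'], $b['weight']] <=> [$b['pri'], $a['weight']]);
        foreach ($records as $r) {
            $out[] = sprintf('%s://%s:%d', $scheme, rtrim($r['target'], '.'), $r['port']);
        }
    }
    return $out;
}

// Constructed input. Live code would read the principal from
// $_SERVER['REMOTE_USER'] and call dns_get_record("_ldaps._tcp.$domain", DNS_SRV).
// SRV answers are unauthenticated unless DNSSEC-validated, so verify the
// LDAPS server certificate before sending any query.
[$user, $domain] = principal_to_domain('edward@EXAMPLE.COM');
$ldaps = [
    ['pri' => 10, 'weight' => 5, 'port' => 636, 'target' => 'ldap2.example.com'],
    ['pri' => 0,  'weight' => 5, 'port' => 636, 'target' => 'ldap1.example.com'],
];
$ldap = [['pri' => 0, 'weight' => 5, 'port' => 389, 'target' => 'ldap1.example.com']];

echo 'base DN: ', domain_to_base_dn($domain), "\n";
echo "filter:  (&(objectClass=posixAccount)(uid=$user))\n";
echo implode("\n", order_ldap_servers($ldaps, $ldap)), "\n";
```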