Automagic Kerberos/LDAP integration on Apache

Sean Myers smyers at americanri.com
Wed Mar 28 09:27:08 EDT 2007


I would care quite a lot, and likely contribute.

--
Sean Myers
System Administrator
American Research Institute
(919) 228-4961


Edward Murrell wrote:
> Hi all,
> 
> This might be somewhat off topic, so if the admins nuke it I won't be
> offended, but I'm not quite sure where else to post it, and people who
> use Kerberos might be interested.
> 
> I'm in the process of writing an automagical
> Authorization/Authentication module for PHP to work with Kerberos and
> LDAP, and I'm curious to know if it would be worth putting it up on
> sourceforge, and if anyone else would use it.
> 
> The module requires http://sourceforge.net/projects/modauthkerb , and
> uses this to get a string describing the connecting user. From this, it
> guesses the DNS domain, queries that domain for SRV
> records for LDAP servers, and talks to those LDAP servers for user
> information. Because this is all automagic, no configuration is
> required. Currently it only supports RFC 2307 LDAP schema, although
> patches for anything that supports the LDAP protocol would be awesome.
> 
> So from the current setup it does something like this:
> 
> edward at EXAMPLE.COM
> => DNS example.com
> => LDAP branch: dc=example,dc=com
> => LDAP servers: Query SRV _ldaps._tcp.dlconsulting.com &
> _ldap._tcp.dlconsulting.com
> 
> It will attempt to connect to each of the LDAP servers in turn, until it
> finds something that knows about the user specified in the initial
> Kerberos principal. You can then query the module for information about
> the user, the groups it's in, information about those groups, and
> information about other users.
> 
> Effort has gone into avoiding more round trips than necessary, and in
> the future I'll look into doing local caching.
> 
> The current version runs. It's not pretty, but it's a complete rewrite
> from my original ugly as hell prototype into a nice happy PHP5 object.
> 
> Would anyone else find this useful? I've got authorization from my boss
> to share this under the GPL if anyone would care.
> 
> Regards
> Edward Murrell
> edward at dlconsulting.com
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
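
The principal-to-LDAP mapping described in the quoted message, as an added PHP example that is not part of the original thread and is not the module's code. The function names plan_lookup and order_srv, the realm validation step and the sample SRV answers are assumptions made for illustration.

```php
<?php
// Added illustration; function names are hypothetical, not the module's API.

// Split "user@REALM" (the string mod_auth_kerb hands to the application) and
// derive the DNS domain, LDAP base DN and SRV owner names from the realm.
function plan_lookup(string $principal): array {
    $at = strrpos($principal, '@');
    if ($at === false || $at === 0) {
        throw new InvalidArgumentException('no realm in principal');
    }
    $user   = substr($principal, 0, $at);
    $domain = strtolower(substr($principal, $at + 1));
    // Assumption: accept only hostname-style labels, so the realm cannot
    // smuggle DN or DNS metacharacters into the later lookups.
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    if (!preg_match('/^' . $label . '(?:\.' . $label . ')+$/D', $domain)) {
        throw new InvalidArgumentException('realm is not a DNS-style name');
    }
    return [
        'user'    => $user,
        'domain'  => $domain,
        'base_dn' => 'dc=' . implode(',dc=', explode('.', $domain)),
        // LDAPS is listed first so a TLS-protected server is tried first.
        'srv'     => ["_ldaps._tcp.$domain", "_ldap._tcp.$domain"],
    ];
}

// Order SRV answers shaped like dns_get_record($name, DNS_SRV) rows:
// lowest 'pri' first, then highest 'weight'. RFC 2782 asks for a weighted
// random choice within one priority; the fixed order is a simplification.
function order_srv(array $records): array {
    usort($records, fn($a, $b) =>
        [$a['pri'], $b['weight']] <=> [$b['pri'], $a['weight']]);
    return array_map(fn($r) => $r['target'] . ':' . $r['port'], $records);
}

$plan = plan_lookup('edward@EXAMPLE.COM');   // example principal from the post
$answers = [                                  // constructed sample SRV answers
    ['pri' => 10, 'weight' => 20, 'port' => 636, 'target' => 'ldap2.example.com'],
    ['pri' => 0,  'weight' => 50, 'port' => 636, 'target' => 'ldap1.example.com'],
    ['pri' => 10, 'weight' => 80, 'port' => 636, 'target' => 'ldap3.example.com'],
];
print_r($plan);                 // domain, base DN and SRV names to query
print_r(order_srv($answers));   // servers in the order they would be tried
```

In a live deployment the $answers array would come from dns_get_record() on each name in $plan['srv'], and each server would be tried in the returned order until one knows the user.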


