Linux/Apache - combine mod_auth_kerb and ldap - to be or not to be???
kerbie_newbie
zarafield at sky.com
Mon Apr 6 14:47:59 EDT 2009
Hi,
I'm pretty new to this so please excuse any confusion that creeps in ...
I'm hosting a perl based web service on a Linux/Apache box that is accessed
by Windows workstations. I have Kerberos 5 (MIT) wrapping a particular perl
cgi script and all works fine for users who have an Active Directory
account.
I have recently come across a user who, for some reason, had an expired TGT
ticket on his PC. I'm not sure how this happens as it looks to me like every
time you logon/logoff or lock/unlock your Windows PC, your tickets are
managed for you so you always have a valid TGT. As he is on a business PC,
I'm not sure how this happens ... anyways.
What I have been told is that all other systems in the business (that are
all hosted on Windows based servers) will automatically fail over to some
forms based or ldap authentication/ADAM if the initial Kerberos
authentication fails. I have been asked to do the same and provide a means
for non-AD and expired AD/TGT holder users to authenticate against ADAM.
As far as I can tell, when using mod_auth_kerb and selecting kerberos as the
authtype it is pretty much Kerberos or nothing ... is this correct? I can
see no way to intercept the failure.
I think what would be needed is to combine the modules so that Kerberos is
tried first and then maybe something like mod_auth_ldap. I have googled this
to death and cannot see a standard way of doing it (and I'm not touching the
internal Kerberos module code as suggested on one site!!).
I have been told I *must* get this working.
What can I do, or is there a 'simple' explanation I can give as to why I
cannot do it?
Thanks in advance,
kerbie_newbie
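For reference, the fallback mod_auth_kerb offers on its own is not an LDAP bind but a username/password prompt verified against the KDC. The fragment below is an added illustration, not configuration from the poster; the realm, keytab path and location are assumed placeholders.

```apache
# Added example (not the poster's config): Negotiate first, then a
# Basic password prompt checked against the KDC. Realm, keytab path
# and Location are assumed placeholders.
<Location /cgi-bin/protected.pl>
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbAuthRealms EXAMPLE.COM
    KrbServiceName HTTP
    Krb5Keytab /etc/apache2/http.keytab
    # Try SPNEGO/Negotiate (the browser's own ticket) first ...
    KrbMethodNegotiate On
    # ... and if that fails, offer a Basic prompt; the password is
    # checked against the KDC, so a user whose cached TGT has expired
    # but who still has a valid AD account can get in this way.
    KrbMethodK5Passwd On
    # Verify the KDC reply against the keytab so a spoofed KDC cannot
    # accept an arbitrary password.
    KrbVerifyKDC On
    # No credential cache is needed for this CGI, so do not write one.
    KrbSaveCredentials Off
    Require valid-user
</Location>
# The Basic fallback carries the password inside the HTTP request, so
# this Location must only be reachable over TLS.
```

Because the password fallback still authenticates against the KDC, it does not help a user with no AD account at all; that is the gap an ADAM/LDAP fallback would have to fill.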