Linux/Apache - combine mod_auth_kerb and ldap - to be or not to be???

[kerbie_newbie]

Hi,

I'm pretty new to this so please excuse any confusion that creeps in ...

I'm hosting a perl based web service on a Linux/Apache box that is accessed
by Windows workstations. I have Kerberos 5 (MIT) wrapping a particular perl
cgi script and all works fine for users who have an Active Directory
account. 

I have recently come across a user who, for some reason, had an expired TGT
ticket on his PC. I'm not sure how this happens as it looks to me like every
time you logon/logoff or lock/unlock your Windows PC, your tickets are
managed for you so you always have a valid TGT. As he is on a business PC,
I'm not sure how this happens ... anyways.

What I have been told is that all other systems in the business (that are
all hosted on Windows based servers) will automatically fail over to some
forms based or ldap authentication/ADAM if the initial Kerberos
authentication fails. I have been asked to do the same and provide a means
for non-AD and expired AD/TGT holder users to authenticate against ADAM.

As far as I can tell, when using mod_auth_kerb and selecting kerberos as the
authtype it is pretty much Kerberos or nothing ... is this correct? I can
see no way to intercept the failure.

I think what would be needed is to combine the modules so that Kerberos is
tried first and then maybe something like mod_auth_ldap. I have googled this
to death and cannot see a standard way of doing it (and I'm not touching the
internal Kerberos module code as suggested on one site!!). 

I have been told I *must* get this working. 

What can I do or is there a 'simple' explanation I can give as to why I
cannot do it.

Thanks in advance,

kerbie_newbie


-- 
View this message in context: http://www.nabble.com/Linux-Apache---combine-mod_auth_kerb-and-ldap---to-be-or-not-to-be----tp22914739p22914739.html
Sent from the Kerberos - General mailing list archive at Nabble.com.