Linux/Apache - combine mod_auth_kerb and ldap - to be or not to be???

Javier Palacios javiplx at gmail.com
Tue Apr 7 15:30:25 EDT 2009


On Tue, Apr 7, 2009 at 5:50 PM, Dax Kelson <dkelson at gurulabs.com> wrote:
> On Mon, 2009-04-06 at 11:47 -0700, kerbie_newbie wrote:
>
>> As far as I can tell, when using mod_auth_kerb and selecting kerberos as the
>> authtype it is pretty much Kerberos or nothing ... is this correct? I can
>> see no way to intercept the failure.
>
> This not correct. What you want are these two directives:
>
> KrbMethodNegotiate On
> KrbMethodK5Passwd On

If I remember right, there is a directive called something like authoritative.
I did never use it but it is used to pass authentication to other
modules (again, if I remember well).
That is exactly what you need so instead of enabling password
authentication, you need to stack the ldap authentication also, and
let proceed if negotiate fails.

Anyway, take into account that both fallbacks require a secure server,
which is not the case for credential based authentication.

Javier Palacios



More information about the Kerberos mailing list