Linux/Apache - combine mod_auth_kerb and ldap - to be or not to be???

kerbie_newbie zarafield at sky.com
Tue Apr 7 17:05:43 EDT 2009


Thanks for the responses ... still a little confused though. In another
thread I've read

"
Anyone has an apache running with mod_auth_kerb AND mod_auth_ldap

...

At least in Apache 2.0, it is extremely difficult in Apache to get two
authentication modules to co-exist; Apache by and large considers any
particular portion of the URL space to be protected by only one
authentication scheme (possibly combined with IP address restrictions).
This is partly a limitation of Apache (particularly the configuration
syntax) and partly related to difficulties in the HTTP protocol (you can't
easily negotiate and attempt multiple authentication protocols in turn).

However, that being said, mod_auth_kerb does support:

KrbDelegateBasic on | off (set to off by default)
If set to 'on', this option causes Basic authentication to always be
offered regardless of the setting of the KrbMethodK[45]Pass directives. Then, if
a Basic authentication header arrives, the authentication decision is passed
along to other modules. This option is a work-around for the insufficient
authentication scheme in Apache (Apache 2.1 seems to provide better support
for multiple authentication mechanisms).

The trick is that for this to work properly, mod_auth_kerb needs to go
first and then the other authentication module needs to follow
afterwards in the processing stack. That's something that modules can
control in their own C code to some extent, but I don't know how you'd
control this from outside without making code modifications."

...
"

Also, my server is not secure so Basic Authentication (which by my reckoning
does not authenticate against AD) is not an option.

Thanks again.
 

Javier Palacios-2 wrote:
> 
> On Tue, Apr 7, 2009 at 5:50 PM, Dax Kelson <dkelson at gurulabs.com> wrote:
>> On Mon, 2009-04-06 at 11:47 -0700, kerbie_newbie wrote:
>>
>>> As far as I can tell, when using mod_auth_kerb and selecting kerberos as
>>> the
>>> authtype it is pretty much Kerberos or nothing ... is this correct? I
>>> can
>>> see no way to intercept the failure.
>>
>> This is not correct. What you want are these two directives:
>>
>> KrbMethodNegotiate On
>> KrbMethodK5Passwd On
> 
> If I remember right, there is a directive called something like
> authoritative.
> I never used it, but it is used to pass authentication to other
> modules (again, if I remember well).
> That is exactly what you need, so instead of enabling password
> authentication, you need to stack the ldap authentication also, and
> let it proceed if negotiate fails.
> 
> Anyway, take into account that both fallbacks require a secure server,
> which is not the case for credential based authentication.
> 
> Javier Palacios
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 
View this message in context: http://www.nabble.com/Linux-Apache---combine-mod_auth_kerb-and-ldap---to-be-or-not-to-be----tp22914739p22938291.html
Sent from the Kerberos - General mailing list archive at Nabble.com.
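As an added example that is not part of the original thread, the configuration below shows the shape that Dax Kelson's two directives produce in mod_auth_kerb: SPNEGO/Negotiate is tried first, and if the browser cannot present a ticket the module falls back to a Basic prompt whose username and password it verifies against the Kerberos KDC (for an Active Directory realm, that is the domain controller). Because that fallback carries the password in the Basic header, the block also refuses plain HTTP, which is the "secure server" requirement Javier Palacios points out. The realm, keytab path and protected location are placeholders, not values from the thread; the directive names are the ones documented in the mod_auth_kerb README.

```apache
# Added example (Apache 2.2 syntax) for mod_auth_kerb with a password fallback.
# EXAMPLE.ORG, /secure and the keytab path are placeholder assumptions.
<Location /secure>
    # Refuse plain HTTP here: the K5Passwd fallback sends the password in a Basic header.
    SSLRequireSSL

    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbAuthRealms EXAMPLE.ORG
    Krb5Keytab /etc/httpd/conf/http.keytab
    KrbServiceName HTTP

    # First choice: SPNEGO/Negotiate, the browser presents a service ticket.
    KrbMethodNegotiate On
    # Fallback: Basic prompt; mod_auth_kerb obtains initial credentials from the KDC
    # with the supplied password, so a bad password is rejected by the KDC, not by Apache.
    KrbMethodK5Passwd On
    # Check the obtained ticket against the service key in the keytab (default is on,
    # stated explicitly so a spoofed KDC cannot satisfy the password fallback).
    KrbVerifyKDC On

    # KrbAuthoritative Off would hand a failed Kerberos attempt to a later module, which is
    # the directive Javier recalls; the quoted thread explains why stacking a second module
    # is not reliable in Apache 2.0, so it is left at its default here.

    Require valid-user
</Location>
```

With this in place a client without a ticket is challenged for a password only over TLS; without `SSLRequireSSL` the same fallback would expose domain credentials on the wire, which is the risk the thread is discussing.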



