Linux/Apache - combine mod_auth_kerb and ldap - to be or not to be???

kerbie_newbie zarafield at sky.com
Tue Apr 7 17:28:51 EDT 2009


Actually, since you say

>>Anyway, take into account that both fallbacks require a secure server,
>>which is not the case for credential based authentication.

do you mean that I would need to have some local storage (on my Linux box) of
all user ids or some sort of synchronization with Active Directory? (... or
have I misunderstood?). There are more than 50,000 users ...

Thanks again


kerbie_newbie wrote:
> 
> Thanks for the responses ... still a little confused though. In another
> thread I've read
> 
> "
> Anyone has an apache running with mod_auth_kerb AND mod_auth_ldap
> 
> ...
> 
> At least in Apache 2.0, it is extremely difficult in Apache to get two
> authentication modules to co-exist; Apache by and large considers any
> particular portion of the URL space to be protected by only one
> authentication scheme (possibly combined with IP address restrictions).
> This is partly a limitation of Apache (particularly the configuration
> syntax) and partly related to difficulties in the HTTP protocol (you can't
> easily negotiate and attempt multiple authentication protocols in turn).
> 
> However, that being said, mod_auth_kerb does support:
> 
> KrbDelegateBasic on | off (set to off by default)
> If set to 'on', this option causes Basic authentication to always be
> offered regardless of the setting of the KrbMethodK[45]Pass directives. Then, if
> a Basic authentication header arrives, the authentication decision is passed
> along to other modules. This option is a work-around for the insufficient
> authentication scheme in Apache (Apache 2.1 seems to provide better support
> for multiple authentication mechanisms).
> 
> The trick is that for this to work properly, mod_auth_kerb needs to go
> first and then the other authentication module needs to follow
> afterwards in the processing stack. That's something that modules can
> control in their own C code to some extent, but I don't know how you'd
> control this from outside without making code modifications."
> 
> ...
> "
> 
> Also, my server is not secure so Basic Authentication (which by my
> reckoning does not authenticate against AD) is not an option.
> 
> Thanks again.
>  
> 
> Javier Palacios-2 wrote:
>> 
>> On Tue, Apr 7, 2009 at 5:50 PM, Dax Kelson <dkelson at gurulabs.com> wrote:
>>> On Mon, 2009-04-06 at 11:47 -0700, kerbie_newbie wrote:
>>>
>>>> As far as I can tell, when using mod_auth_kerb and selecting kerberos as the
>>>> authtype it is pretty much Kerberos or nothing ... is this correct? I can
>>>> see no way to intercept the failure.
>>>
>>> This is not correct. What you want are these two directives:
>>>
>>> KrbMethodNegotiate On
>>> KrbMethodK5Passwd On
>> 
>> If I remember right, there is a directive called something like
>> authoritative.
>> I never used it, but it is used to pass authentication to other
>> modules (again, if I remember well).
>> That is exactly what you need, so instead of enabling password
>> authentication, you need to stack the ldap authentication also, and
>> let it proceed if negotiate fails.
>> 
>> Anyway, take into account that both fallbacks require a secure server,
>> which is not the case for credential based authentication.
>> 
>> Javier Palacios
>> ________________________________________________
>> Kerberos mailing list           Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>> 
>> 
> 
> 

-- 
View this message in context: http://www.nabble.com/Linux-Apache---combine-mod_auth_kerb-and-ldap---to-be-or-not-to-be----tp22914739p22938708.html
Sent from the Kerberos - General mailing list archive at Nabble.com.
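Javier's warning above, that the password fallbacks (KrbMethodK5Passwd, KrbDelegateBasic) only belong on a secure server, suggests a quick configuration audit. The following Python is an added example, not part of the thread: it parses a simplified httpd.conf and reports every section that offers a password login without SSLRequireSSL in the section or SSLEngine on in an enclosing virtual host. The minimal line-based parser and the sample config are constructed for the example.

```python
import re

# Added example (not from the thread): flag Apache sections that offer a password
# login (the mod_auth_kerb fallbacks discussed above, or AuthType Basic) without TLS.
SECTION_OPEN = re.compile(r"^<(\w+)\s*([^>]*)>$")
PASSWORD_DIRECTIVES = {"krbmethodk5passwd", "krbmethodk4passwd", "krbdelegatebasic"}

def parse_sections(config_text):
    """Return (header, directives, enclosing_directive_lists) for each closed section."""
    stack, sections = [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = SECTION_OPEN.match(line)
        if opened:
            stack.append((f"<{opened.group(1)} {opened.group(2)}>", []))
        elif line.startswith("</"):
            header, directives = stack.pop()
            sections.append((header, directives, [d for _, d in stack]))
        elif stack:
            name, _, value = line.partition(" ")
            stack[-1][1].append((name.lower(), value.strip().lower()))
    return sections

def find_unprotected_password_auth(config_text):
    findings = []
    for header, directives, enclosing in parse_sections(config_text):
        offending = [n for n, v in directives
                     if (n in PASSWORD_DIRECTIVES and v == "on")
                     or (n == "authtype" and v == "basic")]
        # TLS is assured by SSLRequireSSL in the section or 'SSLEngine on' in an enclosing vhost.
        secure = any(n == "sslrequiressl" for n, _ in directives) or any(
            (n, v) == ("sslengine", "on") for d in enclosing for n, v in d)
        if offending and not secure:
            findings.extend((header, n) for n in offending)
    return findings

# Constructed sample: the same Kerberos password fallback on plain HTTP and behind SSL.
SAMPLE_CONFIG = """<Location /intranet>
  AuthType Kerberos
  KrbMethodK5Passwd On
</Location>
<VirtualHost *:443>
  SSLEngine on
  <Location /secure>
    KrbDelegateBasic On
  </Location>
</VirtualHost>
"""
```

Running `find_unprotected_password_auth(SAMPLE_CONFIG)` reports only `/intranet`, since `/secure` inherits TLS from its virtual host.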