Linux/Apache - combine mod_auth_kerb and ldap - to be or not to be???

Richard E. Silverman res at qoxp.net
Tue Apr 7 22:27:45 EDT 2009


    kn> Actually, since you say

    >>> Anyway, take into account that both fallbacks require a secure
    >>> server, which is not the case for credential based authentication.

    kn> you mean that I would need to have some local storage (on my Linux
    kn> box) of all user ids or some sort of synchronization with Active
    kn> Directory? (... or have I misunderstood?). There are more than
    kn> 50,000 users ...

No; mod_auth_kerb will do the equivalent of kinit to validate the user's
password (as well as an anti-spoof check on the KDC).

- Richard


    kn> Thanks again


    kn> kerbie_newbie wrote:
    >> 
    >> Thanks for the responses ... still a little confused though. In another
    >> thread I've read
    >> 
    >> " Anyone has an apache running with mod_auth_kerb AND mod_auth_ldap
    >> 
    >> ...
    >> 
    >> At least in Apache 2.0, it is extremely difficult in Apache to get
    >> two authentication modules to co-exist; Apache by and large
    >> considers any particular portion of the URL space to be protected
    >> by only one authentication scheme (possibly combined with IP
    >> address restrictions).  This is partly a limitation of Apache
    >> (particularly the configuration syntax) and partly related to
    >> difficulties in the HTTP protocol (you can't easily negotiate and
    >> attempt multiple authentication protocols in turn).
    >> 
    >> However, that being said, mod_auth_kerb does support:
    >> 
    >> KrbDelegateBasic on | off (set to off by default) If set to 'on',
    >> this option causes Basic authentication to always be offered
    >> regardless of the setting of the KrbMethodK[45]Pass directives. Then,
    >> if a Basic authentication header arrives, the authentication decision
    >> is passed along to other modules. This option is a work-around for
    >> the insufficient authentication scheme in Apache (Apache 2.1 seems to
    >> provide better support for multiple authentication mechanisms).
    >> 
    >> The trick is that for this to work properly, mod_auth_kerb needs to
    >> go first and then the other authentication module needs to follow
    >> afterwards in the processing stack. That's something that modules
    >> can control in their own C code to some extent, but I don't know
    >> how you'd control this from outside without making code
    >> modifications."
    >> 
    >> ...  "
    >> 
    >> Also, my server is not secure so Basic Authentication (which by my
    >> reckoning does not authenticate against AD) is not an option.
    >> 
    >> Thanks again.
    >> 
    >> 
    >> Javier Palacios-2 wrote:
    >>> 
>> On Tue, Apr 7, 2009 at 5:50 PM, Dax Kelson <dkelson at gurulabs.com> wrote:
>>> On Mon, 2009-04-06 at 11:47 -0700, kerbie_newbie wrote:
>>>
>>>> As far as I can tell, when using mod_auth_kerb and selecting kerberos
>>>> as the
>>>> authtype it is pretty much Kerberos or nothing ... is this correct? I
>>>> can
>>>> see no way to intercept the failure.
>>>
>>> This not correct. What you want are these two directives:
>>>
>>> KrbMethodNegotiate On
>>> KrbMethodK5Passwd On
>> 
>> If I remember right, there is a directive called something like
>> authoritative.
>> I never used it, but it is used to pass authentication to other
>> modules (again, if I remember well).
>> That is exactly what you need, so instead of enabling password
>> authentication, you need to stack the ldap authentication as well, and
>> let it proceed if negotiate fails.
>> 
>> Anyway, take into account that both fallbacks require a secure server,
>> which is not the case for credential based authentication.
>> 
>> Javier Palacios
>> ________________________________________________
>> Kerberos mailing list           Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>> 
>> 
> 
> 

-- 
View this message in context: http://www.nabble.com/Linux-Apache---combine-mod_auth_kerb-and-ldap---to-be-or-not-to-be----tp22914739p22938708.html
Sent from the Kerberos - General mailing list archive at Nabble.com.


-- 
  Richard Silverman
  res at qoxp.net
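For concreteness, this is the configuration the thread is talking about: Negotiate first, then a password fallback that mod_auth_kerb validates against the KDC itself, with no local copy of the user base. It is an added example, not posted by anyone in the thread; the realm EXAMPLE.COM, the keytab path, the Location and the AuthName are assumptions.

```apache
# Added example (not from the thread): mod_auth_kerb on Apache 2.2.
# Assumed values: realm EXAMPLE.COM, keytab /etc/httpd/krb5.keytab,
# protected path /secure.
<Location /secure>
    # KrbMethodK5Passwd makes the browser send the user's AD password in a
    # Basic header, i.e. in clear text inside HTTP. That is the "secure
    # server" requirement from the thread, so refuse plain http here.
    SSLRequireSSL

    AuthType Kerberos
    AuthName "Example Corp (AD login)"
    KrbAuthRealms EXAMPLE.COM
    KrbServiceName HTTP
    Krb5Keytab /etc/httpd/krb5.keytab

    # Try SPNEGO/GSSAPI (a ticket the browser already holds) first ...
    KrbMethodNegotiate On
    # ... and fall back to Basic. mod_auth_kerb then does the equivalent of
    # kinit with the submitted password against the KDC, so nothing about
    # the 50,000 users has to be stored or synchronised on the web server.
    KrbMethodK5Passwd On
    # After the password check, use the keytab to get a service ticket for
    # the fresh TGT. A spoofed KDC that just says "yes" to the password
    # cannot produce a ticket our keytab decrypts, which is the anti-spoof
    # check mentioned above. (On by default; stated here so nobody turns
    # it off to "fix" a keytab problem.)
    KrbVerifyKDC On

    # Authentication ends in this module: do not hand a Basic header on to
    # another auth module, and do not fall through on failure.
    KrbDelegateBasic Off
    KrbAuthoritative On

    Require valid-user
</Location>
```

Two checks before relying on this: `kinit -k -t /etc/httpd/krb5.keytab HTTP/www.example.com@EXAMPLE.COM` (hostname assumed) must succeed as the httpd user, otherwise KrbVerifyKDC fails every password login; and the server clock must be within the KDC's skew limit, since both the Negotiate and the password path break on time skew with an error that looks like a bad password. The KrbDelegateBasic/LDAP stacking route from the quoted thread is deliberately left out here; the thread's point is that ordering the two modules is the hard part, and this fragment does not claim to solve it.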