Linux/Apache - combine mod_auth_kerb and ldap - to be or not to be???
Richard E. Silverman
res at qoxp.net
Tue Apr 7 22:27:45 EDT 2009
kn> Actually, since you say
>>> Anyway, take into account that both fallbacks require a secure
>>> server, which is not the case for credential based authentication.
kn> you mean that I would need to have some local storage (on my Linux
kn> box) of all user ids or some sort of synchronization with Active
kn> Directory? (... or have I misunderstood?). There are more than
kn> 50,000 users ...
No; mod_auth_kerb will do the equivalent of kinit to validate the user's
password (as well as an anti-spoof check on the KDC).
- Richard
kn> Thanks again
kn> kerbie_newbie wrote:
>>
>> Thanks for the responses ... still a little confused though. In another
>> thread I've read
>>
>> " Anyone has an apache running with mod_auth_kerb AND mod_auth_ldap
>>
>> ...
>>
>> At least in Apache 2.0, it is extremely difficult in Apache to get
>> two authentication modules to co-exist; Apache by and large
>> considers any particular portion of the URL space to be protected
>> by only one authentication scheme (possibly combined with IP
>> address restrictions). This is partly a limitation of Apache
>> (particularly the configuration syntax) and partly related to
>> difficulties in the HTTP protocol (you can't easily negotiate and
>> attempt multiple authentication protocols in turn).
>>
>> However, that being said, mod_auth_kerb does support:
>>
>> KrbDelegateBasic on | off (set to off by default) If set to 'on'
>> this option causes Basic authentication to always be offered
>> regardless of the KrbMethodK[45]Pass directives. Then, if a
>> Basic authentication header arrives, the authentication decision is
>> passed along to other modules. This option is a work-around for
>> the insufficient authentication scheme in Apache (Apache 2.1 seems to
>> provide better support for multiple authentication
>> mechanisms).
>>
>> The trick is that for this to work properly, mod_auth_kerb needs to
>> go first and then the other authentication module needs to follow
>> afterwards in the processing stack. That's something that modules
>> can control in their own C code to some extent, but I don't know
>> how you'd control this from outside without making code
>> modifications."
>>
>> ... "
>>
>> Also, my server is not secure so Basic Authentication (which by my
>> reckoning does not authenticate against AD) is not an option.
>>
>> Thanks again.
>>
>>
>> Javier Palacios-2 wrote:
>>>
>> On Tue, Apr 7, 2009 at 5:50 PM, Dax Kelson <dkelson at gurulabs.com> wrote:
>>> On Mon, 2009-04-06 at 11:47 -0700, kerbie_newbie wrote:
>>>
>>>> As far as I can tell, when using mod_auth_kerb and selecting kerberos
>>>> as the
>>>> authtype it is pretty much Kerberos or nothing ... is this correct? I
>>>> can
>>>> see no way to intercept the failure.
>>>
>>> This is not correct. What you want are these two directives:
>>>
>>> KrbMethodNegotiate On
>>> KrbMethodK5Passwd On
>>
>> If I remember right, there is a directive called something like
>> authoritative.
>> I never used it, but it is used to pass authentication to other
>> modules (again, if I remember well).
>> That is exactly what you need, so instead of enabling password
>> authentication, you need to stack the ldap authentication as well and
>> let it proceed if negotiate fails.
>>
>> Anyway, take into account that both fallbacks require a secure server,
>> which is not the case for credential based authentication.
>>
>> Javier Palacios
--
Richard Silverman
res at qoxp.net
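A configuration sketch, added here and not taken from any message in this thread, that puts the weak setup next to the one the replies point to: Negotiate first, KrbMethodK5Passwd as the fallback, but only on a TLS vhost and with mod_auth_kerb's keytab-based KDC check left on. The realm, keytab and certificate paths, and the host name are placeholders.

```apache
# Added example (not from this thread). Realm, keytab path, certificate
# paths and the URL are placeholders.

# WEAK: password fallback on a plain-HTTP vhost. With KrbMethodK5Passwd on,
# a client without a ticket sends the user's AD password in a Basic header,
# and on port 80 that header crosses the wire in the clear. Turning
# KrbVerifyKDC off also drops the keytab check that defeats a spoofed KDC.
<VirtualHost *:80>
    <Location /intranet>
        AuthType Kerberos
        AuthName "Intranet (Kerberos)"
        KrbAuthRealms EXAMPLE.COM
        Krb5Keytab /etc/httpd/conf/http.keytab
        KrbMethodNegotiate On
        KrbMethodK5Passwd On
        KrbVerifyKDC Off
        Require valid-user
    </Location>
</VirtualHost>

# HARDENED: same Negotiate-first, password-second behaviour, but only on
# the TLS vhost. SSLRequireSSL rejects any plain-HTTP request for the
# location, and KrbVerifyKDC on makes the password check obtain a ticket
# for the server's own HTTP/host principal and decrypt it with the keytab
# (the "kinit plus anti-spoof check" described in the reply above).
<VirtualHost *:443>
    SSLEngine On
    SSLCertificateFile    /etc/pki/tls/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/www.example.com.key
    <Location /intranet>
        SSLRequireSSL
        AuthType Kerberos
        AuthName "Intranet (Kerberos)"
        KrbAuthRealms EXAMPLE.COM
        KrbServiceName HTTP
        Krb5Keytab /etc/httpd/conf/http.keytab
        KrbMethodNegotiate On
        KrbMethodK5Passwd On
        KrbVerifyKDC On
        Require valid-user
    </Location>
</VirtualHost>
```

With the hardened block in place, the port-80 vhost should not serve the protected location at all; serving a redirect to the https:// URL there is the usual arrangement.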