noob question on where to start with Kerberos

Edward Murrell edward at murrell.co.nz
Sat Aug 1 00:29:29 EDT 2009


Hi Bryan,

The code is fairly tightly integrated with the Apache Kerberos handler,
so probably won't work for you. I intend to put it up on SourceForge at
some point (lack of arounds to it notwithstanding). At that point it
should be available to all.

On Mon, 2009-07-27 at 16:08 -0700, Bryan Boone wrote:
> Hi Edward, thanks for the reply.  Unfortunately, due to certain
> restrictions at this company I cannot use the Apache mod.  Also, I
> meant the LDAP group, sorry about the wrong use of
> terminology.  However, the sample code you have would be very helpful
> for me to learn from if you don't mind.
> 
> > Subject: Re: noob question on where to start with Kerberos
> > From: edward at murrell.co.nz
> > To: kerberos at mit.edu
> > Date: Tue, 28 Jul 2009 10:44:59 +1200
> > 
> > For Apache:
> > http://modauthkerb.sourceforge.net/
> > 
> > Should do everything you want already.
> > 
> > Also, since group information is not stored on a Kerberos server, I
> > assume you're going to be looking up LDAP information. I have some code
> > that simplifies this somewhat, if you are using RFC 2307 (posix/NIS)
> > compliant LDAP schemas. Other people have already written (and to be
> > fair, support much better) PHP libraries for handling Active Directory
> > LDAP lookups.
> > 
> > Cheers,
> > Edward Murrell
> > 
> > On Mon, 2009-07-27 at 15:07 -0700, Bryan Boone wrote:
> > > Hi everyone, I have a noob question for ya.
> > > 
> > > I need to develop a website for a company that uses Kerberos login; the
> > > web server resides on a different server than the Kerberos server.
> > > Unfortunately I cannot use the built-in PHP functions for Kerberos, so
> > > I need to write my own C Kerberos client as a PHP extension. Also, to
> > > eliminate possible man-in-the-middle attacks, I need to have the keytab
> > > file manually uploaded to the web server.
> > > 
> > > So this web page will simply authenticate the user's username and
> > > password and then pull that user's group name from the Kerberos server
> > > (while having the keytab on the web server). There is no need to
> > > kerberize any application here. Also, I will not be needing to cache
> > > tickets or pass any tickets here. I will use PHP sessions for the
> > > website. I just need the authentication side of Kerberos once per user
> > > login on the website.
> > > 
> > > I read the O'Reilly Kerberos book and still have some questions.
> > > 
> > > My question is, what methods are best for accomplishing my task?
> > > Can this be accomplished with the pam_krb5 API, the SASL for GSSAPI, or
> > > do I need to stick with native GSSAPI? Which one would be easier for a
> > > noob?
> > > 
> > > thanks
> > > 
> > > ________________________________________________
> > > Kerberos mailing list Kerberos at mit.edu
> > > https://mailman.mit.edu/mailman/listinfo/kerberos
> 



