Authenticating to LDAP using a HTTP ticket
Mikkel Kruse Johnsen
mikkel at linet.dk
Sat Mar 7 04:45:54 EST 2009
Hi Henrik
Yes, that is possible.
You need to set your LDAP to authenticate using SASL like this:
# SASL
sasl-host kerberos.cbs.dk
sasl-realm CBS.DK
sasl-secprop noplain,noanonymous,minssf=112
sasl-regexp uid=(.*),cn=CBS.DK,cn=GSSAPI,cn=auth
    uid=$1,ou=People,dc=cbs,dc=dk
Now put this in the HTTP config (Note the KrbSaveCredentials)
AuthType Kerberos
AuthName "Open Directory Login"
KrbAuthRealms CBS.DK
Krb5Keytab /etc/httpd/conf/httpd.keytab
KrbSaveCredentials on
KrbMethodNegotiate on
KrbMethodK5Passwd on
require valid-user
Now do this in PHP
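// mod_auth_kerb exports the saved ticket cache location when KrbSaveCredentials is on
if (!isset($_SERVER["KRB5CCNAME"])) {
    return false;
}
// Point the Kerberos library at that cache
putenv("KRB5CCNAME=" . $_SERVER['KRB5CCNAME']);
$ds = @ldap_connect($this->LdapHost);
@ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
// Bind over SASL/GSSAPI using the delegated ticket
if (($linkId = @ldap_sasl_bind($ds, NULL, NULL, "GSSAPI")) == false) {
    return false;
}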
Kind Regards

Mikkel Kruse Johnsen
Managing Director
Linet
Ørholmgade 6 st tv
Copenhagen N 2200
Denmark
Work: +45 21287793
Mobile: +45 21287793
Email: mikkel at linet.dk
IM: mikkel at linet.dk (MSN)
On Sat, 07 03 2009 at 09:47 +0100, Henrik Hodne wrote:
> Hello,
>
> I am in the process of creating a web panel to change LDAP attributes. The
> web panel is currently using mod_auth_kerb to authenticate, which is working
> beautifully. What we need is to authenticate to the LDAP server with that
> ticket. Is that even possible?
>
> -Henrik
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
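
Added example, not part of the original message: a self-contained PHP function for the bind step above that also asks the server, through the LDAP WhoAmI operation, which DN the sasl-regexp rule mapped the delegated ticket to. The function names, the ldap://ldap.example.org URI and the assumption that REMOTE_USER has the form user@CBS.DK are illustrative; ldap_exop_whoami() needs PHP 7.2 or later.

```php
<?php
// Added example; expectedDnFor() and bindWithDelegatedTicket() are hypothetical names.

/** DN that the sasl-regexp rule shown above should produce for a principal. */
function expectedDnFor(string $principal): ?string
{
    // Assumption: mod_auth_kerb sets REMOTE_USER to "user@REALM".
    // Accept only simple user names in the CBS.DK realm.
    if (!preg_match('/^([A-Za-z0-9._-]+)@CBS\.DK$/', $principal, $m)) {
        return null;
    }
    return 'uid=' . $m[1] . ',ou=People,dc=cbs,dc=dk';
}

/** Returns a bound LDAP connection, or null on any failure. */
function bindWithDelegatedTicket(string $ldapUri, array $server)
{
    $ccache   = $server['KRB5CCNAME'] ?? '';
    $expected = expectedDnFor($server['REMOTE_USER'] ?? '');
    if ($ccache === '' || $expected === null) {
        return null;                 // no saved credentials, or unexpected principal
    }
    putenv('KRB5CCNAME=' . $ccache); // the Kerberos library reads the cache location here

    $ds = ldap_connect($ldapUri);
    if ($ds === false) {
        return null;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3); // SASL binds require LDAPv3

    if (!@ldap_sasl_bind($ds, null, null, 'GSSAPI')) {
        error_log('GSSAPI bind failed: ' . ldap_error($ds));
        return null;
    }

    // WhoAmI returns "dn:<DN>" after the server has rewritten the SASL identity.
    $authzId = ldap_exop_whoami($ds);
    if ($authzId === false || strcasecmp($authzId, 'dn:' . $expected) !== 0) {
        error_log('Unexpected LDAP identity: ' . var_export($authzId, true));
        ldap_unbind($ds);
        return null;
    }
    return $ds;
}

// Placeholder URI; replace with the directory server's address.
$ds = bindWithDelegatedTicket('ldap://ldap.example.org', $_SERVER);
```

If the WhoAmI result still ends in cn=GSSAPI,cn=auth, the sasl-regexp rule did not match and the bind is running under the unmapped SASL identity.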