Authenticating to LDAP using a HTTP ticket

Henrik Hodne henrik.hodne at gmail.com
Sat Mar 7 07:03:09 EST 2009


Hello,

I have a few more questions.

On Sat, Mar 7, 2009 at 10:45 AM, Mikkel Kruse Johnsen <mikkel at linet.dk> wrote:

>  Hi Henrik
>
> Yes, that is possible.
>
> You need to set your LDAP to authenticate using SASL like this:
>
> # SASL
> sasl-host       kerberos.cbs.dk
> sasl-realm      CBS.DK
> sasl-secprop    noplain,noanonymous,minssf=112
> sasl-regexp     uid=(.*),cn=CBS.DK,cn=GSSAPI,cn=auth
>                 uid=$1,ou=People,dc=cbs,dc=dk
>

Where does the SASL stuff go?


>
>
> Now put this in the HTTP config (Note the *KrbSaveCredentials*)
>
>
> AuthType Kerberos
> AuthName "Open Directory Login"
> KrbAuthRealms CBS.DK
> Krb5Keytab /etc/httpd/conf/httpd.keytab
> KrbSaveCredentials on
> KrbMethodNegotiate on
> KrbMethodK5Passwd on
> require valid-user
>

This works, but I haven't got any browsers to forward tickets (that's
probably client-side though)


>
> Now do this in PHP
>
> if (!isset($_SERVER["KRB5CCNAME"])) {
>     return false;
> }
> putenv("KRB5CCNAME=" . $_SERVER['KRB5CCNAME']);
>

I often get an error message telling me $_SERVER['KRB5CCNAME'] doesn't exist
(mostly after the first time I view something, disappears when changing the
file).


>
> $ds = @ldap_connect($this->LdapHost);
> @ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
>
> if (($linkId = @ldap_sasl_bind($ds, NULL, NULL, "GSSAPI")) == false) {
>     return false;
> }
>
>
>
>   Med Venlig Hilsen / Kind Regards
>
>
>   *Mikkel Kruse Johnsen*
> Adm.Dir.
>
> *Linet <http://www.linet.dk>*
> Ørholmgade 6 st tv<http://maps.google.com/maps?q=%D8rholmgade+6+st+tv%2CCopenhagen+N+2200%2CDenmark&hl=en>
> Copenhagen N 2200 Denmark   *Work:* +45 21287793
> *Mobile:* +45 21287793
> *Email:* mikkel at linet.dk
> *IM:* mikkel at linet.dk (MSN)
>  *Professional Profile <http://www.linkedin.com/pub/3/333/803>*
> *Healthcare <http://www.xmedicus.dk>*
>
> Network Consultant
>
> lør, 07 03 2009 kl. 09:47 +0100, skrev Henrik Hodne:
>
> Hello,
>
> I am in the process of creating a web panel to change LDAP attributes. The
> web panel is currently using mod_auth_kerb to authenticate, which is working
> beautifully. What we need is to authenticate to the LDAP server with that
> ticket. Is that even possible?
>
> -Henrik
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
-Henrik
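As an added example that is not part of either message, here is the PHP step of the flow above written with explicit error handling: it uses only a credential cache that mod_auth_kerb exported for this request (with KrbSaveCredentials on, KRB5CCNAME is set only when the browser delegated a forwardable ticket, so an absent variable means there is nothing to bind with), binds with GSSAPI without silencing errors, and then confirms through an LDAP "Who am I?" request that the bound identity is the delegated user and not the web server. The LDAP host, the FILE: cache type, the People-subtree DN layout from the sasl-regexp above, and the availability of ldap_exop_whoami() (PHP 7.2 or later) are assumptions.

```php
<?php
// Added example: bind to LDAP with the Kerberos ticket mod_auth_kerb saved
// for this request. The host name and DN layout below are assumed.

function ldap_bind_as_browser_user(string $ldapHost)
{
    // KRB5CCNAME is present only when credentials were delegated for this
    // request. Fail closed and clear any cache name a previous request left
    // in this (persistent) PHP process, so we never bind as another user.
    $ccache = $_SERVER['KRB5CCNAME'] ?? null;
    if ($ccache === null || !preg_match('#^FILE:/\S+$#', $ccache)) {
        putenv('KRB5CCNAME');
        error_log('no delegated Kerberos credentials for this request');
        return false;
    }
    putenv('KRB5CCNAME=' . $ccache);

    $ds = ldap_connect('ldap://' . $ldapHost);
    if ($ds === false) {
        return false;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);

    // No "@": log the server's reason when the GSSAPI bind is refused.
    if (!ldap_sasl_bind($ds, null, null, 'GSSAPI')) {
        error_log('GSSAPI bind failed: ' . ldap_error($ds));
        return false;
    }

    // REMOTE_USER from mod_auth_kerb looks like henrik@CBS.DK; the sasl-regexp
    // maps that principal to uid=henrik,ou=People,dc=cbs,dc=dk (assumed DN).
    $principal = $_SERVER['REMOTE_USER'] ?? '';
    $user      = strstr($principal, '@', true) ?: $principal;
    $expected  = 'dn:uid=' . ldap_escape($user, '', LDAP_ESCAPE_DN)
               . ',ou=People,dc=cbs,dc=dk';

    // Ask the directory who it thinks we are and compare with the web user.
    $authzid = ldap_exop_whoami($ds);
    if ($authzid === false || strcasecmp($authzid, $expected) !== 0) {
        error_log("bound as '" . var_export($authzid, true)
                  . "', expected '$expected'");
        ldap_unbind($ds);
        return false;
    }
    return $ds;   // connection bound as the delegated user
}

// Usage (assumed host): $ds = ldap_bind_as_browser_user('ldap.cbs.dk');
```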
