Authenticating to LDAP using a HTTP ticket

Mikkel Kruse Johnsen mikkel at linet.dk
Sun Mar 8 06:06:14 EDT 2009


> Hello,
> 
> I have a few more questions
> 
> 
> On Sat, Mar 7, 2009 at 10:45 AM, Mikkel Kruse Johnsen
> <mikkel at linet.dk> wrote:
> 
>         Hi Henrik
>         
>         Yes, that is possible.
>         
>         You need to set your LDAP to authenticate using SASL like
>         this:
>         
>         # SASL
>         sasl-host       kerberos.cbs.dk
>         sasl-realm      CBS.DK
>         sasl-secprop    noplain,noanonymous,minssf=112
>         sasl-regexp     uid=(.*),cn=CBS.DK,cn=GSSAPI,cn=auth
>                         uid=$1,ou=People,dc=cbs,dc=dk
>  
> Where does the SASL stuff go?


This goes in "/etc/openldap/slapd.conf" assuming you are using OpenLDAP.


>  
>         
>         
>         Now put this in the HTTP config (Note the KrbSaveCredentials)
>         
>         
>         AuthType Kerberos
>         AuthName "Open Directory Login"
>         KrbAuthRealms CBS.DK
>         Krb5Keytab /etc/httpd/conf/httpd.keytab
>         KrbSaveCredentials on
>         KrbMethodNegotiate on
>         KrbMethodK5Passwd on
>         require valid-user
>         
> 
> This works, but I haven't got any browsers to forward tickets (that's
> probably client-side though)
>  


To get the browsers to forward tickets you need to:

Firefox: Type "about:config" in the Location bar. Type "nego" in the
filter and double-click "network.negotiate-auth.delegation-uris" and
"network.negotiate-auth.trusted-uris" and type in your domain name (in
my example I have "cbs.dk" in both).

IE: You need to change a regedit setting like this:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos
\Domains\CBS.DK]
"KdcNames"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,2e,00,63,00,\
  62,00,73,00,2e,00,64,00,6b,00,00,00,00,00
"RealmFlags"=dword:00000006

(KdcNames is your list of kerberos servers)

(http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/95141.mspx?mfr=true)

RealmFlags tells that it is OK to delegate for the domain "cbs.dk" (of
course change to your own domain).


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
Settings\ZoneMap\Domains\cbs.dk]
"*"=dword:00000001

This puts "cbs.dk" in the trusted zone.



I also had a problem getting this to work and it turned out to be a
problem with "mod_auth_kerb": I had to recompile it using its internal
GSSAPI support and not MIT Kerberos under RHEL5.
I don't know your setup. If it is not delegating, then recompile with
internal GSSAPI support.

Or use these:

http://yum.cbs.dk/rhel-5Server-x86_64/RPMS/mod_auth_kerb-5.3-6.x86_64.rpm 
http://yum.cbs.dk/rhel-5Server-i386/RPMS/mod_auth_kerb-5.3-6.i386.rpm


I'm off for a week, so hope you can get it to work.


>         
>         Now do this in PHP
>         
>         if (!isset($_SERVER["KRB5CCNAME"])) {
>         return false;
>         }
>         putenv("KRB5CCNAME=" . $_SERVER['KRB5CCNAME']);
>         
> 
> I often get an error message telling me $_SERVER['KRB5CCNAME'] doesn't
> exist (mostly after the first time I view something, disappears when
> changing the file).
>  
> 

Not sure what you mean.


>         
>         $ds = @ldap_connect($this->LdapHost);
>         @ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
>         
>         if (($linkId = @ldap_sasl_bind($ds, NULL, NULL, "GSSAPI")) == false) {
>             return false;
>         }
>         
>         
>         
>         Kind Regards
>         
>         Mikkel Kruse Johnsen
>         Adm.Dir.
>         
>         Linet
>         Ørholmgade 6 st tv
>         Copenhagen N, 2200 Denmark
>         
>         Work: +45 21287793
>         Mobile: +45 21287793
>         Email: mikkel at linet.dk
>         IM: mikkel at linet.dk (MSN)
>         Professional Profile
>         Healthcare Network Consultant
>         
>         
>         On Sat, 07 03 2009 at 09:47 +0100, Henrik Hodne wrote:
>         
>         > Hello,
>         > 
>         > I am in the process of creating a web panel to change LDAP attributes. The
>         > web panel is currently using mod_auth_kerb to authenticate, which is working
>         > beautifully. What we need is to authenticate to the LDAP server with that
>         > ticket. Is that even possible?
>         > 
>         > -Henrik
>         > ________________________________________________
>         > Kerberos mailing list           Kerberos at mit.edu
>         > https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> -Henrik 
> 
> 
> 
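The complete request-to-LDAP flow this thread describes, as an added example that is not code from the thread or from mod_auth_kerb: it checks that mod_auth_kerb actually exported a delegated credential cache (failing closed when the browser did not delegate), points the Kerberos library at that cache, does the GSSAPI SASL bind so slapd's sasl-regexp maps the user to their own entry, and then searches for that entry. The host name, base DN and the REMOTE_USER format (principal with realm, as mod_auth_kerb sets it without local user mapping) are assumptions; replace them with your own values.

```php
<?php
// Added example, not part of the original thread. Assumes Apache with
// mod_auth_kerb and "KrbSaveCredentials on" has already authenticated
// the request, and that slapd is configured for the GSSAPI SASL
// mechanism as shown in the thread. Host and base DN are placeholders.

function ldap_bind_with_delegated_ticket(string $ldapHost)
{
    // 1. mod_auth_kerb exports the path of the delegated credential cache
    //    in KRB5CCNAME. If it is missing, the browser did not delegate
    //    (see the Firefox / IE settings) or KrbSaveCredentials is off.
    //    Fail closed rather than falling back to an anonymous bind.
    if (empty($_SERVER['KRB5CCNAME'])) {
        error_log('KRB5CCNAME not set: no delegated ticket for this request');
        return false;
    }

    // 2. Point the Kerberos library (used by Cyrus SASL) at that cache.
    putenv('KRB5CCNAME=' . $_SERVER['KRB5CCNAME']);

    // 3. Connect; LDAPv3 is required for SASL binds.
    $ds = ldap_connect($ldapHost);
    if ($ds === false) {
        return false;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    // 4. GSSAPI bind: the user's own ticket authenticates, so slapd's
    //    sasl-regexp maps uid=<user>,cn=<REALM>,cn=GSSAPI,cn=auth to the
    //    user's entry under ou=People. No password ever reaches PHP.
    if (!ldap_sasl_bind($ds, null, null, 'GSSAPI')) {
        error_log('GSSAPI bind failed: ' . ldap_error($ds));
        ldap_unbind($ds);
        return false;
    }

    return $ds;
}

// Usage: bind with the delegated ticket, then read the user's own entry.
$ds = ldap_bind_with_delegated_ticket('ldap.example.com');   // placeholder host
if ($ds === false) {
    http_response_code(403);
    exit('Kerberos delegation to LDAP failed');
}

// Assumption: REMOTE_USER holds the principal, e.g. "henrik@EXAMPLE.COM";
// strip the realm to get the uid the sasl-regexp mapped to.
$uid = explode('@', $_SERVER['REMOTE_USER'], 2)[0];
$filter = 'uid=' . ldap_escape($uid, '', LDAP_ESCAPE_FILTER); // no filter injection
$result = ldap_search($ds, 'ou=People,dc=example,dc=com', $filter); // placeholder base DN
$entries = ldap_get_entries($ds, $result);
ldap_unbind($ds);
```

Because the bind uses the user's delegated ticket rather than a service account, every attribute change made through the web panel is authorised by slapd's ACLs as that user; the `@` error suppression from the thread is dropped so that bind failures are logged instead of silently returning false.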


