Authenticating to LDAP using a HTTP ticket
Richard E. Silverman
res at qoxp.net
Sun Mar 8 13:32:40 EDT 2009
>>>>> "MKJ" == Mikkel Kruse Johnsen <mikkel at linet.dk> writes:
>> Hello,
>>
>> I have a few more questions
>>
>>
>> On Sat, Mar 7, 2009 at 10:45 AM, Mikkel Kruse Johnsen
>> <mikkel at linet.dk> wrote:
>>
>> Hi Henrik
>>
>> Yes, that is possible.
>>
>> You need to set your LDAP to authenticate using SASL like this:
>>
>> # SASL
>> sasl-host kerberos.cbs.dk
>> sasl-realm CBS.DK
>> sasl-secprop noplain,noanonymous,minssf=112
>> sasl-regexp uid=(.*),cn=CBS.DK,cn=GSSAPI,cn=auth uid=$1,ou=People,dc=cbs,dc=dk
>>
>> Where does the SASL stuff go?
MKJ> This goes in "/etc/openldap/slapd.conf" assuming you are using
MKJ> OpenLDAP.
>>
>>
>>
>> Now put this in the HTTP config (Note the KrbSaveCredentials)
>>
>>
>> AuthType Kerberos
>> AuthName "Open Directory Login"
>> KrbAuthRealms CBS.DK
>> Krb5Keytab /etc/httpd/conf/httpd.keytab
>> KrbSaveCredentials on
>> KrbMethodNegotiate on
>> KrbMethodK5Passwd on
>> require valid-user
>>
>>
>> This works, but I haven't got any browsers to forward tickets
>> (that's probably client-side though)
>>
To get the browsers to forward tickets you need to:
MKJ> Firefox: Type "about:config" in the Location bar. Type "nego" in
MKJ> the filter and double-click
MKJ> "network.negotiate-auth.delegation-uris" and
MKJ> "network.negotiate-auth.trusted-uris" and type in your domain
MKJ> name (in my example I have "cbs.dk" in both).
MKJ> IE: You need to change a registry setting like this:
MKJ> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\CBS.DK]
MKJ> "KdcNames"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,2e,00,63,00,\
MKJ> 62,00,73,00,2e,00,64,00,6b,00,00,00,00,00
MKJ> "RealmFlags"=dword:00000006
MKJ> (KdcNames is your list of Kerberos servers)
MKJ> (http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/95141.mspx?mfr=true)
MKJ> RealmFlags says that it is OK to delegate for the domain
MKJ> "cbs.dk" (of course, change this to your own domain).
This means that Windows will perform delegation for *every* service in the
realm. This may not be such a good idea. You only want to hand over your TGT
to trusted services. For example, if you hand it to a web server that
allows users to run personal CGIs, then you've just allowed everyone to
impersonate you!
Much better to set the OK-AS-DELEGATE flag in the tickets for individual
trusted services, and keep a close watch on their configuration.
Also, there's a performance hit. Normally the client would only have to
contact the KDC occasionally. With delegation turned on, it will do a
round trip to the KDC for a delegated TGT *on every authenticated page
fetch*. Even worse, in my environment anyway, SSPI repeats its query
twice every time, for some reason.
MKJ> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\cbs.dk]
MKJ> "*"=dword:00000001
MKJ> This puts "cbs.dk" in the trusted zone.
MKJ> I also had a problem getting this to work, and it turned out to be
MKJ> a problem with "mod_auth_kerb": I had to recompile it using its
MKJ> internal GSSAPI support and not MIT Kerberos under RHEL5. I don't
MKJ> know your setup; if it is not delegating, then recompile with
MKJ> internal GSSAPI support.
Same here; do use the internal SPNEGO code.
MKJ> Or use these:
MKJ> http://yum.cbs.dk/rhel-5Server-x86_64/RPMS/mod_auth_kerb-5.3-6.x86_64.rpm
MKJ> http://yum.cbs.dk/rhel-5Server-i386/RPMS/mod_auth_kerb-5.3-6.i386.rpm
MKJ> I'm off for a week, so hope you can get it to work.
>>
>> Now do this in PHP
>>
>> if (!isset($_SERVER["KRB5CCNAME"])) {
>>     return false;
>> }
>> putenv("KRB5CCNAME=" . $_SERVER['KRB5CCNAME']);
>>
>>
>> I often get an error message telling me $_SERVER['KRB5CCNAME']
>> doesn't exist (mostly after the first time I view something,
>> disappears when changing the file).
>>
>>
Not sure what you mean.
>>
>> $ds = @ldap_connect($this->LdapHost);
>> @ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
>>
>> if (($linkId = @ldap_sasl_bind($ds, NULL, NULL, "GSSAPI")) == false) {
>>     return false;
>> }
>>
>>
>>
>> Med Venlig Hilsen / Kind Regards
>>
>>
>> Mikkel Kruse Johnsen Adm.Dir.
>>
>> Linet Ørholmgade 6 st tv Copenhagen N 2200 Denmark
>>
>> Work: +45 21287793 Mobile: +45 21287793 Email: mikkel at linet.dk IM:
>> mikkel at linet.dk (MSN) Professional Profile Healthcare
>>
>>
>> Network Consultant
>>
>>
>> Sat, 07 03 2009 at 09:47 +0100, Henrik Hodne wrote:
>>
>> > Hello,
>> >
>> > I am in the process of creating a web panel to change LDAP attributes. The
>> > web panel is currently using mod_auth_kerb to authenticate, which is working
>> > beautifully. What we need is to authenticate to the LDAP server with that
>> > ticket. Is that even possible?
>> >
>> > -Henrik
>> > ________________________________________________
>> > Kerberos mailing list Kerberos at mit.edu
>> > https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>> -Henrik
>>
>>
>>
--
Richard Silverman
res at qoxp.net
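An added example (not code from anyone in this thread) of the PHP side of the setup discussed above: it checks the credential cache mod_auth_kerb handed over before using it for the GSSAPI bind and mirrors the slapd sasl-secprop, then looks up the authenticated user's own entry. The cache path pattern, the ldap.example.com host and the base DN are assumptions.

```php
<?php
// Added example, not code from the thread. Bind to LDAP with the TGT that
// mod_auth_kerb (KrbSaveCredentials on) forwarded for this request.
// Assumptions: mod_auth_kerb publishes the cache as $_SERVER['KRB5CCNAME']
// in the form "FILE:/tmp/krb5cc_apache_XXXXXX"; ldap.example.com is a placeholder.

function ldapBindWithForwardedTicket(string $ldapUri)
{
    if (empty($_SERVER['KRB5CCNAME'])) {
        // No delegated TGT arrived: the browser did not delegate (see the
        // Firefox/IE settings in the thread) or KrbSaveCredentials is off.
        throw new RuntimeException('no forwarded Kerberos credentials for this request');
    }
    $ccache = $_SERVER['KRB5CCNAME'];

    // Use only a cache that mod_auth_kerb itself created, so a stray or
    // spoofed value cannot point the bind at some other cache on the box.
    if (!preg_match('#^FILE:/tmp/krb5cc_apache_[A-Za-z0-9]+$#', $ccache)) {
        throw new RuntimeException('unexpected credential cache: ' . $ccache);
    }
    putenv('KRB5CCNAME=' . $ccache);

    $ds = ldap_connect($ldapUri);
    if ($ds === false) {
        throw new RuntimeException('bad LDAP URI: ' . $ldapUri);
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    // GSSAPI bind as the user whose TGT was forwarded. The last argument is
    // the SASL security-properties string; minssf=112 mirrors the slapd
    // sasl-secprop above, so a bind without an integrity/privacy layer
    // fails here instead of going unnoticed.
    if (!ldap_sasl_bind($ds, null, null, 'GSSAPI', null, null, null, 'minssf=112')) {
        $err = ldap_error($ds);
        ldap_unbind($ds);
        throw new RuntimeException('GSSAPI bind failed: ' . $err);
    }
    return $ds;
}

// Usage: read the authenticated user's own entry. mod_auth_kerb sets
// REMOTE_USER to the principal, e.g. "user@CBS.DK"; the sasl-regexp in
// slapd.conf maps that to uid=user,ou=People,dc=cbs,dc=dk.
$ds = ldapBindWithForwardedTicket('ldap://ldap.example.com');
$uid = strstr($_SERVER['REMOTE_USER'], '@', true) ?: $_SERVER['REMOTE_USER'];
$res = ldap_search($ds, 'ou=People,dc=cbs,dc=dk', 'uid=' . ldap_escape($uid, '', LDAP_ESCAPE_FILTER));
$entry = ldap_first_entry($ds, $res);
ldap_unbind($ds);
```

Because the bind runs under the user's own forwarded TGT, slapd applies that user's ACLs to the web panel's operations, which is the point of delegating rather than binding with a service account.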