Authenticating to LDAP using a HTTP ticket

Michael Ströder michael at
Sat Mar 7 08:21:55 EST 2009

Henrik Hodne wrote:
> On Sat, Mar 7, 2009 at 10:45 AM, Mikkel Kruse Johnsen <mikkel at> wrote:
>> Yes, that is possible.
>> You need to set your LDAP to authenticate using SASL like this:
>> # SASL
>> sasl-host
>> sasl-realm      CBS.DK
>> sasl-secprop    noplain,noanonymous,minssf=112
>> sasl-regexp     uid=(.*),cn=CBS.DK,cn=GSSAPI,cn=auth
>>                 uid=$1,ou=People,dc=cbs,dc=dk
> Where does the SASL stuff go?

slapd.conf of OpenLDAP. If you have another LDAP server the config is
different. You don't have to do anything for MS AD.

>> Now put this in the HTTP config (Note the *KrbSaveCredentials*)
>> AuthType Kerberos
>> AuthName "Open Directory Login"
>> KrbAuthRealms CBS.DK
>> Krb5Keytab /etc/httpd/conf/httpd.keytab
>> *KrbSaveCredentials on*
>> KrbMethodNegotiate on
>> KrbMethodK5Passwd on
>> require valid-user
> This works, but I haven't got any browsers to forward tickets (that's
> probably client-side though)

You didn't say anything about your KDC. Is it MS AD?

Ciao, Michael.
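The sasl-regexp line quoted above is the piece that decides which directory entry a Kerberos-authenticated web user ends up bound as, so it is worth seeing exactly what slapd matches against. The following is an added example, not code from the thread or from OpenLDAP: it emulates how slapd turns a SASL GSSAPI authentication identity (user@REALM) into the DN form uid=<user>,cn=<realm>,cn=GSSAPI,cn=auth and then applies the posted pattern/template pair. Assumptions labelled in the code: the match is done case-insensitively to mirror slapd normalising the identity, and STRICT_PATTERN is my tightened variant (anchored, dot escaped, uid capture stopping at the first comma), not something the thread proposes.

```python
import re
from typing import Optional

# sasl-regexp pair exactly as posted in the thread (Mikkel's slapd.conf).
POSTED_PATTERN = r"uid=(.*),cn=CBS.DK,cn=GSSAPI,cn=auth"
POSTED_TEMPLATE = "uid=$1,ou=People,dc=cbs,dc=dk"

# Tightened variant (my suggestion, not from the thread): anchored at both ends,
# the realm's dot escaped so it no longer matches any character, and the uid
# capture stops at the first comma instead of swallowing the rest of the DN.
STRICT_PATTERN = r"^uid=([^,]+),cn=cbs\.dk,cn=gssapi,cn=auth$"


def sasl_authc_dn(authcid: str, realm: str, mech: str) -> str:
    """DN form that slapd derives from a SASL authentication identity
    before any sasl-regexp is consulted."""
    return f"uid={authcid},cn={realm},cn={mech},cn=auth"


def apply_sasl_regexp(authc_dn: str, pattern: str, template: str) -> Optional[str]:
    """Emulate one sasl-regexp line: match the pattern against the DN-form
    identity and substitute $1..$9 into the replacement template."""
    # Assumption: compare case-insensitively, mirroring slapd matching the
    # normalised identity (the realm is conventionally upper-case in Kerberos).
    match = re.search(pattern, authc_dn, re.IGNORECASE)
    if match is None:
        return None
    return re.sub(r"\$(\d)", lambda ref: match.group(int(ref.group(1))), template)


def map_principal(principal: str, mech: str = "GSSAPI",
                  pattern: str = POSTED_PATTERN,
                  template: str = POSTED_TEMPLATE) -> Optional[str]:
    """Map 'user@REALM' to the bind DN slapd would use, or None when the
    sasl-regexp does not match (slapd then keeps the cn=auth identity, which
    matches no real entry, so ACLs based on the People subtree do not apply)."""
    authcid, _, realm = principal.rpartition("@")
    if not authcid or not realm:
        return None
    return apply_sasl_regexp(sasl_authc_dn(authcid, realm, mech), pattern, template)


if __name__ == "__main__":
    # Constructed sample principals, not taken from the thread.
    for who in ("henrik@CBS.DK", "henrik@OTHER.DK", "henrik@CBSXDK"):
        print(f"{who:18} posted -> {map_principal(who)}")
        print(f"{who:18} strict -> {map_principal(who, pattern=STRICT_PATTERN)}")
```

Run it and the posted pattern maps henrik@CBS.DK to uid=henrik,ou=People,dc=cbs,dc=dk, leaves henrik@OTHER.DK unmapped (the realm is part of the pattern, which is what keeps a foreign realm's users out of the People subtree), and also maps the constructed realm CBSXDK because the unescaped dot in CBS.DK matches any character; the strict pattern rejects that last case. A DIGEST-MD5 bind with the same user name is likewise left unmapped, since cn=GSSAPI is part of the match.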

More information about the Kerberos mailing list