Authenticating to LDAP using a HTTP ticket
michael at stroeder.com
Sat Mar 7 08:21:55 EST 2009
Henrik Hodne wrote:
> On Sat, Mar 7, 2009 at 10:45 AM, Mikkel Kruse Johnsen <mikkel at linet.dk>wrote:
>> Yes, that is possible.
>> You need to set your LDAP to authenticate using SASL like this:
>> # SASL
>> sasl-host kerberos.cbs.dk
>> sasl-realm CBS.DK
>> sasl-secprop noplain,noanonymous,minssf=112
>> sasl-regexp uid=(.*),cn=CBS.DK,cn=GSSAPI,cn=auth
> Where does the SASL stuff go?
slapd.conf of OpenLDAP. If you have another LDAP server the config is
different. You don't have to do anything for MS AD.
>> Now put this in the HTTP config (Note the *KrbSaveCredentials*)
>> AuthType Kerberos
>> AuthName "Open Directory Login"
>> KrbAuthRealms CBS.DK
>> Krb5Keytab /etc/httpd/conf/httpd.keytab
>> * KrbSaveCredentials on*
>> KrbMethodNegotiate on
>> KrbMethodK5Passwd on
>> require valid-user
> This works, but I haven't got any browsers to forward tickets (that's
> probably client-side though)
You didn't say anything about your KDC. Is it MS AD?
More information about the Kerberos