Authenticating to LDAP using a HTTP ticket

Douglas E. Engert deengert at anl.gov
Mon Mar 9 10:44:27 EDT 2009



Mikkel Kruse Johnsen wrote:
>> Hello,
>>
>> I have a few more questions
>>
[...]
> 
> To get the browsers to forward tickets you need to:
> 
> Firefox: Type "about:config" in the Location bar. Type "nego" in the
> filter and double-click "network.negotiate-auth.delegation-uris" and
> "network.negotiate-auth.trusted-uris" and type in your domain name (in
> my example I have "cbs.dk" in both)
> 
> IE: You need to change a regedit setting like this:
> 
> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos
> \Domains\CBS.DK]
> "KdcNames"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,2e,00,63,00,\
>   62,00,73,00,2e,00,64,00,6b,00,00,00,00,00
> "RealmFlags"=dword:00000006
> 
> (KdcNames is your list of kerberos servers)

The above can also be done using the Microsoft ksetup:
> C:\>ksetup /ListRealmFlags
> 
> Ksetup knows the following realm flags:
> 0x00 None         No Realm Flags
> 0x01 SendAddress  Include IP numbers within tickets.
>                   Useful for solving SOME compatibility issues.
> 0x02 TcpSupported Indicates that this realm supports TCP.
>                   (as opposed to just UDP)
> 0x04 Delegate     Everyone in this realm is trusted for delegation
> 0x08 NcSupported  This realm supports Name Canonicalization

But this then says IE and any SSPI applications that use Kerberos can
also delegate. This might not be what you want.
Microsoft checks the OK-AS-DELEGATE Kerberos ticket flag, which its KDC
will set for trusted servers. This is an advisory to the client to only
delegate to servers trusted for delegation by the domain admins.
Other versions of Kerberos are starting to add this feature to the
KDC and to the clients. So this whole area is in transition.

> 
> (http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/95141.mspx?mfr=true)
> 
> RealmFlags tells that it is OK to delegate for the domain "cbs.dk" (of
> course change to your own domain)
> 
> 
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
> Settings\ZoneMap\Domains\cbs.dk]
> "*"=dword:00000001
> 
> This sets "cbs.dk" in trusted zone.
> 
> 
> 
> I also had a problem getting this to work and it turned out to be a
> problem with "mod_auth_kerb". I had to recompile it, using its internal
> GSSAPI support and not MIT Kerberos under RHEL5.
> Don't know your setup; if it is not delegating then recompile with
> internal GSSAPI support.
> 
> Or use these:
> 
> http://yum.cbs.dk/rhel-5Server-x86_64/RPMS/mod_auth_kerb-5.3-6.x86_64.rpm 
> http://yum.cbs.dk/rhel-5Server-i386/RPMS/mod_auth_kerb-5.3-6.i386.rpm
> 
> 
> I'm off for a week, so hope you can get it to work.
> 
> 
>>         
>>         Now do this in PHP
>>         
>>         if (!isset($_SERVER["KRB5CCNAME"])) {
>>         return false;
>>         }
>>         putenv("KRB5CCNAME=" . $_SERVER['KRB5CCNAME']);
>>         
>>
>> I often get an error message telling me $_SERVER['KRB5CCNAME'] doesn't
>> exist (mostly after the first time I view something, disappears when
>> changing the file).
>>  
>>
> 
> Not sure what you mean.
> 
> 
>>         
>>         $ds = @ldap_connect($this->LdapHost);
>>         @ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
>>         
>>         if (($linkId = @ldap_sasl_bind($ds, NULL, NULL, "GSSAPI")) ==
>>         false) {
>>             return false;
>>         }
>>         
>>         
>>         
>>         Med Venlig Hilsen / Kind Regards
>>         
>>         Mikkel Kruse Johnsen
>>         Adm.Dir.
>>         
>>         Linet
>>         Ørholmgade 6 st tv
>>         Copenhagen N
>>         2200 Denmark
>>         
>>         Work: +45 21287793
>>         Mobile: +45 21287793
>>         Email: mikkel at linet.dk
>>         IM: mikkel at linet.dk (MSN)
>>         Professional Profile
>>         Healthcare Network Consultant
>>         
>>         Sat, 07 03 2009 at 09:47 +0100, Henrik Hodne wrote: 
>>         
>>         > Hello,
>>         > 
>>         > I am in the process of creating a web panel to change LDAP attributes. The
>>         > web panel is currently using mod_auth_kerb to authenticate, which is working
>>         > beautifully. What we need is to authenticate to the LDAP server with that
>>         > ticket. Is that even possible?
>>         > 
>>         > -Henrik
>>         > ________________________________________________
>>         > Kerberos mailing list           Kerberos at mit.edu
>>         > https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>> -Henrik 
>>
>>
>>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
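The PHP snippet quoted in the thread, completed as a stand-alone example. This is added here and is not code from the thread, from mod_auth_kerb or from PHP's documentation. It ties the two halves of the discussion together: when no delegated credential cache was handed to the request (the browser was not configured to forward the ticket, or the KDC did not mark the web server OK-AS-DELEGATE), the bind is refused rather than silently falling back to an anonymous or password bind; the cache name is validated before it is exported to the environment; and the identity used for the LDAP bind comes entirely from the forwarded ticket. It assumes mod_auth_kerb runs with `KrbSaveCredentials On` (the directive that populates `KRB5CCNAME` in the request environment); the host `ldap.example.com`, the base DN and the function names are placeholders.

```php
<?php
// Added example: bind to LDAP with the Kerberos credentials that
// mod_auth_kerb delegated for this request (KrbSaveCredentials On).
// Hostnames, DNs and function names below are placeholders.

/**
 * Return the delegated credential cache name, or null when the request
 * carries none. A missing KRB5CCNAME means the browser did not forward
 * the ticket (delegation-uris / RealmFlags not set) or the KDC did not
 * flag this server OK-AS-DELEGATE; either way there is nothing to bind with.
 */
function delegatedCcache(): ?string
{
    if (empty($_SERVER['KRB5CCNAME'])) {
        return null;
    }
    $cc = $_SERVER['KRB5CCNAME'];
    // Only accept a FILE: cache with an absolute path that exists and is
    // readable by the web server user (assumption: mod_auth_kerb writes a
    // per-request FILE: cache). Anything else is refused, never "fixed up".
    if (!preg_match('#^FILE:(/[^\0]+)$#', $cc, $m)) {
        return null;
    }
    if (!is_file($m[1]) || !is_readable($m[1])) {
        return null;
    }
    return $cc;
}

/**
 * Connect and bind with GSSAPI using the delegated ticket.
 * Returns the LDAP link on success, false otherwise. No DN or password
 * is ever supplied: the bound identity is whoever the ticket names.
 */
function bindWithDelegatedTicket(string $ldapUri)
{
    $cc = delegatedCcache();
    if ($cc === null) {
        return false;
    }
    // libkrb5 / cyrus-sasl locate the cache through KRB5CCNAME.
    putenv('KRB5CCNAME=' . $cc);

    $ds = ldap_connect($ldapUri);
    if ($ds === false) {
        return false;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    // Chasing referrals would re-bind anonymously elsewhere; keep it off.
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    if (!@ldap_sasl_bind($ds, null, null, 'GSSAPI')) {
        // Log server-side only; do not echo Kerberos/SASL details to the browser.
        error_log('GSSAPI bind failed: ' . ldap_error($ds));
        ldap_unbind($ds);
        return false;
    }
    return $ds;
}

// Usage (placeholder host and base DN):
$ds = bindWithDelegatedTicket('ldap://ldap.example.com');
if ($ds === false) {
    http_response_code(403);
    exit('No delegated Kerberos credentials for this request');
}

// Every operation from here on runs as the forwarded user, so the
// directory's own ACLs decide what the web panel may change.
$res = ldap_search($ds, 'dc=example,dc=com', '(uid=*)', ['uid', 'mail']);
if ($res !== false) {
    $entries = ldap_get_entries($ds, $res);
    echo 'Entries visible to the delegated identity: ' . $entries['count'] . "\n";
}
ldap_unbind($ds);
```

The `@` suppression from the original snippet is kept only on the bind call, and the failure is written to the server log instead of being swallowed, so that the "KRB5CCNAME doesn't exist" symptom discussed in the thread shows up as a distinguishable 403 rather than an unexplained empty page.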
