Kerberos cross-realm with AD

Brian Candler B.Candler at pobox.com
Tue Feb 8 06:17:17 EST 2011


On Tue, Feb 08, 2011 at 10:04:14PM +1100, Jean-Yves Avenard wrote:
> On 8 February 2011 21:02, Brian Candler <B.Candler at pobox.com> wrote:
> > You have a solution for mapping kerberos identity to system username via
> > ldap? If so I'd be very interested to see it.
> 
> Yes, for apache..

Oh I see. Yes, mod_authnz_ldap (Apache 2.2) should do the trick; the only
problem I found with it was that I couldn't use Kerberos to
authenticate/encrypt the webserver-to-LDAP communication.  I never got round
to patching that.

> I then patched mod_auth_kerberos so it could be used for both kerberos
> authentication and if not working default to basic authtype

Apache 2.2 has that already:

    KrbMethodK5Passwd On

will fall back to basic auth, and then check the username/password against
the KDC.

Were your mods for Apache <= 2.0?

Regards,

Brian.
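
An added example, not taken from the thread or from either poster's setup: an Apache 2.2 location that combines the two pieces discussed above, Kerberos authentication with the `KrbMethodK5Passwd` fallback and mod_authnz_ldap for authorization. The realm, host names, paths, DNs, group and the choice of `userPrincipalName` as the lookup attribute are all assumptions.

```apache
# Added example; every name, path and DN below is a placeholder.
<Location /protected>
    # The Basic fallback sends the password with each request, so allow TLS only.
    SSLRequireSSL

    AuthType Kerberos
    AuthName "Example intranet"
    KrbAuthRealms EXAMPLE.COM
    Krb5KeyTab /etc/apache2/http.keytab
    KrbServiceName HTTP

    # Offer Negotiate (SPNEGO) to clients that hold a ticket.
    KrbMethodNegotiate On
    # Otherwise fall back to Basic and check the username/password against the KDC.
    KrbMethodK5Passwd On

    # Authorization only: find the authenticated principal (user@REALM) in LDAP.
    # Assumes the directory stores it in userPrincipalName, as AD does.
    AuthLDAPURL "ldaps://dc1.example.com/dc=example,dc=com?userPrincipalName?sub?(objectClass=user)"

    # Simple bind with a service account over ldaps; this is the
    # webserver-to-LDAP hop that is not Kerberos-authenticated.
    AuthLDAPBindDN "cn=apache-svc,ou=Service Accounts,dc=example,dc=com"
    AuthLDAPBindPassword "CHANGE_ME"

    Require ldap-group cn=webusers,ou=Groups,dc=example,dc=com
</Location>
```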


