Kerberos cross-realm with AD
Brian Candler
B.Candler at pobox.com
Tue Feb 8 06:17:17 EST 2011
On Tue, Feb 08, 2011 at 10:04:14PM +1100, Jean-Yves Avenard wrote:
> On 8 February 2011 21:02, Brian Candler <B.Candler at pobox.com> wrote:
> > You have a solution for mapping kerberos identity to system username via
> > ldap? If so I'd be very interested to see it.
>
> Yes, for apache..

Oh I see. Yes, mod_authnz_ldap (apache 2.2) should do the trick; the only
problem I found with it was that I couldn't use kerberos to
authenticate/encrypt the webserver-to-LDAP communication. I never got round
to patching that.

> I then patched mod_auth_kerberos so it could be used for both kerberos
> authentication and if not working default to basic authtype

apache 2.2 has that already:

    KrbMethodK5Passwd On

will fall back to basic auth, and then check the username/password against
the KDC.

Were your mods for Apache <=2.0?

Regards,
Brian.
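
The setup discussed in this message, as an added configuration example that is not part of the original post or either poster's configuration: mod_auth_kerb authenticates with the Basic fallback enabled, and mod_authnz_ldap authorizes over a StartTLS-protected simple bind, since the LDAP lookup cannot itself use Kerberos. The realm, hostnames, DNs, file paths and password are constructed placeholders, and the example assumes the directory's userPrincipalName matches the Kerberos principal (user@REALM).

```apache
# Added example for Apache 2.2 with mod_auth_kerb, mod_authnz_ldap,
# mod_ldap and mod_ssl. All names, paths and secrets are placeholders.

# Server-config context: CA used to verify the LDAP server certificate.
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/example-ca.pem
LDAPVerifyServerCert On

<Location /protected>
    # With the Basic fallback the browser sends the password to Apache,
    # so refuse any request that did not arrive over TLS.
    SSLRequireSSL

    # --- Authentication: mod_auth_kerb ---
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbAuthRealms EXAMPLE.COM
    Krb5Keytab /etc/apache2/http.keytab
    # Try SPNEGO/Negotiate first.
    KrbMethodNegotiate On
    # Fall back to Basic auth and check username/password against the KDC.
    KrbMethodK5Passwd On
    # After a password login, check the KDC's answer against the keytab so
    # a spoofed KDC cannot vouch for an arbitrary password.
    KrbVerifyKDC On

    # --- Authorization: mod_authnz_ldap ---
    # The authenticated name is user@REALM, so search on userPrincipalName
    # (assumption: it matches the Kerberos principal in this directory).
    # The trailing TLS keyword makes mod_ldap issue StartTLS before binding.
    AuthLDAPURL "ldap://dc1.example.com/dc=example,dc=com?userPrincipalName?sub?(objectClass=user)" TLS
    # Simple bind with a low-privilege lookup account; keep this file
    # readable only by root because it holds the bind password.
    AuthLDAPBindDN "cn=apache-lookup,ou=Service Accounts,dc=example,dc=com"
    AuthLDAPBindPassword "CHANGE-ME-placeholder"
    Require ldap-group cn=webusers,ou=Groups,dc=example,dc=com
</Location>
```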