Kerberos cross-realm with AD

Jean-Yves Avenard jyavenard at gmail.com
Tue Feb 8 07:34:55 EST 2011


Hi

On 8 February 2011 22:17, Brian Candler <B.Candler at pobox.com> wrote:

>    KrbMethodK5Passwd On
>
> will fallback to basic auth, and then check the username/password against
> the KDC.

Not quite.

It does fall back to basic; but not to the basic provided by
mod_authz_ldap or any other authz_xxx, for that matter.
KrbMethodK5Passwd handles it all, and as you configured Apache with
AuthType kerberos, none of the remaining mod_auth_xx modules work, because
those expect Apache to be in mode AuthType basic. In the flow of
Apache modules, when mod_auth_kerb isn't authoritative it will only
call other authentication modules compatible with the AuthType of the
module on top of the stack: here mod_auth_kerb.

So Apache does something like:
mod_auth_kerb -> basic; got authentication going. Then it tries to
check what other authorisation/authentication modules are available
with AuthType kerberos, as Apache can not mix authentication types (I
read that the next version of Apache would have a workaround for
this, but it's been years since they talked about it).

make sense?

What I wanted here is:

use kerberos for authentication; if authentication works -> authz_ldap
if kerberos failed: continue to auth_ldap -> authz_ldap

This provides far greater flexibility and lets me handle both full
kerberos authentication, or, for users with no kerberos at all, it
falls back to plain ldap authentication with the flexibility that
comes with it.

My mods are for Apache 2.2; mod_auth_ldap was unfortunately completely
rewritten in 2.2, and it is very different from earlier versions of
Apache, which had two distinct ldap modules: one for authentication,
one for authorisation.
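For readers following the KrbMethodK5Passwd discussion above, here is an added example of the mod_auth_kerb directive set the thread is talking about on Apache 2.2. It is not configuration from the thread or from either poster; the realm, keytab path and location are placeholders. The LDAP fallback the poster wants is deliberately not shown, since the post explains that stock 2.2 cannot chain a second AuthType behind AuthType Kerberos.

```apache
# Added example, not from the mailing-list thread.
# Realm, keytab and location are placeholders.
<Location /secure>
    # KrbMethodK5Passwd accepts the user's password via HTTP Basic auth,
    # so the location must only be reachable over TLS.
    SSLRequireSSL
    AuthType Kerberos
    AuthName "Kerberos login"
    KrbAuthRealms EXAMPLE.COM
    Krb5Keytab /etc/apache2/http.keytab
    KrbServiceName HTTP
    # Try SPNEGO (ticket) first ...
    KrbMethodNegotiate On
    # ... then fall back to Basic; mod_auth_kerb itself verifies the
    # password against the KDC, no other auth module is consulted.
    KrbMethodK5Passwd On
    # Verify the KDC's reply against the keytab so a spoofed KDC cannot
    # vouch for a password-based login.
    KrbVerifyKDC On
    KrbSaveCredentials Off
    Require valid-user
</Location>
```

The two settings a practitioner should check when KrbMethodK5Passwd is left On are SSLRequireSSL (the fallback transmits a reusable password, unlike a service ticket) and KrbVerifyKDC (without it, password verification trusts whatever answers as the KDC).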