Kerberos cross-realm with AD
Jean-Yves Avenard
jyavenard at gmail.com
Tue Feb 8 07:34:55 EST 2011
Hi
On 8 February 2011 22:17, Brian Candler <B.Candler at pobox.com> wrote:
> KrbMethodK5Passwd On
>
> will fallback to basic auth, and then check the username/password against
> the KDC.
Not quite.

It does fall back to basic, but not to the basic provided by mod_authz_ldap or any other authz_xxx for that matter. KrbMethodK5Passwd handles it all, and as you configured Apache with AuthType kerberos, none of the remaining mod_auth_xx modules work, because those expect Apache to be in AuthType basic mode. In the flow of Apache modules, when mod_auth_kerb isn't authoritative it will only call other authentication modules compatible with the AuthType of the module on top of the stack: here, mod_auth_kerb.

So Apache does something like:
mod_auth_kerb -> basic; got authentication going. Then it tries to check what other authorisation/authentication modules are available with AuthType kerberos, as Apache cannot mix authentication types (I read that the next version of Apache would have a workaround for this, but it's been years since they talked about it).

Make sense?

What I wanted here is:
use Kerberos for authentication; if authentication works -> authz_ldap
if Kerberos failed: continue to auth_ldap -> authz_ldap

This provides far greater flexibility and lets me handle both full Kerberos authentication, or, for users with no Kerberos at all, a fallback to plain LDAP authentication with the flexibility that comes with it.

My mods are for Apache 2.2; mod_auth_ldap was completely rewritten in 2.2, unfortunately, and it is very different from earlier versions of Apache, which had two distinct LDAP modules: one for authentication, one for authorisation.
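For reference, an added Apache 2.2 configuration fragment (not from the original post or the author's patches) showing the stock mod_auth_kerb setup with the KrbMethodK5Passwd fallback the thread discusses; the realm, keytab path and location are placeholders.

```apache
# Added example, not the poster's own configuration. Realm, paths and the
# location are placeholders for illustration.
<Location /secure>
    # Passwords sent via the basic fallback transit in cleartext to Apache,
    # so refuse the location over plain HTTP.
    SSLRequireSSL

    AuthType Kerberos
    AuthName "EXAMPLE.ORG Kerberos Login"
    KrbAuthRealms EXAMPLE.ORG
    Krb5Keytab /etc/apache2/http.keytab
    KrbServiceName HTTP

    # Preferred path: SPNEGO/Negotiate with a ticket from the user's KDC.
    KrbMethodNegotiate On

    # Fallback path: the browser prompts for a username/password and
    # mod_auth_kerb itself validates them by obtaining a TGT from the KDC.
    # No other basic-auth provider (e.g. LDAP) is consulted here, which is
    # exactly the limitation described above.
    KrbMethodK5Passwd On

    # Verify the TGT obtained on the fallback path against the HTTP keytab,
    # so a spoofed KDC cannot "accept" an arbitrary password (default On).
    KrbVerifyKDC On

    # Strip @EXAMPLE.ORG from REMOTE_USER so that downstream authorisation
    # modules see the bare username.
    KrbLocalUserMapping On

    Require valid-user
</Location>
```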