Kerberos cross-realm with AD

Russ Allbery rra at stanford.edu
Tue Feb 8 12:49:36 EST 2011


Brian Candler <B.Candler at pobox.com> writes:
> On Tue, Feb 08, 2011 at 11:34:55PM +1100, Jean-Yves Avenard wrote:

>> It does fall back to basic ; but not to the basic provided by
>> mod_authz_ldap or any other authz_xxx for that matter;

> Ah, I hadn't tried that, and thank you for your explanation. Sounds like
> "KrbAuthoritative off" was intended to work the way you describe, but
> doesn't in practice.

It's very difficult to get Apache auth modules to stack in any sort of
useful fashion.  It doesn't help that Apache server hooks are almost
completely undocumented.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>



More information about the Kerberos mailing list