Hi

Ken Dreyer ktdreyer at ktdreyer.com
Mon Jan 28 11:32:50 EST 2013


On Wed, Jan 16, 2013 at 6:05 AM, Deepak Bhatia <toreachdeepak1 at gmail.com> wrote:
> Hi Ken,
>
> Thanks for your mail.
>
> Yes, we are using Apache as the web server.
>
> Also we are using ldap_bind to authenticate a user from active directory.
>
> Do you think if we replace ldap_bind by mod_authnz_ldap and then use
> modauthkerb, it will solve our problem ?
>
> Regards
>
> Deepak Bhatia


Hi Deepak,

In order to use single-sign-on in a web application like this, you
should extend the web application to have a special "HTTP login" URL.
For example, let's say that currently your web application has a
username/password web form, and that form posts to something like
auth.php. Your auth.php file gets the username and password from
$_POST, and then submits those via the PHP ldap_bind() function.

To add Kerberos support, you'd want to create a parallel
"authentication" URL, say, "auth-http.php". In terms of a GUI, for
your login form page, you can have users click a link that says "sign
in with Kerberos".

You'll use mod_auth_kerb to protect that URL. You don't have to
protect the entire web app, just that single /auth-http.php page. This
will allow you to still support LDAP authentication, or even no
authentication for some parts.

This auth-http.php page should check if the $_SERVER['REMOTE_USER'] variable is set. If it is set,
then you know that Apache successfully authenticated the user, and you
can pass them through to your application, setting the appropriate
session cookies, etc. Depending on your use case, you may want to then
look this user up in LDAP to get more attributes, like a UID, email,
or full name.

If the $_SERVER['REMOTE_USER'] variable is not set, then either the
user did not have proper Kerberos credentials, or the user's browser
is misconfigured. You can even show a custom 401 HTTP error to the
user, indicating that he or she should check their Kerberos ticket and
browser settings.

I'm simplifying a lot, but hopefully you get the idea. It would be a
good idea to look at some existing open source web applications that
already implement this in order to understand it. Fedora's Koji
(Python) and Gitorious (Ruby) are the web apps I know that do this
already. I think Cacti has support for general "HTTP" authentication
as well, but I'm pretty sure that they assume you'll restrict the
entire web app ("/cacti/") with Apache. When you restrict only a
sub-URL (such as "/auth-http.php"), then you have the ability to
support Kerberos without making it a requirement to use your web app
at all.

- Ken
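
The approach Ken sketches, written out as an added example (this is not code from the original message, from Deepak's application or from mod_auth_kerb). It assumes Apache protects only /auth-http.php with mod_auth_kerb, that the trusted realm is EXAMPLE.COM, that the keytab path is /etc/httpd/conf/http.keytab, and that the existing application keys its session on $_SESSION['user']; all of those names are assumptions. The one check worth adding beyond "is REMOTE_USER set" is the realm: with KrbLocalUserMapping Off, mod_auth_kerb puts the full principal (user@REALM) into REMOTE_USER, so the script compares the realm against the one it expects instead of simply stripping everything after the "@".

```php
<?php
// auth-http.php -- Kerberos SSO entry point for an existing PHP application.
// Added example, not code from the original message. Assumes Apache protects
// only this URL with mod_auth_kerb, e.g. (realm and keytab path are assumptions):
//
//   <Location /auth-http.php>
//       AuthType Kerberos
//       AuthName "Kerberos Login"
//       KrbMethodNegotiate On
//       KrbMethodK5Passwd Off
//       KrbAuthRealms EXAMPLE.COM
//       Krb5KeyTab /etc/httpd/conf/http.keytab
//       KrbLocalUserMapping Off
//       Require valid-user
//   </Location>
//
// With KrbLocalUserMapping Off, REMOTE_USER is the full principal, e.g.
// "deepak@EXAMPLE.COM", so the realm must be checked, not just stripped.

declare(strict_types=1);

const EXPECTED_REALM = 'EXAMPLE.COM';   // assumption: the AD realm the app trusts

/**
 * Split a principal taken from REMOTE_USER into [user, realm].
 * Returns null when the value is not a plain "user@REALM" principal
 * (no realm, empty user, or a service/instance name such as "HTTP/host",
 * which should never be allowed to log into the web app).
 */
function parse_principal(string $remoteUser): ?array
{
    $at = strrpos($remoteUser, '@');
    if ($at === false || $at === 0 || $at === strlen($remoteUser) - 1) {
        return null;
    }
    $user  = substr($remoteUser, 0, $at);
    $realm = substr($remoteUser, $at + 1);
    // Accept only simple account names; "/" in the name marks an instance principal.
    if (!preg_match('/^[A-Za-z0-9._-]+$/', $user)) {
        return null;
    }
    return [$user, $realm];
}

/**
 * Decide whether an Apache-supplied REMOTE_USER value may log in.
 * Returns the local username on success, null otherwise.
 */
function kerberos_login_user(?string $remoteUser, string $expectedRealm): ?string
{
    if ($remoteUser === null || $remoteUser === '') {
        return null;   // Apache did not authenticate this request: fail closed
    }
    $parsed = parse_principal($remoteUser);
    if ($parsed === null) {
        return null;
    }
    [$user, $realm] = $parsed;
    // Kerberos realm names are case-sensitive; compare them exactly.
    if ($realm !== $expectedRealm) {
        return null;   // principal from another realm, even if the username matches
    }
    return $user;
}

// --- request handling (skipped when the file is included from the CLI) ---
if (PHP_SAPI !== 'cli') {
    // Only the CGI variable set by Apache is trusted. A client-supplied header
    // named "Remote-User" would show up as $_SERVER['HTTP_REMOTE_USER'], which
    // this script never reads.
    $user = kerberos_login_user($_SERVER['REMOTE_USER'] ?? null, EXPECTED_REALM);

    if ($user === null) {
        http_response_code(401);
        header('Content-Type: text/plain');
        echo "Kerberos login failed: check that you hold a valid ticket and that "
           . "your browser allows Negotiate authentication to this host.\n";
        exit;
    }

    // Same session handling as the form-based login; regenerate the ID so a
    // session fixed before login cannot be reused afterwards.
    session_start();
    session_regenerate_id(true);
    $_SESSION['user']        = $user;        // assumption: the app keys sessions on 'user'
    $_SESSION['auth_method'] = 'kerberos';
    // Optionally look $user up in LDAP here for mail, displayName and similar attributes.
    header('Location: /index.php', true, 303);
    exit;
}
```

Note on the failure path: when the browser does not present a usable ticket, mod_auth_kerb returns the 401 itself before PHP runs, so the message such users see comes from an ErrorDocument 401 directive placed in the same Location block; the 401 branch in the script only fires if the Location protection is missing or misapplied, which is exactly when the script must refuse to log anyone in.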

