Hi

Deepak Bhatia toreachdeepak1 at gmail.com
Mon Jan 28 12:37:39 EST 2013


Thanks a lot Ken, I will get back to you soon after analyzing your detailed
mail below.

On Mon, Jan 28, 2013 at 10:02 PM, Ken Dreyer <ktdreyer at ktdreyer.com> wrote:

> On Wed, Jan 16, 2013 at 6:05 AM, Deepak Bhatia <toreachdeepak1 at gmail.com>
> wrote:
> > Hi Ken,
> >
> > Thanks for your mail.
> >
> > Yes, we are using Apache as the web server.
> >
> > Also we are using ldap_bind to authenticate a user from active directory.
> >
> > Do you think if we replace ldap_bind by mod_authnz_ldap and then use
> > modauthkerb, it will solve our problem ?
> >
> > Regards
> >
> > Deepak Bhatia
>
>
> Hi Deepak,
>
> In order to use single-sign-on in a web application like this, you
> should extend the web application to have a special "HTTP login" URL.
> For example, let's say that currently your web application has a
> username/password web form, and that form posts to something like
> auth.php. Your auth.php file gets the username and password from
> $_POST, and then submits those via the PHP ldap_bind() function.
>
> To add Kerberos support, you'd want to create a parallel
> "authentication" URL, say, "auth-http.php". In terms of a GUI, for
> your login form page, you can have users click a link that says "sign
> in with Kerberos".
>
> You'll use mod_auth_kerb to protect that URL. You don't have to
> protect the entire web app, just that single /auth-http.php page. This
> will allow you to still support LDAP authentication, or even no
> authentication for some parts.
>
> This auth-http.php page should check if the  is set. If it is set,
> then you know that Apache successfully authenticated the user, and you
> can pass them through to your application, setting the appropriate
> session cookies, etc. Depending on your use case, you may want to then
> look this user up in LDAP to get more attributes, like a UID, email,
> or full name.
>
> If the $_SERVER['REMOTE_USER'] variable is not set, then either the
> user did not have proper Kerberos credentials, or the user's browser
> is misconfigured. You can even show a custom 401 HTTP error to the
> user, indicating that he or she should check their Kerberos ticket and
> browser settings.
>
> I'm simplifying a lot, but hopefully you get the idea. It would be a
> good idea to look at some existing open source web applications that
> already implement this in order to understand it. Fedora's Koji
> (Python) and Gitorious (Ruby) are the web apps I know that do this
> already. I think Cacti has support for general "HTTP" authentication
> as well, but I'm pretty sure that they assume you'll restrict the
> entire web app ("/cacti/") with Apache. When you restrict only a
> sub-URL (such as "/auth-http.php"), then you have the ability to
> support Kerberos without making it a requirement to use your web app
> at all.
>
> - Ken
>
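As an added example (not code from Ken's mail, from Deepak's application, or from any of the projects Ken names), here is what the single Kerberos-protected `auth-http.php` page described above could look like in PHP, with the Apache `mod_auth_kerb` stanza that guards only that path shown in the leading comment. The realm `EXAMPLE.COM`, the keytab path, the LDAP host `dc.example.com`, the service account and the `LDAP_SVC_PASSWORD` environment variable are all assumptions; the rest of the application keeps its existing `ldap_bind()` form login untouched.

```php
<?php
// auth-http.php: the one URL Apache protects with mod_auth_kerb, e.g.
//
//   <Location "/auth-http.php">
//       AuthType Kerberos
//       AuthName "Kerberos Login"
//       KrbAuthRealms EXAMPLE.COM          # assumed realm
//       Krb5Keytab /etc/httpd/http.keytab  # assumed keytab path
//       KrbMethodNegotiate On
//       KrbMethodK5Passwd Off              # no password fallback over HTTP
//       Require valid-user
//   </Location>
//
// Everything else (the LDAP form login, public pages) stays unprotected.
declare(strict_types=1);

const EXPECTED_REALM = 'EXAMPLE.COM';  // assumption: the only realm we trust
const POST_LOGIN_URL = '/index.php';   // fixed target, never taken from the request

/**
 * Turn Apache's REMOTE_USER ("user@REALM") into a bare username, or null when
 * the principal is missing, malformed, or from a realm we do not trust.
 */
function principal_to_username(?string $remoteUser, string $expectedRealm): ?string
{
    if ($remoteUser === null || $remoteUser === '') {
        return null;
    }
    $parts = explode('@', $remoteUser, 2);
    if (count($parts) !== 2 || strcasecmp($parts[1], $expectedRealm) !== 0) {
        return null; // no realm or a foreign realm: do not map onto a local account
    }
    // Restrict to the character set your account names actually use.
    return preg_match('/^[A-Za-z0-9._-]{1,64}$/', $parts[0]) === 1 ? $parts[0] : null;
}

/**
 * Optional follow-up Ken mentions: look the user up in Active Directory for
 * extra attributes. Uses a read-only service account (hypothetical); the
 * user's own Kerberos ticket is not reused here.
 */
function lookup_ad_attributes(string $username): array
{
    $password = getenv('LDAP_SVC_PASSWORD') ?: '';
    if ($password === '') {
        return []; // never fall back to an anonymous bind
    }
    $ldap = ldap_connect('ldaps://dc.example.com'); // assumption
    if ($ldap === false) {
        return [];
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    if (!@ldap_bind($ldap, 'svc-web@EXAMPLE.COM', $password)) {
        return [];
    }
    // Escape the username so it cannot alter the LDAP filter.
    $filter = '(sAMAccountName=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';
    $res = ldap_search($ldap, 'DC=example,DC=com', $filter, ['mail', 'displayName']);
    $entries = $res ? ldap_get_entries($ldap, $res) : ['count' => 0];
    ldap_unbind($ldap);
    if ($entries['count'] !== 1) {
        return [];
    }
    return [
        'mail'        => $entries[0]['mail'][0] ?? null,
        'displayName' => $entries[0]['displayname'][0] ?? null, // keys are lowercased
    ];
}

$username = principal_to_username($_SERVER['REMOTE_USER'] ?? null, EXPECTED_REALM);

if ($username === null) {
    // Apache did not authenticate the user (no ticket, or the browser is not
    // configured for Negotiate): the custom 401 Ken describes.
    http_response_code(401);
    header('Content-Type: text/plain; charset=utf-8');
    echo "Kerberos sign-in failed. Check that you hold a valid ticket (klist) "
       . "and that your browser trusts this site for Negotiate authentication.\n";
    exit;
}

// Apache authenticated the user: establish the application session.
session_start();
session_regenerate_id(true); // new session id so a pre-login id cannot be fixed
$_SESSION['user']        = $username;
$_SESSION['auth_method'] = 'kerberos';
$_SESSION['attrs']       = lookup_ad_attributes($username);

header('Location: ' . POST_LOGIN_URL, true, 303);
exit;
```

Two design choices worth noting: the realm check in `principal_to_username()` stops a principal from a cross-realm trust being silently mapped onto a same-named local account, and `KrbMethodK5Passwd Off` keeps `mod_auth_kerb` from accepting a Basic-auth password over HTTP as a fallback, so this URL only ever succeeds via a real Negotiate ticket.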

