[30822] in Kerberos


Re: Authenticating to LDAP using a HTTP ticket

daemon@ATHENA.MIT.EDU (Mikkel Kruse Johnsen)
Sat Mar 7 04:46:47 2009

From: Mikkel Kruse Johnsen <mikkel@linet.dk>
To: Henrik Hodne <henrik.hodne@gmail.com>
In-Reply-To: <fc641c1a0903070047h4fade047ja0f082a9f300c53e@mail.gmail.com>
Date: Sat, 07 Mar 2009 10:45:54 +0100
Message-Id: <1236419154.3965.5.camel@localhost.localdomain>
Mime-Version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

Hi Henrik
Yes, that is possible.
You need to set your LDAP to authenticate using SASL like this:
# SASL
sasl-host       kerberos.cbs.dk
sasl-realm      CBS.DK
sasl-secprop    noplain,noanonymous,minssf=112
sasl-regexp     uid=(.*),cn=CBS.DK,cn=GSSAPI,cn=auth
                uid=$1,ou=People,dc=cbs,dc=dk

Now put this in the HTTP config (Note the KrbSaveCredentials)

	AuthType Kerberos
	AuthName "Open Directory Login"
	KrbAuthRealms CBS.DK
	Krb5Keytab /etc/httpd/conf/httpd.keytab
	KrbSaveCredentials on
	KrbMethodNegotiate on
	KrbMethodK5Passwd on
	require valid-user
Now do this in PHP
		// mod_auth_kerb exports the saved credential cache path when
		// KrbSaveCredentials is on; without it there is nothing to bind with.
		if (!isset($_SERVER["KRB5CCNAME"])) {
			return false;
		}
		// Point the GSSAPI library at the user's delegated credential cache.
		putenv("KRB5CCNAME=" . $_SERVER['KRB5CCNAME']);

		$ds = @ldap_connect($this->LdapHost);
		@ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);

		// SASL GSSAPI bind: no DN or password, the Kerberos ticket is the credential.
		if (($linkId = @ldap_sasl_bind($ds, NULL, NULL, "GSSAPI")) == false) {
			return false;
		}


Med Venlig Hilsen / Kind Regards

Mikkel Kruse Johnsen
Adm. Dir.
Linet
Ørholmgade 6 st tv
Copenhagen N 2200
Denmark
Work: +45 21287793
Mobile: +45 21287793
Email: mikkel@linet.dk
IM: mikkel@linet.dk (MSN)
Professional Profile
Healthcare Network Consultant

Sat, 07 03 2009 at 09:47 +0100, Henrik Hodne wrote:
> Hello,
>
> I am in the process of creating a web panel to change LDAP attributes. The
> web panel is currently using mod_auth_kerb to authenticate, which is working
> beautifully. What we need is to authenticate to the LDAP server with that
> ticket. Is that even possible?
>
> -Henrik
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
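As an added illustration (not part of the thread, and not OpenLDAP's or PHP's own code), the Python below models the sasl-regexp step from the slapd.conf fragment above: it builds the uid=<user>,cn=<realm>,cn=GSSAPI,cn=auth identity that slapd matches the rule against (assumed here to be formed by splitting the Kerberos principal at "@"), applies the rule, and returns the directory DN the bind is mapped to, or None when no rule matches, for instance for a principal from another realm.

```python
import re
from typing import List, Optional, Tuple

# Constructed from the mail's slapd.conf: one sasl-regexp rule as
# (identity pattern, DN template). $1, $2, ... refer to capture groups.
# The mail uses (.*); the OpenLDAP admin guide examples use ([^,]*) so the
# captured user name cannot span into further components of the identity.
SASL_REGEXP_RULES: List[Tuple[str, str]] = [
    (r"uid=(.*),cn=CBS.DK,cn=GSSAPI,cn=auth", "uid=$1,ou=People,dc=cbs,dc=dk"),
]


def sasl_authc_identity(principal: str, mech: str = "GSSAPI") -> str:
    """Build the uid=<user>,cn=<realm>,cn=<mech>,cn=auth form the rule is
    matched against. Assumption: the authenticated principal is user@REALM."""
    if "@" not in principal:
        raise ValueError("principal must be of the form user@REALM")
    user, realm = principal.rsplit("@", 1)
    return f"uid={user},cn={realm},cn={mech},cn=auth"


def map_sasl_identity(authc_id: str,
                      rules: List[Tuple[str, str]] = SASL_REGEXP_RULES) -> Optional[str]:
    """Apply the rules in order; the first pattern matching the whole identity
    wins and its template is expanded. None means no rule matched, so the bind
    identity stays unmapped and corresponds to no entry in the directory."""
    for pattern, template in rules:
        m = re.fullmatch(pattern, authc_id)  # whole-identity match (simplification)
        if m is None:
            continue
        return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), template)
    return None


def bind_dn_for_principal(principal: str) -> Optional[str]:
    """Principal presented over GSSAPI -> DN slapd treats the bind as."""
    return map_sasl_identity(sasl_authc_identity(principal))


if __name__ == "__main__":
    for p in ("mikkel@CBS.DK", "someone@OTHER.REALM"):
        print(p, "->", bind_dn_for_principal(p))
```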
