[30823] in Kerberos


Re: Authenticating to LDAP using a HTTP ticket

daemon@ATHENA.MIT.EDU (Henrik Hodne)
Sat Mar 7 07:04:21 2009

MIME-Version: 1.0
In-Reply-To: <1236419154.3965.5.camel@localhost.localdomain>
Date: Sat, 7 Mar 2009 13:03:09 +0100
Message-ID: <fc641c1a0903070403u71159e1flc0efc659bebee5e3@mail.gmail.com>
From: Henrik Hodne <henrik.hodne@gmail.com>
To: Mikkel Kruse Johnsen <mikkel@linet.dk>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="iso-8859-1"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

Hello,

I have a few more questions

On Sat, Mar 7, 2009 at 10:45 AM, Mikkel Kruse Johnsen <mikkel@linet.dk> wrote:

>  Hi Henrik
>
> Yes, that is possible.
>
> You need to set your LDAP to authenticate using SASL like this:
>
> # SASL
> sasl-host       kerberos.cbs.dk
> sasl-realm      CBS.DK
> sasl-secprop    noplain,noanonymous,minssf=112
> sasl-regexp     uid=(.*),cn=CBS.DK,cn=GSSAPI,cn=auth
>                 uid=$1,ou=People,dc=cbs,dc=dk
>

Where does the SASL stuff go?


>
>
> Now put this in the HTTP config (Note the *KrbSaveCredentials*)
>
>
> AuthType Kerberos
> AuthName "Open Directory Login"
> KrbAuthRealms CBS.DK
> Krb5Keytab /etc/httpd/conf/httpd.keytab
> *KrbSaveCredentials on*
> KrbMethodNegotiate on
> KrbMethodK5Passwd on
> require valid-user
>

This works, but I haven't got any browsers to forward tickets (that's
probably client-side though)


>
> Now do this in PHP
>
> if (!isset($_SERVER["KRB5CCNAME"])) {
>     return false;
> }
> putenv("KRB5CCNAME=" . $_SERVER['KRB5CCNAME']);
>

I often get an error message telling me $_SERVER['KRB5CCNAME'] doesn't exist
(mostly after the first time I view something, disappears when changing the
file).


>
> $ds = @ldap_connect($this->LdapHost);
> @ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
>
> if (($linkId = @ldap_sasl_bind($ds, NULL, NULL, "GSSAPI")) == false) {
>     return false;
> }
>
>
>
>   Med Venlig Hilsen / Kind Regards
>
>
>   *Mikkel Kruse Johnsen*
> Adm.Dir.
>
> *Linet <http://www.linet.dk>*
> Ørholmgade 6 st tv <http://maps.google.com/maps?q=%D8rholmgade+6+st+tv%2CCopenhagen+N+2200%2CDenmark&hl=en>
> Copenhagen N 2200 Denmark   *Work:* +45 21287793
> *Mobile:* +45 21287793
> *Email:* mikkel@linet.dk
> *IM:* mikkel@linet.dk (MSN)
>  *Professional Profile <http://www.linkedin.com/pub/3/333/803>*
> *Healthcare <http://www.xmedicus.dk>*
>
> Network Consultant
>
> Sat, 07 03 2009 at 09:47 +0100, Henrik Hodne wrote:
>
> Hello,
>
> I am in the process of creating a web panel to change LDAP attributes. The
> web panel is currently using mod_auth_kerb to authenticate, which is working
> beautifully. What we need is to authenticate to the LDAP server with that
> ticket. Is that even possible?
>
> -Henrik
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
-Henrik
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
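The two steps Mikkel describes (pick up the credential cache that mod_auth_kerb saves when KrbSaveCredentials is on, then bind to LDAP with SASL/GSSAPI) are combined below into one PHP function. This is an added example, not code from the thread, and it assumes the module exports the cache name as a `FILE:` path in `$_SERVER['KRB5CCNAME']`, that slapd's `sasl-regexp` maps the Kerberos principal to a People entry, and a placeholder LDAP URI; the `@` suppression from the quoted snippet is replaced with explicit `ldap_error()` logging so that the "KRB5CCNAME doesn't exist" and bind-failure cases Henrik mentions can be told apart in the web server log.

```php
<?php
// Added example: bind to LDAP with the delegated Kerberos ticket that
// mod_auth_kerb stores for the request (KrbSaveCredentials on).
// Assumptions: $_SERVER['KRB5CCNAME'] holds "FILE:/path/to/cache";
// the LDAP URI passed in is a placeholder for your directory server.

function ldap_bind_with_delegated_ticket(string $ldapUri)
{
    // mod_auth_kerb only sets KRB5CCNAME when the browser actually
    // delegated a forwardable ticket; without it there is nothing to bind with.
    if (empty($_SERVER['KRB5CCNAME'])) {
        error_log('KRB5CCNAME not set: no delegated credentials for this request');
        return false;
    }
    $ccache = $_SERVER['KRB5CCNAME'];

    // Sanity check (assumption): the cache is a readable FILE: path, so a
    // missing or already-cleaned-up cache is reported here rather than as an
    // opaque GSSAPI error from the bind.
    if (strpos($ccache, 'FILE:') !== 0 || !is_readable(substr($ccache, 5))) {
        error_log("Credential cache is not a readable FILE: cache: $ccache");
        return false;
    }

    // libkrb5 inside the LDAP client library reads KRB5CCNAME from the
    // process environment, not from $_SERVER, hence the putenv().
    putenv('KRB5CCNAME=' . $ccache);

    $ds = ldap_connect($ldapUri);
    if ($ds === false) {
        error_log("ldap_connect rejected URI: $ldapUri");
        return false;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    // GSSAPI bind with no DN/password; slapd's sasl-secprop minssf=112 from
    // the thread makes the server insist on a SASL security layer, which the
    // GSSAPI mechanism negotiates on its own.
    if (!ldap_sasl_bind($ds, null, null, 'GSSAPI')) {
        error_log('GSSAPI bind failed: ' . ldap_error($ds) . ' (errno ' . ldap_errno($ds) . ')');
        ldap_unbind($ds);
        return false;
    }

    // Log which DN the sasl-regexp mapped the principal to (PHP >= 7.2),
    // useful when the bind succeeds but the panel's later modifies are denied.
    $who = ldap_exop_whoami($ds);
    error_log('Bound to LDAP as ' . ($who === false ? '(whoami unsupported)' : $who));
    return $ds;
}

// Usage (placeholder URI): abort the request when no delegated ticket is available.
$ds = ldap_bind_with_delegated_ticket('ldap://ldap.example.com');
if ($ds === false) {
    http_response_code(403);
    exit;
}
// ... ldap_modify() calls for the web panel go here, then:
ldap_unbind($ds);
```

Note that delegation only happens when the user's TGT is forwardable and the browser has been configured to delegate to this server (for example Firefox's `network.negotiate-auth.delegation-uris`); since a delegated ticket lets the web server act as the user anywhere, keep that list limited to the panel's own hostname.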

