[30825] in Kerberos
Re: Authenticating to LDAP using a HTTP ticket
daemon@ATHENA.MIT.EDU (Mikkel Kruse Johnsen)
Sun Mar 8 06:07:14 2009
From: Mikkel Kruse Johnsen <mikkel@linet.dk>
To: Henrik Hodne <henrik.hodne@gmail.com>
In-Reply-To: <fc641c1a0903070403u71159e1flc0efc659bebee5e3@mail.gmail.com>
Date: Sun, 08 Mar 2009 11:06:14 +0100
Message-Id: <1236506774.3955.19.camel@localhost.localdomain>
Mime-Version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
> Hello,
>
> I have a few more questions
>
>
> On Sat, Mar 7, 2009 at 10:45 AM, Mikkel Kruse Johnsen <mikkel@linet.dk> wrote:
>
> Hi Henrik
>
> Yes, that is possible.
>
> You need to set your LDAP to authenticate using SASL like this:
>
> # SASL
> sasl-host kerberos.cbs.dk
> sasl-realm CBS.DK
> sasl-secprop noplain,noanonymous,minssf=112
> sasl-regexp uid=(.*),cn=CBS.DK,cn=GSSAPI,cn=auth
>     uid=$1,ou=People,dc=cbs,dc=dk
>
> Where does the SASL stuff go?
This goes in "/etc/openldap/slapd.conf" assuming you are using OpenLDAP.
>
>
> Now put this in the HTTP config (Note the KrbSaveCredentials)
>
>
> AuthType Kerberos
> AuthName "Open Directory Login"
> KrbAuthRealms CBS.DK
> Krb5Keytab /etc/httpd/conf/httpd.keytab
> KrbSaveCredentials on
> KrbMethodNegotiate on
> KrbMethodK5Passwd on
> require valid-user
>
>
> This works, but I haven't got any browsers to forward tickets (that's
> probably client-side though)
>
To get the browsers to forward tickets you need to:
Firefox: Type "about:config" in the Location bar. Type "nego" in the filter and double-click "network.negotiate-auth.delegation-uris" and "network.negotiate-auth.trusted-uris" and type in your domain name (in my example I have "cbs.dk" in both).
IE: You need to change a regedit setting like this:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\CBS.DK]
"KdcNames"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,2e,00,63,00,\
  62,00,73,00,2e,00,64,00,6b,00,00,00,00,00
"RealmFlags"=dword:00000006
(KdcNames is your list of kerberos servers)
(http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/95141.mspx?mfr=true)
RealmFlags tells that it is OK to delegate for the domain "cbs.dk" (of course change to your own domain).
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\cbs.dk]
"*"=dword:00000001
This sets "cbs.dk" in trusted zone.
I also had a problem getting this to work and it turned out to be a problem with "mod_auth_kerb". I had to recompile it using its internal GSSAPI support and not MIT Kerberos under RHEL5. I don't know your setup; if it is not delegating, then recompile with internal GSSAPI support.
Or use these:
http://yum.cbs.dk/rhel-5Server-x86_64/RPMS/mod_auth_kerb-5.3-6.x86_64.rpm
http://yum.cbs.dk/rhel-5Server-i386/RPMS/mod_auth_kerb-5.3-6.i386.rpm
I'm off for a week, so hope you can get it to work.
>
> Now do this in PHP
>
> if (!isset($_SERVER["KRB5CCNAME"])) {
>     return false;
> }
> putenv("KRB5CCNAME=" . $_SERVER['KRB5CCNAME']);
>
>
> I often get an error message telling me $_SERVER['KRB5CCNAME'] doesn't
> exist (mostly after the first time I view something, disappears when
> changing the file).
>
Not sure what you mean.
>
> $ds = @ldap_connect($this->LdapHost);
> @ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
>
> if (($linkId = @ldap_sasl_bind($ds, NULL, NULL, "GSSAPI")) == false) {
>     return false;
> }
>
>
> Med Venlig Hilsen / Kind Regards
>
> Mikkel Kruse Johnsen
> Adm.Dir.
> Linet
> Ørholmgade 6 st tv
> Copenhagen N
> 2200 Denmark
> Work: +45 21287793
> Mobile: +45 21287793
> Email: mikkel@linet.dk
> IM: mikkel@linet.dk (MSN)
>
> On Sat, 07 03 2009 at 09:47 +0100, Henrik Hodne wrote:
> > Hello,
> >
> > I am in the process of creating a web panel to change LDAP attributes. The
> > web panel is currently using mod_auth_kerb to authenticate, which is working
> > beautifully. What we need is to authenticate to the LDAP server with that
> > ticket. Is that even possible?
> >
> > -Henrik
> > ________________________________________________
> > Kerberos mailing list Kerberos@mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
>
> -Henrik
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
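A fuller version of the PHP step discussed in the thread, added here as an example; it is not code from Mikkel or Henrik. It assumes the Apache and slapd settings quoted above (KrbSaveCredentials on, the sasl-regexp mapping uid=<principal>,cn=CBS.DK,cn=GSSAPI,cn=auth onto ou=People), PHP's ldap extension, and PHP 7.2 or later for ldap_exop_whoami(). The ldap://ldap.example.com URI is a placeholder. Beyond the original fragment it fails closed with a reason when no ticket was delegated (the KRB5CCNAME case Henrik describes), checks that the credential cache is actually readable by the web server user, and verifies after the bind that slapd mapped the ticket to the same user mod_auth_kerb put in REMOTE_USER, which is the check that catches a wrong sasl-regexp.

```php
<?php
// Added example (not from the original thread): bind to OpenLDAP as the
// browser user with the ticket that mod_auth_kerb delegated to this request.
declare(strict_types=1);

/**
 * Open an LDAP connection and bind it with the delegated Kerberos ticket.
 * Returns the connection on success; on failure returns null and puts a
 * short diagnostic in $reason so the panel can say why delegation failed.
 */
function ldap_bind_delegated(string $uri, ?string &$reason = null)
{
    // mod_auth_kerb sets KRB5CCNAME only when the browser actually delegated
    // a ticket. Its absence means Negotiate authenticated the user but no
    // credentials were forwarded (TGT not forwardable, delegation-uris not
    // set in the browser, or KrbSaveCredentials off).
    $cc = $_SERVER['KRB5CCNAME'] ?? '';
    if ($cc === '') {
        $reason = 'no delegated ticket in this request';
        return null;
    }

    // The value looks like FILE:/tmp/krb5cc_apache_XXXXXX; the file must be
    // readable by the user PHP runs as (apache/www-data), not only by root.
    $path = strncmp($cc, 'FILE:', 5) === 0 ? substr($cc, 5) : $cc;
    if (!is_readable($path)) {
        $reason = "credential cache $cc is not readable by " . get_current_user();
        return null;
    }

    // libkrb5, used by the LDAP client library, reads KRB5CCNAME from the
    // process environment, so it must be exported in this process before
    // the bind.
    putenv('KRB5CCNAME=' . $cc);

    $ds = ldap_connect($uri);
    if ($ds === false) {
        $reason = 'ldap_connect failed for ' . $uri;
        return null;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    // No DN and no password: GSSAPI takes the identity from the ticket and
    // slapd's sasl-regexp maps it onto the real entry. With minssf=112 in
    // slapd.conf the SASL layer must also negotiate integrity and privacy,
    // otherwise the bind is refused.
    if (!@ldap_sasl_bind($ds, null, null, 'GSSAPI')) {
        $reason = 'GSSAPI bind failed: ' . ldap_error($ds);
        ldap_unbind($ds);
        return null;
    }
    return $ds;
}

/**
 * Confirm that slapd mapped the ticket to the expected entry.
 * $remoteUser is mod_auth_kerb's REMOTE_USER, e.g. "henrik@CBS.DK".
 */
function delegated_identity_matches($ds, string $remoteUser): bool
{
    $who = ldap_exop_whoami($ds);   // e.g. "dn:uid=henrik,ou=People,dc=cbs,dc=dk"
    if (!is_string($who) || strncmp($who, 'dn:', 3) !== 0) {
        return false;               // anonymous bind or regexp did not match
    }
    $uid = explode('@', $remoteUser, 2)[0];
    return preg_match('/^dn:uid=' . preg_quote($uid, '/') . ',/i', $who) === 1;
}

// Usage inside the panel's request handler (URI is a placeholder):
$ds = ldap_bind_delegated('ldap://ldap.example.com', $why);
if ($ds === null) {
    http_response_code(403);
    exit('Cannot act on your behalf: ' . htmlspecialchars((string) $why));
}
if (!delegated_identity_matches($ds, $_SERVER['REMOTE_USER'] ?? '')) {
    http_response_code(500);
    exit('sasl-regexp did not map the ticket to the expected user');
}
// From here ldap_modify() runs as the browser user, so slapd's ACLs, not
// the web panel, decide which attributes may be changed.
```

If the whoami check fails while the bind succeeded, compare the DN it returns with the sasl-regexp in slapd.conf: a bind that comes back as "dn:uid=henrik,cn=cbs.dk,cn=gssapi,cn=auth" means the regexp never matched and the user has only the rights slapd grants to unmapped SASL identities.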