[30828] in Kerberos
Re: Authenticating to LDAP using a HTTP ticket
daemon@ATHENA.MIT.EDU (Michael Ströder)
Sun Mar 8 16:35:30 2009
From: Michael Ströder <michael@stroeder.com>
Date: Sat, 07 Mar 2009 14:21:55 +0100
Message-ID: <j09a86-6o5.ln1@nb2.stroeder.com>
Mime-Version: 1.0
X-Complaints-To: usenet-abuse@t-online.de
In-Reply-To: <mailman.68.1236427433.14058.kerberos@mit.edu>
To: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Henrik Hodne wrote:
> On Sat, Mar 7, 2009 at 10:45 AM, Mikkel Kruse Johnsen <mikkel@linet.dk> wrote:
>
>> Yes, that is possible.
>>
>> You need to set your LDAP to authenticate using SASL like this:
>>
>> # SASL
>> sasl-host kerberos.cbs.dk
>> sasl-realm CBS.DK
>> sasl-secprop noplain,noanonymous,minssf=112
>> sasl-regexp uid=(.*),cn=CBS.DK,cn=GSSAPI,cn=auth uid=$1,ou=People,dc=cbs,dc=dk
>
> Where does the SASL stuff go?
slapd.conf of OpenLDAP. If you have another LDAP server the config is
different. You don't have to do anything for MS AD.
>> Now put this in the HTTP config (Note the *KrbSaveCredentials*)
>>
>> AuthType Kerberos
>> AuthName "Open Directory Login"
>> KrbAuthRealms CBS.DK
>> Krb5Keytab /etc/httpd/conf/httpd.keytab
>> KrbSaveCredentials on
>> KrbMethodNegotiate on
>> KrbMethodK5Passwd on
>> require valid-user
>
> This works, but I haven't got any browsers to forward tickets (that's
> probably client-side though)
You didn't say anything about your KDC. Is it MS AD?
Ciao, Michael.
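The missing piece between the two quoted configs is what the web application does with the ticket once mod_auth_kerb has saved it. Below is an added example (not code from anyone in this thread) that models the quoted sasl-regexp mapping and then binds to LDAP with the delegated ticket via python-ldap; it assumes mod_auth_kerb with KrbSaveCredentials on exports the cache path as KRB5CCNAME in the CGI/WSGI request environment, and the LDAP URI is a placeholder.

```python
"""Bind to slapd with the Kerberos ticket that mod_auth_kerb delegated to Apache."""
import os
import re

# The sasl-regexp quoted above (OpenLDAP slapd.conf) and the DN it rewrites to.
# Note that "(.*)" also accepts principals with instances such as henrik/admin;
# the OpenLDAP admin guide uses the tighter "([^,]*)" form for this group.
SASL_REGEXP = re.compile(r"^uid=(.*),cn=CBS.DK,cn=GSSAPI,cn=auth$")
DN_TEMPLATE = "uid=%s,ou=People,dc=cbs,dc=dk"


def authzid_to_dn(authzid):
    """Small model of what slapd's sasl-regexp does with a GSSAPI identity.

    A principal from any realm other than CBS.DK gets no DN (returns None),
    because the realm is a fixed part of the pattern, not a wildcard.
    """
    m = SASL_REGEXP.match(authzid)
    return DN_TEMPLATE % m.group(1) if m else None


def ccache_from_request(environ):
    """Return the credential cache mod_auth_kerb saved for this request, or None.

    KRB5CCNAME is only present when KrbSaveCredentials is on AND the browser
    actually forwarded a ticket; a plain Negotiate login yields no cache,
    which matches the "browsers don't forward tickets" symptom in the thread.
    """
    return environ.get("KRB5CCNAME") or None


def bind_with_delegated_ticket(environ, ldap_uri="ldap://ldap.example.invalid/"):
    """SASL/GSSAPI bind as the browser user, using the delegated cache (python-ldap)."""
    import ldap          # imported here so the pure helpers above run without python-ldap
    import ldap.sasl
    ccache = ccache_from_request(environ)
    if ccache is None:
        raise RuntimeError("no delegated ticket: KrbSaveCredentials off or no forwarding")
    # The GSSAPI library reads the cache from the process environment. In a
    # threaded server this is a per-process setting, so serialise it with a lock.
    os.environ["KRB5CCNAME"] = ccache
    conn = ldap.initialize(ldap_uri)
    conn.sasl_interactive_bind_s("", ldap.sasl.gssapi())
    # After sasl-regexp rewriting, whoami reports e.g. "dn:uid=henrik,ou=People,dc=cbs,dc=dk"
    return conn, conn.whoami_s()
```

Checking `whoami_s()` after the bind is the quickest way to confirm that the sasl-regexp mapped the GSSAPI identity to the intended entry rather than leaving it as an unmapped `u:` identity.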
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos