[30829] in Kerberos
Re: Authenticating to LDAP using a HTTP ticket
daemon@ATHENA.MIT.EDU (Richard E. Silverman)
Sun Mar 8 16:35:43 2009
From: "Richard E. Silverman" <res@qoxp.net>
Date: Sun, 08 Mar 2009 13:32:40 -0400
Message-ID: <m2prgrx6mf.fsf@darwin.oankali.net>
MIME-Version: 1.0
To: kerberos@mit.edu
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
>>>>> "MKJ" == Mikkel Kruse Johnsen <mikkel@linet.dk> writes:
>> Hello,
>>
>> I have a few more questions
>>
>> On Sat, Mar 7, 2009 at 10:45 AM, Mikkel Kruse Johnsen <mikkel@linet.dk> wrote:
>>
>>     Hi Henrik
>>
>>     Yes, that is possible.
>>
>>     You need to set your LDAP to authenticate using SASL like this:
>>
>>     # SASL
>>     sasl-host kerberos.cbs.dk
>>     sasl-realm CBS.DK
>>     sasl-secprop noplain,noanonymous,minssf=112
>>     sasl-regexp uid=(.*),cn=CBS.DK,cn=GSSAPI,cn=auth uid=$1,ou=People,dc=cbs,dc=dk
>>
>> Where does the SASL stuff go?

MKJ> This goes in "/etc/openldap/slapd.conf" assuming you are using OpenLDAP.

>>     Now put this in the HTTP config (Note the KrbSaveCredentials)
>>
>>     AuthType Kerberos
>>     AuthName "Open Directory Login"
>>     KrbAuthRealms CBS.DK
>>     Krb5Keytab /etc/httpd/conf/httpd.keytab
>>     KrbSaveCredentials on
>>     KrbMethodNegotiate on
>>     KrbMethodK5Passwd on
>>     require valid-user
>>
>> This works, but I haven't got any browsers to forward tickets (that's probably client-side though)
MKJ> To get the browsers to forward tickets you need to:

MKJ> Firefox: Type "about:config" in the Location bar. Type "nego" in the filter and double click
MKJ> "network.negotiate-auth.delegation-uris" and "network.negotiate-auth.trusted-uris" and type in
MKJ> your domain name (in my example I have "cbs.dk" in both)

MKJ> IE: You need to change a regedit setting like this:
MKJ>
MKJ> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\CBS.DK]
MKJ> "KdcNames"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,2e,00,63,00,\
MKJ>   62,00,73,00,2e,00,64,00,6b,00,00,00,00,00
MKJ> "RealmFlags"=dword:00000006
MKJ>
MKJ> (KdcNames is your list of kerberos servers)
MKJ> (http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/95141.mspx?mfr=true)
MKJ>
MKJ> RealmFlags tells that it is OK to delegate for the domain "cbs.dk" (of course change to your own domain)
This means that Windows will perform delegation for *every* service in the realm. This may not be such a good idea. You only want to hand over your TGT to trusted services. For example, if you hand it to a web server that allows users to run personal CGI's, then you've just allowed everyone to impersonate you!

Much better to set the OK-AS-DELEGATE flag in the tickets for individual trusted services, and keep a close watch on their configuration.

Also, there's a performance hit. Normally the client would only have to contact the KDC occasionally. With delegation turned on, it will do a round trip to the KDC for a delegated TGT *on every authenticated page fetch*. Even worse, in my environment anyway, SSPI repeats its query twice every time, for some reason.
MKJ> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\cbs.dk]
MKJ> "*"=dword:00000001
MKJ>
MKJ> This sets "cbs.dk" in trusted zone.

MKJ> I also had a problem getting this to work and it turned out to be a problem with "mod_auth_kerb". I had
MKJ> to recompile it, using its internal GSSAPI support and not MIT Kerberos under RHEL5. Don't know your
MKJ> setup; if it is not delegating then recompile with internal GSSAPI support.
Same here; do use the internal SPNEGO code.
MKJ> Or use these:
MKJ>
MKJ> http://yum.cbs.dk/rhel-5Server-x86_64/RPMS/mod_auth_kerb-5.3-6.x86_64.rpm
MKJ> http://yum.cbs.dk/rhel-5Server-i386/RPMS/mod_auth_kerb-5.3-6.i386.rpm
MKJ>
MKJ> I'm off for a week, so hope you can get it to work.

>>     Now do this in PHP
>>
>>     if (!isset($_SERVER["KRB5CCNAME"])) {
>>         return false;
>>     }
>>     putenv("KRB5CCNAME=" . $_SERVER['KRB5CCNAME']);
>>
>> I often get an error message telling me $_SERVER['KRB5CCNAME'] doesn't exist (mostly after the first
>> time I view something, disappears when changing the file).
Not sure what you mean.
>>     $ds = @ldap_connect($this->LdapHost);
>>     @ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
>>
>>     if (($linkId = @ldap_sasl_bind($ds, NULL, NULL, "GSSAPI")) == false) {
>>         return false;
>>     }
>>
>>     Med Venlig Hilsen / Kind Regards
>>
>>     Mikkel Kruse Johnsen
>>     Adm.Dir.
>>     Linet
>>     Ørholmgade 6 st tv
>>     Copenhagen N 2200
>>     Denmark
>>     Work: +45 21287793 Mobile: +45 21287793 Email: mikkel@linet.dk IM: mikkel@linet.dk (MSN)
>>     Professional Profile Healthcare Network Consultant
>>
>>     Sat, 07 03 2009 at 09:47 +0100, Henrik Hodne wrote:
>>     > Hello,
>>     >
>>     > I am in the process of creating a web panel to change LDAP attributes. The web panel is currently
>>     > using mod_auth_kerb to authenticate, which is working beautifully. What we need is to authenticate
>>     > to the LDAP server with that ticket. Is that even possible?
>>     >
>>     > -Henrik
>>     > ________________________________________________
>>     > Kerberos mailing list Kerberos@mit.edu
>>     > https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>> -Henrik

-- 
Richard Silverman
res@qoxp.net

________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
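The OK-AS-DELEGATE flag Richard recommends over realm-wide RealmFlags delegation is visible on the client side: MIT `klist -f` prints it as the `O` flag on a service ticket. The following POSIX shell script is an added example (not code from the thread) that reads `klist -f` output and lists which service principals in the cache are marked delegatable, so an administrator can confirm that only the intended front end (the HTTP service here, not the TGT or the LDAP service) is trusted with a forwarded TGT. The embedded `klist -f` text is constructed sample output, and the principal names reuse the thread's cbs.dk realm as placeholders. On the KDC side, MIT kadmin sets the flag per principal with `modprinc +ok_as_delegate HTTP/www.cbs.dk@CBS.DK`; that command is mentioned here as the MIT mechanism, not something the thread shows.

```shell
#!/bin/sh
# Added example: report which service tickets in a credential cache carry
# OK-AS-DELEGATE ("O" in `klist -f` flags), i.e. which services the KDC has
# marked as trusted to receive a forwarded TGT.
# Live use:  klist -f | delegatable_services

delegatable_services() {
    # Reads MIT `klist -f` output on stdin; prints delegatable principals.
    awk '
        # Ticket line: "valid-from valid-to service-principal", two
        # date/time pairs followed by the principal in field 5.
        $1 ~ /^[0-9]+\/[0-9]+\/[0-9]+$/ && NF >= 5 { svc = $5; next }
        # The "Flags:" line belongs to the ticket just seen; "O" means
        # OK-AS-DELEGATE. Reset so a stray Flags line is never misattributed.
        $1 == "Flags:" {
            if (svc != "" && index($2, "O") > 0) print svc
            svc = ""
        }
    '
}

# Constructed sample of `klist -f` output (placeholder principals in the
# thread's CBS.DK realm; not real output from anyone on the list).
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@CBS.DK

Valid starting       Expires              Service principal
03/08/2009 13:00:00  03/08/2009 23:00:00  krbtgt/CBS.DK@CBS.DK
    Flags: FIA
03/08/2009 13:05:00  03/08/2009 23:00:00  HTTP/www.cbs.dk@CBS.DK
    Flags: FAO
03/08/2009 13:06:00  03/08/2009 23:00:00  ldap/ldap.cbs.dk@CBS.DK
    Flags: FA'

# Runs the check over the constructed sample; returns one principal per line.
sample_delegatable() {
    printf '%s\n' "$SAMPLE_KLIST" | delegatable_services
}

# Demo entry point: only the HTTP service ticket is reported, because it is
# the only one whose flags include "O".
if [ "${1:-}" = "--demo" ]; then
    sample_delegatable
fi
```

Run it as `sh check_delegate.sh --demo`, or pipe a real `klist -f` into `delegatable_services` after sourcing the file. An empty result for a service that the web application expects to forward credentials to points at the KDC-side attribute rather than at the browser settings discussed in the thread.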