[30836] in Kerberos
Re: Authenticating to LDAP using a HTTP ticket
daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Mon Mar 9 10:45:39 2009
Message-ID: <49B52B4B.6090801@anl.gov>
Date: Mon, 09 Mar 2009 09:44:27 -0500
From: "Douglas E. Engert" <deengert@anl.gov>
MIME-Version: 1.0
To: Henrik Hodne <henrik.hodne@gmail.com>
In-Reply-To: <1236506774.3955.19.camel@localhost.localdomain>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
Mikkel Kruse Johnsen wrote:
>> Hello,
>>
>> I have a few more questions
>>
[...]
>
> To get the browsers to forward tickets you need to:
>
> Firefox: Type "about:config" in the Location bar. Type "nego" in the
> filter and double click "network.negotiate-auth.delegation-uris" and
> "network.negotiate-auth.trusted-uris" and type in your domain name (in
> my example I have "cbs.dk" in both)
>
> IE: You need to change a regedit setting like this:
>
> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos
> \Domains\CBS.DK]
> "KdcNames"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,2e,00,63,00,\
> 62,00,73,00,2e,00,64,00,6b,00,00,00,00,00
> "RealmFlags"=dword:00000006
>
> (KdcNames is your list of kerberos servers)
The above can also be done using the Microsoft ksetup:
> C:\>ksetup /ListRealmFlags
>
> Ksetup knows the following realm flags:
> 0x00 None No Realm Flags
> 0x01 SendAddress Include IP numbers within tickets.
> Useful for solving SOME compatibility issues.
> 0x02 TcpSupported Indicates that this realm supports TCP.
> (as opposed to just UDP)
> 0x04 Delegate Everyone in this realm is trusted for delegation
> 0x08 NcSupported This realm supports Name Canonicalization
But this then says IE and any SSPI applications that use Kerberos can trust and also delegate. This might not be what you want.
Microsoft checks the OK-AS-DELEGATE Kerberos ticket flag, that its KDC will set for trusted servers. This is an advisory to the client to only delegate to servers trusted for delegation by the domain admins.
Other versions of Kerberos are starting to add this feature to the KDC and to the clients. So this whole area is in transition.
>
> (http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/95141.mspx?mfr=true)
>
> RealmFlags tells that it is OK to delegate for the domain "cbs.dk" (of
> course change to your own domain)
>
>
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
> Settings\ZoneMap\Domains\cbs.dk]
> "*"=dword:00000001
>
> This sets "cbs.dk" in trusted zone.
>
>
>
> I also had a problem getting this to work and it turned out to be a
> problem with "mod_auth_kerb". I had to recompile it, using its internal
> GSSAPI support and not MIT Kerberos under RHEL5.
> Don't know your setup. If it is not delegating then recompile with
> internal GSSAPI support.
>
> Or use these:
>
> http://yum.cbs.dk/rhel-5Server-x86_64/RPMS/mod_auth_kerb-5.3-6.x86_64.rpm
> http://yum.cbs.dk/rhel-5Server-i386/RPMS/mod_auth_kerb-5.3-6.i386.rpm
>
>
> I'm off for a week, so hope you can get it to work.
>
>
>>
>> Now do this in PHP
>>
>> if (!isset($_SERVER["KRB5CCNAME"])) {
>>     return false;
>> }
>> putenv("KRB5CCNAME=" . $_SERVER['KRB5CCNAME']);
>>
>>
>> I often get an error message telling me $_SERVER['KRB5CCNAME'] doesn't
>> exist (mostly after the first time I view something, disappears when
>> changing the file).
>>
>>
>
> Not sure what you mean.
>
>
>>
>> $ds = @ldap_connect($this->LdapHost);
>> @ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
>>
>> if (($linkId = @ldap_sasl_bind($ds, NULL, NULL, "GSSAPI")) ==
>>     false) {
>>     return false;
>> }
>>
>>
>>
>> Med Venlig Hilsen / Kind Regards
>>
>>
>> Mikkel Kruse Johnsen
>> Adm.Dir.
>>
>> Linet
>> Ørholmgade 6 st tv
>> Copenhagen N
>> 2200 Denmark
>>
>> Work: +45 21287793
>> Mobile: +45 21287793
>> Email: mikkel@linet.dk
>> IM: mikkel@linet.dk (MSN)
>> Professional Profile
>> Healthcare Network Consultant
>>
>>
>> Sat, 07 03 2009 at 09:47 +0100, Henrik Hodne wrote:
>>
>> > Hello,
>> >
>> > I am in the process of creating a web panel to change LDAP attributes. The
>> > web panel is currently using mod_auth_kerb to authenticate, which is working
>> > beautifully. What we need is to authenticate to the LDAP server with that
>> > ticket. Is that even possible?
>> >
>> > -Henrik
>>
>> -Henrik
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
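As an added example (not code from this thread, nor from mod_auth_kerb), a hardened version of the PHP bind Henrik posted: it fails with a clear reason when mod_auth_kerb has not exported a delegated credential cache in KRB5CCNAME (the symptom Henrik describes), and reports the SASL bind error instead of suppressing it with `@`. It assumes Apache with mod_auth_kerb and `KrbSaveCredentials On`; the LDAP host name is a placeholder.

```php
<?php
// Added example, not the list posters' code. Assumes mod_auth_kerb with
// "KrbSaveCredentials On", which exports the forwarded credential cache
// in KRB5CCNAME when (and only when) the browser actually delegated a TGT.

function delegatedLdapBind(string $ldapHost)
{
    // If KRB5CCNAME is missing, delegation did not happen: the browser did
    // not trust the site for delegation (trusted/delegation-uris, RealmFlags),
    // the service ticket lacked OK-AS-DELEGATE, or mod_auth_kerb was built
    // without working GSSAPI delegation. Say so instead of failing later.
    $ccname = $_SERVER['KRB5CCNAME'] ?? getenv('KRB5CCNAME');
    if ($ccname === false || $ccname === '') {
        throw new RuntimeException(
            'No delegated Kerberos credentials: KRB5CCNAME not set by mod_auth_kerb');
    }

    // The value is normally "FILE:/tmp/krb5cc_apache_..."; verify the cache
    // file is readable by the web server user before GSSAPI tries to use it.
    $path = preg_replace('/^FILE:/', '', $ccname);
    if (!is_readable($path)) {
        throw new RuntimeException("Delegated credential cache not readable: $path");
    }
    putenv("KRB5CCNAME=$ccname");

    $ds = ldap_connect($ldapHost);
    if ($ds === false) {
        throw new RuntimeException("ldap_connect failed for $ldapHost");
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    // Do not chase referrals: they would be followed with the user's
    // delegated ticket to whatever server the directory names.
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    // GSSAPI SASL bind: the user's forwarded TGT obtains the LDAP service
    // ticket, so the directory's ACLs apply to the user, not to the web server.
    if (!ldap_sasl_bind($ds, null, null, 'GSSAPI')) {
        throw new RuntimeException('GSSAPI bind failed: ' . ldap_error($ds));
    }
    return $ds;
}

// Usage (placeholder host):
// $ds = delegatedLdapBind('ldap://ldap.example.com');
```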