[33196] in Kerberos

Re: Kerberos cross-realm with AD

daemon@ATHENA.MIT.EDU (Brian Candler)
Tue Feb 8 06:17:34 2011

Date: Tue, 8 Feb 2011 11:17:17 +0000
From: Brian Candler <B.Candler@pobox.com>
To: Jean-Yves Avenard <jyavenard@gmail.com>
Message-ID: <20110208111717.GA4827@talktalkplc.com>
In-Reply-To: <AANLkTim4Huuy6izh6MU4xkyx24PGRaL3z1qRpoEOEug_@mail.gmail.com>
Cc: kerberos@mit.edu, "Douglas E. Engert" <deengert@anl.gov>

On Tue, Feb 08, 2011 at 10:04:14PM +1100, Jean-Yves Avenard wrote:
> On 8 February 2011 21:02, Brian Candler <B.Candler@pobox.com> wrote:
> > You have a solution for mapping kerberos identity to system username via
> > ldap? If so I'd be very interested to see it.
> 
> Yes, for apache..

Oh I see. Yes, mod_authnz_ldap (apache 2.2) should do the trick; the only
problem I found with it was that I couldn't use kerberos to
authenticate/encrypt the webserver-to-LDAP communication.  I never got round
to patching that.

> I then patched mod_auth_kerberos so it could be used for both kerberos
> authentication and if not working default to basic authtype

apache 2.2 has that already:

    KrbMethodK5Passwd On

will fall back to basic auth, and then check the username/password against
the KDC.

Were your mods for Apache <=2.0 ?

Regards,

Brian.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
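
The setup discussed in this message, as an added example that is not part of the original post: mod_auth_kerb handles authentication with the `KrbMethodK5Passwd` fallback, and mod_authnz_ldap handles authorization on Apache 2.2. The realm, host names, keytab path, URL path and group DN are placeholders, and `KrbLocalUserMapping` is assumed to be available in the installed mod_auth_kerb version.

```apache
# Added example (Apache 2.2). All names below are placeholders.
<Location /protected>
    # The Basic fallback sends the Kerberos password in the request,
    # so refuse any non-TLS access to this location.
    SSLRequireSSL

    AuthType Kerberos
    AuthName "Kerberos Login"

    # Try SPNEGO/Negotiate first.
    KrbMethodNegotiate On
    # Fall back to Basic auth and verify the password against the KDC.
    # Set to Off if only ticket-based login should be accepted.
    KrbMethodK5Passwd On

    KrbAuthRealms EXAMPLE.COM
    KrbServiceName HTTP
    Krb5KeyTab /etc/apache2/http.keytab

    # Strip "@EXAMPLE.COM" so REMOTE_USER matches the LDAP uid attribute.
    KrbLocalUserMapping On

    # Authorization lookup in LDAP. The web server to LDAP connection is
    # not Kerberos-authenticated here, so use ldaps:// to protect it.
    AuthLDAPURL "ldaps://ldap.example.com/ou=people,dc=example,dc=com?uid"
    Require ldap-group cn=webusers,ou=groups,dc=example,dc=com
</Location>
```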
