
Re: Kerberos cross-realm with AD

daemon@ATHENA.MIT.EDU (Jean-Yves Avenard)
Tue Feb 8 07:35:13 2011

MIME-Version: 1.0
In-Reply-To: <20110208111717.GA4827@talktalkplc.com>
Date: Tue, 8 Feb 2011 23:34:55 +1100
Message-ID: <AANLkTim1rM8e+jS77CTt7XGdKDHSWbjstVVux2P=JNXU@mail.gmail.com>
From: Jean-Yves Avenard <jyavenard@gmail.com>
To: Brian Candler <B.Candler@pobox.com>
Cc: kerberos@mit.edu, "Douglas E. Engert" <deengert@anl.gov>
Content-Type: text/plain; charset="iso-8859-1"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

Hi

On 8 February 2011 22:17, Brian Candler <B.Candler@pobox.com> wrote:

>    KrbMethodK5Passwd On
>
> will fallback to basic auth, and then check the username/password against
> the KDC.

Not quite.

It does fall back to basic; but not to the basic provided by
mod_authz_ldap or any other authz_xxx for that matter.
KrbMethodK5Passwd handles it all, and as you configured Apache with
AuthType Kerberos, none of the remaining mod_auth_xx modules work because
those expect Apache to be in mode AuthType Basic. In the flow of
Apache modules, when mod_auth_kerb isn't authoritative it will only
call other authentication modules compatible with the AuthType of the
module on top of the stack: here mod_auth_kerb.

So Apache does something like:
mod_auth_kerb -> basic; got authentication going. Then it tries to
check what other authorisation/authentication modules are available
with AuthType Kerberos, as Apache cannot mix authentication types (I
read that the next version of Apache would have a workaround for
this, but it's been years since they talked about it).

Make sense?

What I wanted here is:

use Kerberos for authentication; if authentication works -> authz_ldap
if Kerberos failed: continue to auth_ldap -> authz_ldap

This provides far greater flexibility and lets me handle both full
Kerberos authentication, or, for users with no Kerberos at all, a
fallback to plain LDAP authentication with the flexibility that
comes with it.

My mods are for Apache 2.2; mod_auth_ldap was completely rewritten,
unfortunately, in 2.2 and it is very different from earlier versions of
Apache, which had two distinct LDAP modules: one for authentication,
one for authorisation.

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
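The Apache 2.2 layering the message describes, written out as an added illustration (not configuration from the post or its author): mod_auth_kerb on top with its own Basic fallback, and an LDAP provider stacked beneath it that is never consulted because AuthType is Kerberos rather than Basic. The realm, keytab path, LDAP URL and group DN are placeholders.

```apache
# Added example: the stacking discussed in the message. Realm, keytab,
# LDAP URL and group are placeholders, not values from the post.
<Location /secure>
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbAuthRealms EXAMPLE.ORG
    Krb5Keytab /etc/apache2/http.keytab
    KrbMethodNegotiate On

    # Falls back to a Basic username/password prompt, but mod_auth_kerb
    # itself checks the password against the KDC; no other module sees it.
    KrbMethodK5Passwd On

    # Declining instead of failing lets Apache try further authn modules,
    # but only ones compatible with the AuthType set here (Kerberos).
    KrbAuthoritative Off

    # The ldap provider is driven by mod_auth_basic, which only engages
    # when AuthType is Basic, so this fallback is never reached under 2.2.
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://ldap.example.org/ou=people,dc=example,dc=org?uid"

    Require ldap-group cn=webusers,ou=groups,dc=example,dc=org
</Location>
```

As the message notes, achieving "Kerberos first, plain LDAP if that fails" under 2.2 requires modifying the modules rather than stacking directives like this.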

