[27902] in Kerberos
Re: Kerberos for authentication, php for authorization
daemon@ATHENA.MIT.EDU (Michael B Allen)
Fri Jun 8 12:45:17 2007
Date: Fri, 8 Jun 2007 12:34:19 -0400
From: Michael B Allen <mba2000@ioplex.com>
To: kerberos@mit.edu
Message-Id: <20070608123419.c129fba1.mba2000@ioplex.com>
In-Reply-To: <E1A052C6-4FA1-45F3-B901-54FACE7409BB@sxw.org.uk>
On Fri, 8 Jun 2007 09:00:09 +0100
Simon Wilkinson <simon@sxw.org.uk> wrote:
> Ultimately, this means you may need to have a keytab containing
> multiple different principals for your service, and have
> mod_auth_kerb accept any one of these principals. Unfortunately, the
> code isn't there to do that in current mod_auth_kerb's.

This seems odd to me. The krb5 lib should automatically seek out the
right key by searching for the desired principal, enctype and kvno.

I have tested this. The setup script for our product will generate a
keytab with an entry for each SPN mapped to the Windows account. Then
you can use any one of those hostnames and it works equally well.

What is it that mod_auth_kerb is doing differently?

Mike

--
Michael B Allen
PHP Active Directory Kerberos SSO
http://www.ioplex.com/
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
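
The keytab lookup discussed in this message (choosing a key by principal, enctype and kvno from a keytab that holds one entry per SPN), as an added example that is not part of the original post and is not code from the krb5 library or mod_auth_kerb. It parses the MIT file keytab format (version 0x0502) and applies a simplified model of that matching; the realm, hostnames and key bytes are constructed sample values, and `build_entry`, `parse_keytab` and `lookup` are hypothetical helper names.

```python
import struct

def counted(b):  # 16-bit big-endian length, then the bytes
    return struct.pack(">H", len(b)) + b

def build_entry(spn, realm, kvno, enctype, key):  # writes one constructed entry
    comps = spn.encode().split(b"/")
    body = struct.pack(">H", len(comps)) + b"".join(counted(c) for c in [realm.encode(), *comps])
    body += struct.pack(">IIBH", 1, 0, kvno, enctype) + counted(key)  # name type, timestamp, kvno8, enctype
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    p, entries = 2, []
    def take(fmt):
        nonlocal p
        p += struct.calcsize(fmt)
        return struct.unpack_from(fmt, data, p - struct.calcsize(fmt))
    def take_bytes():
        nonlocal p
        (n,) = take(">H")
        p += n
        return data[p - n:p]
    while p + 4 <= len(data):
        (size,) = take(">i")
        if size <= 0:          # a negative size marks a deleted entry (hole) to skip
            p -= size
            continue
        end = p + size
        (ncomp,) = take(">H")
        realm, *comps = [take_bytes() for _ in range(ncomp + 1)]
        _type, _ts, kvno, enctype = take(">IIBH")
        key = take_bytes()
        if end - p >= 4:       # optional 32-bit kvno overrides the 8-bit one when non-zero
            kvno = take(">I")[0] or kvno
        entries.append({"principal": (b"/".join(comps) + b"@" + realm).decode(),
                        "kvno": kvno, "enctype": enctype, "key": key})
        p = end
    return entries

def lookup(entries, principal, enctype=0, kvno=0):  # 0 means "any"; highest kvno wins
    hits = [e for e in entries if e["principal"] == principal
            and enctype in (0, e["enctype"]) and kvno in (0, e["kvno"])]
    return max(hits, key=lambda e: e["kvno"], default=None)

KEYTAB = b"\x05\x02" + b"".join(  # constructed sample: two SPNs, enctypes 23 (rc4-hmac) and 18 (aes256)
    build_entry(spn, "EXAMPLE.COM", k, e, bytes([k, e]) * 8)
    for spn in ("HTTP/www.example.com", "HTTP/intranet.example.com")
    for k, e in ((2, 23), (3, 23), (3, 18)))
```

A lookup for a principal that has no entry in the keytab returns `None`, which is the case a service hits when a client requests a ticket for a hostname whose SPN was never exported.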