[30959] in Kerberos
Linux/Apache - combine mod_auth_kerb and ldap - to be or not to be???
daemon@ATHENA.MIT.EDU (kerbie_newbie)
Tue Apr 7 08:24:25 2009
Message-ID: <22914739.post@talk.nabble.com>
Date: Mon, 6 Apr 2009 11:47:59 -0700 (PDT)
From: kerbie_newbie <zarafield@sky.com>
To: kerberos@mit.edu
MIME-Version: 1.0
X-Nabble-From: zarafield@sky.com
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Hi,

I'm pretty new to this so please excuse any confusion that creeps in ...

I'm hosting a Perl-based web service on a Linux/Apache box that is accessed
by Windows workstations. I have Kerberos 5 (MIT) wrapping a particular Perl
CGI script and all works fine for users who have an Active Directory
account.

I have recently come across a user who, for some reason, had an expired TGT
ticket on his PC. I'm not sure how this happens, as it looks to me like every
time you log on/log off or lock/unlock your Windows PC, your tickets are
managed for you so you always have a valid TGT. As he is on a business PC,
I'm not sure how this happens ... anyways.

What I have been told is that all other systems in the business (that are
all hosted on Windows-based servers) will automatically fail over to some
forms-based or LDAP authentication/ADAM if the initial Kerberos
authentication fails. I have been asked to do the same and provide a means
for non-AD users and expired AD/TGT holders to authenticate against ADAM.

As far as I can tell, when using mod_auth_kerb and selecting Kerberos as the
AuthType it is pretty much Kerberos or nothing ... is this correct? I can
see no way to intercept the failure.

I think what would be needed is to combine the modules so that Kerberos is
tried first and then maybe something like mod_auth_ldap. I have Googled this
to death and cannot see a standard way of doing it (and I'm not touching the
internal Kerberos module code as suggested on one site!!).

I have been told I *must* get this working.

What can I do, or is there a 'simple' explanation I can give as to why I
cannot do it?

Thanks in advance,
kerbie_newbie
--
View this message in context: http://www.nabble.com/Linux-Apache---combine-mod_auth_kerb-and-ldap---to-be-or-not-to-be----tp22914739p22914739.html
Sent from the Kerberos - General mailing list archive at Nabble.com.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
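The configuration below is an added example, not part of the original post or of any reply on the list, illustrating the two fallback paths the question is about. mod_auth_kerb's own `KrbMethodK5Passwd` directive offers an HTTP Basic challenge next to `Negotiate`, so a browser that cannot present a ticket (the expired-TGT case) prompts for a password, which mod_auth_kerb then verifies by obtaining a TGT from the KDC; this only ever covers accounts that exist in the Kerberos realm. Accounts that live only in ADAM cannot be reached that way, and a single `<Location>` carries exactly one `AuthType`, so they get a separate entry point protected by mod_authnz_ldap. The realm, hostnames, keytab path, script paths, bind DN and LDAP attribute are placeholders; the directive names themselves are the real mod_auth_kerb and mod_authnz_ldap (Apache 2.2) ones.

```apache
# Added example (not from the original post). Placeholders: EXAMPLE.COM,
# the keytab path, the script paths, adam.example.com and the bind DN.

# Path 1: Kerberos ticket first, password fallback verified against the KDC.
<Location /cgi-bin/protected.pl>
    AuthType Kerberos
    AuthName "Example Kerberos-protected service"
    KrbAuthRealms EXAMPLE.COM
    Krb5KeyTab /etc/httpd/conf/http.keytab
    # Ticket-based SSO for workstations that hold a valid TGT.
    KrbMethodNegotiate on
    # Fallback: also send a Basic challenge. The browser prompts for the AD
    # password and mod_auth_kerb checks it by requesting a TGT from the KDC.
    # The password crosses the wire, so serve this only over TLS.
    KrbMethodK5Passwd on
    # With a password fallback, verify the KDC's answer against our own
    # keytab so a spoofed KDC cannot "accept" arbitrary passwords.
    KrbVerifyKDC on
    # The CGI does not need a delegated credential cache here.
    KrbSaveCredentials off
    Require valid-user
</Location>

# Path 2: accounts that exist only in ADAM, authenticated by LDAP bind.
# mod_auth_kerb is not involved in this Location at all.
<Location /cgi-bin/protected-ldap.pl>
    AuthType Basic
    AuthName "Example ADAM-backed service"
    AuthBasicProvider ldap
    # Search base, login attribute and filter are placeholders for the
    # ADAM instance's layout; prefer ldaps:// or an LDAP-over-TLS setup.
    AuthLDAPURL "ldap://adam.example.com:389/OU=Users,DC=example,DC=com?userPrincipalName?sub?(objectClass=user)"
    AuthLDAPBindDN "CN=svc-httpd,OU=Service,DC=example,DC=com"
    AuthLDAPBindPassword "PLACEHOLDER-bind-password"
    Require valid-user
</Location>
```

In practice the application decides which entry point a client is sent to (for instance a redirect to the LDAP-protected path after a 401 on the Kerberos one), because Apache itself does not chain one `AuthType` into another. Both fallbacks replace a ticket with a reusable password, which is why they belong behind TLS and why the Kerberos one keeps `KrbVerifyKDC` on.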