[30967] in Kerberos


Re: Linux/Apache - combine mod_auth_kerb and ldap - to be or not to

daemon@ATHENA.MIT.EDU (Javier Palacios)
Tue Apr 7 15:31:35 2009

In-Reply-To: <1239119426.5453.8.camel@mentor.gurulabs.com>
Date: Tue, 7 Apr 2009 21:30:25 +0200
Message-ID: <a64bf030904071230n2cd73a9pb524cd56203c17c@mail.gmail.com>
From: Javier Palacios <javiplx@gmail.com>
To: Dax Kelson <dkelson@gurulabs.com>
Cc: kerberos@mit.edu, kerbie_newbie <zarafield@sky.com>

On Tue, Apr 7, 2009 at 5:50 PM, Dax Kelson <dkelson@gurulabs.com> wrote:
> On Mon, 2009-04-06 at 11:47 -0700, kerbie_newbie wrote:
>
>> As far as I can tell, when using mod_auth_kerb and selecting kerberos as the
>> authtype it is pretty much Kerberos or nothing ... is this correct? I can
>> see no way to intercept the failure.
>
> This is not correct. What you want are these two directives:
>
> KrbMethodNegotiate On
> KrbMethodK5Passwd On

If I remember right, there is a directive called something like authoritative.
I never used it, but it is used to pass authentication to other
modules (again, if I remember well).
That is exactly what you need, so instead of enabling password
authentication, you need to stack the ldap authentication also, and
let it proceed if negotiate fails.

Anyway, take into account that both fallbacks require a secure server,
which is not the case for credential-based authentication.

Javier Palacios
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
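
The caveat in the message above, that the password and LDAP fallbacks need a secure server, can be checked mechanically. The following is an added example, not part of the original thread: it flags Apache scopes that enable either fallback without mod_ssl's `SSLEngine on`. The sample config is constructed, the helper names are hypothetical, and "secure server" is assumed to mean a TLS virtual host.

```python
# SAMPLE is a constructed config; audit() and is_password_fallback() are hypothetical names.
SAMPLE = """
<VirtualHost *:80>
    <Location /app>
        AuthType Kerberos
        KrbMethodNegotiate On
        KrbMethodK5Passwd On
    </Location>
</VirtualHost>
<VirtualHost *:443>
    SSLEngine on
    <Location /app>
        AuthType Kerberos
        KrbMethodK5Passwd On
    </Location>
</VirtualHost>
<VirtualHost *:8080>
    <Location /legacy>
        AuthType Basic
        AuthBasicProvider ldap
    </Location>
</VirtualHost>
"""

def is_password_fallback(name, args):
    # Both directives make the client send a reusable password as HTTP Basic.
    if name == "krbmethodk5passwd":
        return args[:1] == ["on"]
    return name == "authbasicprovider" and "ldap" in args

def audit(conf_text):
    """Return {scope: [directives]} for scopes taking passwords without SSLEngine on."""
    main = {"name": "main server", "tls": False, "hits": []}
    scope, scopes = main, [main]
    for line in map(str.strip, conf_text.splitlines()):
        low = line.lower()
        if low.startswith("<virtualhost"):
            scope = {"name": line[1:-1].split(None, 1)[-1], "tls": False, "hits": []}
            scopes.append(scope)
        elif low.startswith("</virtualhost"):
            scope = main
        elif line and line[0] not in "<#":
            name, *args = low.split()
            if name == "sslengine" and args[:1] == ["on"]:
                scope["tls"] = True
            elif is_password_fallback(name, args):
                scope["hits"].append(line.split()[0])
    return {s["name"]: s["hits"] for s in scopes if s["hits"] and not s["tls"]}
```

The check reads only directives written explicitly in the text it is given; it does not follow `Include` files or account for module defaults.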
