[31326] in Kerberos


Re: noob question on where to start with Kerberos

daemon@ATHENA.MIT.EDU (Edward Murrell)
Mon Jul 27 18:45:27 2009

From: Edward Murrell <edward@murrell.co.nz>
To: kerberos@mit.edu
In-Reply-To: <COL112-W147CEE3E9AF9487739CEB7E7140@phx.gbl>
Date: Tue, 28 Jul 2009 10:44:59 +1200
Message-Id: <1248734700.27815.10.camel@entropy>
Mime-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

For Apache: http://modauthkerb.sourceforge.net/
Should do everything you want already.

Also, since group information is not stored on a Kerberos server, I assume you're going to be looking up LDAP information. I have some code that simplifies this somewhat, if you are using RFC 2307 (posix/NIS) compliant LDAP schemas. Other people have already written (and to be fair, support much better) php libraries for handling active directory LDAP lookups.

Cheers,
Edward Murrell

On Mon, 2009-07-27 at 15:07 -0700, Bryan Boone wrote:
> Hi everyone I have a noob question for ya.
>
> I need to develop a website for a company that uses kerberos login, the web server resides on a different
> server than the kerberos server.  Unfortunately I cannot use the built in PHP functions for kerberos, so
> I need to write my own C kerberos client as a PHP extension.  Also to eliminate possible man-in-the-middle
> attacks, I need to have the keytab file manually uploaded to the web server.
>
> So this web page will simply authenticate the user's username and password and then pull that user's group name
> from the kerberos server (while having the keytab on the web server).  There is no need to kerberize any
> application here.  Also I will not be needing to cache tickets or pass any tickets here.  I will use
> PHP sessions for the website.  I just need the authentication side of kerberos once per user login on the website.
>
> I read the O'Reilly Kerberos book and still have some questions.
>
> My question is, what methods are best for accomplishing my task.  Can this be accomplished with the
> pam_krb5 api, the SASL for GSSAPI, or do I need to stick with native GSSAPI?  Which one would be
> easier for a noob?
>
> thanks
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
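
The reply above notes that Kerberos only authenticates and that group membership has to come from LDAP, for instance with an RFC 2307 schema. The following is an added example, not code from either poster or from mod_auth_kerb: it maps an authenticated principal to a local uid, builds the RFC 2307 group search filter with RFC 4515 escaping, and evaluates the same lookup over constructed entries. The realm `EXAMPLE.COM`, the sample entries and all function names are assumptions.

```python
# Added example: resolve RFC 2307 groups for a Kerberos-authenticated user.
# Realm, directory entries and helper names are constructed for illustration.

REALM = "EXAMPLE.COM"  # assumed realm

# Constructed directory contents in RFC 2307 shape (posixAccount / posixGroup).
ENTRIES = [
    {"objectClass": "posixAccount", "uid": "alice", "gidNumber": "500"},
    {"objectClass": "posixGroup", "cn": "staff", "gidNumber": "500",
     "memberUid": []},
    {"objectClass": "posixGroup", "cn": "webadmin", "gidNumber": "600",
     "memberUid": ["alice", "bob"]},
    {"objectClass": "posixGroup", "cn": "finance", "gidNumber": "700",
     "memberUid": ["bob"]},
]

def principal_to_uid(principal, realm=REALM):
    """Map user@REALM to a local uid; refuse foreign realms and instances."""
    name, sep, prealm = principal.rpartition("@")
    if not sep or prealm != realm or not name or "/" in name:
        raise ValueError("principal not acceptable for local mapping")
    return name

def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29",
               "\0": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)

def group_filter(uid, gid_number):
    """Match the primary group (gidNumber) or any group listing memberUid."""
    return "(&(objectClass=posixGroup)(|(gidNumber=%s)(memberUid=%s)))" % (
        escape_filter_value(gid_number), escape_filter_value(uid))

def groups_for(principal, entries=ENTRIES):
    """Evaluate the same lookup against the in-memory sample entries."""
    uid = principal_to_uid(principal)
    account = next((e for e in entries if e["objectClass"] == "posixAccount"
                    and e["uid"] == uid), None)
    if account is None:
        return []
    return sorted(e["cn"] for e in entries
                  if e["objectClass"] == "posixGroup"
                  and (e["gidNumber"] == account["gidNumber"]
                       or uid in e["memberUid"]))
```

Against a real directory, the string from `group_filter` would be passed to the LDAP client's search call; the in-memory matching here only stands in for the server.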
