[31332] in Kerberos
RE: noob question on where to start with Kerberos
daemon@ATHENA.MIT.EDU (Edward Murrell)
Sat Aug 1 00:30:32 2009
From: Edward Murrell <edward@murrell.co.nz>
To: kerberos <kerberos@mit.edu>
In-Reply-To: <COL112-W8155F68512D5D5DF03514E7140@phx.gbl>
Date: Sat, 01 Aug 2009 16:29:29 +1200
Message-Id: <1249100969.6228.13.camel@fusion>
Hi Bryan,
The code is fairly tightly integrated with the Apache kerberos handler, so probably won't work for you. I intend to put it up on sourceforge at some point (lack of arounds to it, notwithstanding). At that point it should be available to all.
On Mon, 2009-07-27 at 16:08 -0700, Bryan Boone wrote:
> Hi Edward thanks for the reply. Unfortunately due to certain
> restrictions at this company I cannot use the apache mod. Also I
> meant the LDAP group, sorry about the wrong use of
> terminology. However the sample code you have would be very helpful
> for me to learn from if you don't mind.
>
> > Subject: Re: noob question on where to start with Kerberos
> > From: edward@murrell.co.nz
> > To: kerberos@mit.edu
> > Date: Tue, 28 Jul 2009 10:44:59 +1200
> >
> > For Apache:
> > http://modauthkerb.sourceforge.net/
> >
> > Should do everything you want already.
> >
> > Also, since group information is not stored on a Kerberos server, I
> > assume you're going to be looking up LDAP information. I have some code
> > that simplifies this somewhat, if you are using RFC 2307 (posix/NIS)
> > compliant LDAP schemas. Other people have already written (and to be
> > fair, support much better) php libraries for handling active directory
> > LDAP lookups.
> >
> > Cheers,
> > Edward Murrell
> >
> > On Mon, 2009-07-27 at 15:07 -0700, Bryan Boone wrote:
> > > Hi everyone I have a noob question for ya.
> > >
> > > I need to develop a website for a company that uses kerberos login, the web server resides on a different
> > > server than the kerberos server. Unfortunately I cannot use the built in PHP functions for kerberos, so
> > > I need to write my own C kerberos client as a PHP extension. Also to eliminate possible man-in-the-middle
> > > attacks, I need to have the keytab file manually uploaded to the web server.
> > >
> > > So this web page will simply authenticate the user's username and password and then pull that user's group name
> > > from the kerberos server (while having the keytab on the web server). There is no need to kerberize any
> > > application here. Also I will not be needing to cache tickets or pass any tickets here. I will use
> > > PHP sessions for the website. I just need the authentication side of kerberos once per user login on the website.
> > >
> > > I read the O'Reilly Kerberos book and still have some questions.
> > >
> > > My question is, what methods are best for accomplishing my task. Can this be accomplished with the
> > > pam_krb5 api, the SASL for GSSAPI, or do I need to stick with native GSSAPI? Which one would be
> > > easier for a noob?
> > >
> > > thanks
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos