Re: Apache: How to combine kerberos with ldap?

On Jul 30, 2007, at 10:31 AM, Michael B Allen wrote:

> On Mon, 30 Jul 2007 16:52:47 +0300
> "Hai Zaar" <haizaar@gmail.com> wrote:
>
>> On 7/30/07, John Nietzsche <john.nietzsche@gmail.com> wrote:
>>> I am interested about this matter too.
>>> Would you mind sending me the answers you get?
>> +1
>> Thanks in advance.
>>>
>>> Thanks a lot for your time and cooperation.
>>>
>>> Best regards.
>>>
>>> On 7/30/07, Florian Erfurth <floh-erfurth@arcor.de> wrote:
>>>> Hi, I want to configure apache webserver so it tries to authenticate with
>>>> kerberos (AuthType Kerberos) first. If it fails, then it should do an
>>>> LDAP authentication (AuthType Basic).
>>>> How can I do that? Is there any documentation about that?
>>>> I'm using apache 2.0.59.
>
> Well this question doesn't really have much to do with Kerberos but if
> you really want to know I can tell you what we do in our product.
>
> When the HTTP SSO code is invoked it sends the WWW-Authenticate: Negotiate
> response but with a body tag that has an onLoad() handler that redirects
> the user to a login page. If the browser can do Kerberos it will and
> the onLoad() handler is never executed. If it can't do Kerberos it runs
> onLoad and the user is directed to a login page.
>
> Unfortunately I think you would have to modify mod_auth_kerb to send an
> onLoad handler to get such a thing to work (although I don't really know
> much about mod_auth_kerb, I could very well be wrong about this).
>
> Mike

http://modauthkerb.sourceforge.net/
http://www.grolmsnet.de/kerbtut/

mod_auth_kerb will fall back to basic auth if HTTP-Negotiate fails.
Is there something you're asking for that it doesn't do?

AFAIK all current, major browsers will do the client side. Only
question is if Kerberos and the browser's configuration have been set
up for it.
------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
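
A mod_auth_kerb configuration for the Negotiate-then-Basic fallback described in the reply above, as an added example that is not part of the original message. The location, realm, AuthName text and keytab path are placeholders; note that the Basic fallback checks the password against the Kerberos KDC, not an LDAP directory.

```apache
# Placeholder values (assumptions): /protected, EXAMPLE.COM,
# /etc/apache2/http.keytab and the AuthName text.
<Location /protected>
    # The Basic fallback sends the user's password to the web server,
    # so only allow this location over TLS (mod_ssl directive).
    SSLRequireSSL

    AuthType Kerberos
    AuthName "Kerberos Login"

    # Offer "WWW-Authenticate: Negotiate"; a browser configured for
    # Kerberos answers with a service ticket and no password is sent.
    KrbMethodNegotiate on

    # Also offer Basic. When the browser cannot do Negotiate, the user
    # is prompted and mod_auth_kerb verifies the password with the KDC.
    KrbMethodK5Passwd on

    KrbAuthRealms EXAMPLE.COM

    # Keytab holding the HTTP/<server-fqdn> service key; it should be
    # readable only by the account the web server runs as.
    Krb5Keytab /etc/apache2/http.keytab

    # Check the KDC's answer against the keytab during password
    # verification, so a spoofed KDC cannot vouch for a password.
    KrbVerifyKDC on

    Require valid-user
</Location>
```

Setting `KrbMethodK5Passwd off` removes the Basic challenge, so clients that cannot do Negotiate are refused instead of being asked for a password.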