
Re: Apache: How to combine kerberos with ldap?

On Aug 2, 2007, at 1:56 AM, Florian Erfurth wrote:

> Hi Henry!
> Henry B. Hotz wrote:
>> On 7/30/07, Florian Erfurth <floh-erfurth@arcor.de> wrote:
>>> Hi, I want to configure apache webserver so it tries to authenticate
>>> with kerberos (AuthType Kerberos) first. If it fails, then it should do an
>>> LDAP authentication (AuthType Basic).
>>> How can I do that? Is there any documentation about that?
>>> I'm using apache 2.0.59.
>> My apologies, I didn't read the original post carefully enough.
> No problem. ;)
>> I don't know if it actually works, but mod_authnz_ldap in Apache 2.2
>> has the intent of supporting ldap authorization independent of the
>> authentication step.
>> http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html
> Hm... we aren't ready to upgrade apache from 2.0.59 to 2.2.xx. Sorry.
>> I know for certain that mod_webauthldap from Stanford is designed to
>> work with mod_auth_kerb and do ldap authorization.
>> http://webauth.stanford.edu/manual/mod/mod_webauthldap.html
> I didn't know about webauthldap, so I'll read the docs about that.
> I hope it's a solution for my request.
> Thank you!
> Floh

You don't need to buy into the whole system to use that one module.   
You do however have to download a lot of other stuff in the tarball  
that includes it.  In other words, it's interesting and you might  
want to use the rest of the system, but don't sweat it.

My biggest issue with mod_webauthldap is that it doesn't support  
arbitrary filters.  It shouldn't be hard to add though and I'm sure  
Russ would accept patches for the purpose.

The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu