Linux/Apache - combine mod_auth_kerb and ldap - to be or not to be???

Hi,

I'm pretty new to this so please excuse any confusion that creeps in ... I'm hosting a perl based web service on a Linux/Apache box that is accessed by Windows workstations. I have Kerberos 5 (MIT) wrapping a particular perl cgi script and all works fine for users who have an Active Directory account.

I have recently come across a user who, for some reason, had an expired TGT ticket on his PC. I'm not sure how this happens as it looks to me like every time you logon/logoff or lock/unlock your Windows PC, your tickets are managed for you so you always have a valid TGT. As he is on a business PC, I'm not sure how this happens ... anyways.

What I have been told is that all other systems in the business (that are all hosted on Windows based servers) will automatically fail over to some forms based or ldap authentication/ADAM if the initial Kerberos authentication fails. I have been asked to do the same and provide a means for non-AD and expired AD/TGT holder users to authenticate against ADAM.

As far as I can tell, when using mod_auth_kerb and selecting kerberos as the authtype it is pretty much Kerberos or nothing ... is this correct? I can see no way to intercept the failure. I think what would be needed is to combine the modules so that Kerberos is tried first and then maybe something like mod_auth_ldap. I have googled this to death and cannot see a standard way of doing it (and I'm not touching the internal Kerberos module code as suggested on one site!!).

I have been told I *must* get this working. What can I do, or is there a 'simple' explanation I can give as to why I cannot do it?

Thanks in advance,
kerbie_newbie
Re: Linux/Apache - combine mod_auth_kerb and ldap - to be or not to be???

On Mon, 2009-04-06 at 11:47 -0700, kerbie_newbie wrote:

> As far as I can tell, when using mod_auth_kerb and selecting kerberos as the
> authtype it is pretty much Kerberos or nothing ... is this correct? I can
> see no way to intercept the failure.

This is not correct. What you want are these two directives:

    KrbMethodNegotiate On
    KrbMethodK5Passwd On

The second directive gives you fallback to interactive password prompting if the user doesn't have a valid TGT.

Dax Kelson
Guru Labs

________________________________________________
Kerberos mailing list
Kerberos@...
https://mailman.mit.edu/mailman/listinfo/kerberos
Re: Linux/Apache - combine mod_auth_kerb and ldap - to be or not to be???

On Tue, Apr 7, 2009 at 5:50 PM, Dax Kelson <dkelson@...> wrote:

> On Mon, 2009-04-06 at 11:47 -0700, kerbie_newbie wrote:
>
>> As far as I can tell, when using mod_auth_kerb and selecting kerberos as the
>> authtype it is pretty much Kerberos or nothing ... is this correct? I can
>> see no way to intercept the failure.
>
> This not correct. What you want are these two directives:
>
> KrbMethodNegotiate On
> KrbMethodK5Passwd On

If I remember right, there is a directive called something like authoritative. I never used it but it is used to pass authentication to other modules (again, if I remember well). That is exactly what you need, so instead of enabling password authentication, you need to stack the ldap authentication also, and let it proceed if negotiate fails.

Anyway, take into account that both fallbacks require a secure server, which is not the case for credential based authentication.

Javier Palacios
Re: Linux/Apache - combine mod_auth_kerb and ldap - to be or not to be???

Thanks for the responses ... still a little confused though. In another thread I've read:

"Anyone has an apache running with mod_auth_kerb AND mod_auth_ldap ... At least in Apache 2.0, it is extremely difficult in Apache to get two authentication modules to co-exist; Apache by and large considers any particular portion of the URL space to be protected by only one authentication scheme (possibly combined with IP address restrictions). This is partly a limitation of Apache (particularly the configuration syntax) and partly related to difficulties in the HTTP protocol (you can't easily negotiate and attempt multiple authentication protocols in turn).

However, that being said, mod_auth_kerb does support:

    KrbDelegateBasic on | off (set to off by default)

If set to 'on' this option causes Basic authentication to always be offered regardless of the KrbMethodK[45]Pass directives. Then, if a Basic authentication header arrives, the authentication decision is passed along to other modules. This option is a work-around for the insufficient authentication scheme in Apache (Apache 2.1 seems to provide better support for multiple authentication mechanisms).

The trick is that for this to work properly, mod_auth_kerb needs to go first and then the other authentication module needs to follow afterwards in the processing stack. That's something that modules can control in their own C code to some extent, but I don't know how you'd control this from outside without making code modifications." ...

Also, my server is not secure so Basic Authentication (which by my reckoning does not authenticate against AD) is not an option.

Thanks again.
Re: Linux/Apache - combine mod_auth_kerb and ldap - to be or not to be???

Actually, since you say

> Anyway, take into account that both fallbacks require a secure server,
> which is not the case for credential based authentication.

you mean that I would need to have some local storage (on my Linux box) of all user ids or some sort of synchronization with Active Directory? (... or have I misunderstood?). There are more than 50,000 users ...

Thanks again
Re: Linux/Apache - combine mod_auth_kerb and ldap - to be or not to be???

kerbie_newbie <zarafield@...> wrote:

> At least in Apache 2.0, it is extremely difficult in Apache to get two
> authentication modules to co-exist; Apache by and large considers any
> particular portion of the URL space to be protected by only one
> authentication scheme (possibly combined with IP address
> restrictions). This is partly a limitation of Apache (particularly
> the configuration syntax) and partly related to difficulties in the
> HTTP protocol (you can't easily negotiate and attempt multiple
> authentication protocols in turn).

from: http://modauthkerb.sourceforge.net/configure.html

    KrbAuthoritative off

will allow you to pass authn/authz to another module. I've used a module that verifies against OpenAFS PTS groups and I assume LDAP works the same way.

<<CDC
Re: Linux/Apache - combine mod_auth_kerb and ldap - to be or not to be???

Will be setting up ldap authentication and trying the suggestions to mix the two ...

Looking back to the main reason for this query - Windows users with expired TGTs.

(Env: Apache2, MIT Kerberos 5, mod_auth_kerb, IE7, Active Directory KDC)

Current directives:

    AuthType Kerberos
    AuthName "... login"
    KrbMethodNegotiate on
    KrbAuthRealms x y z
    KrbMethodK5Passwd on
    require valid-user
    Krb5Keytab /etc/krb5.keytab
    KrbServiceName HTTP/webservice@x
    KrbSaveCredentials on

I am also connecting to AD on its Global port ...

I have users from several realms, e.g. me@x.x.x, you@y.y.y. I have a keytab 'x|webservice' which, it seems to me, relates to realm x. (?) For authentication across realms with valid TGTs, the keytab realm does not pose any issues as I have several realms included in my KrbAuthRealms directive.

However, if a user's ticket granting ticket has expired - can Kerberos not obtain a new ticket granting ticket? I thought this was happening when some users were prompted for their usr/pwd and that Kerberos was using its internal kinit to get a new TGT from Active Directory? If it can, is it restricted to the domain on the keytab or by some delegation setting in Active Directory? If it can't, why is it prompting for a usr/pwd instead of just showing the 404 error?

Another theory I had was related to DNS suffix search lists ... most, if not all, of the users that cannot authenticate when being prompted do not have their Active Directory domain at the top of the list. I read that this is how Kerberos creates tickets and was thinking that if they were trying to get a TGT with a realm that is not in the 'trusted realms', then this is why they could not authenticate. This was further spurred on by the error logs containing something along the lines of 'could not find requested realm'. I have since been 'advised' that the DNS should bear no relevance but this similarity keeps appearing.

Final concern (for this evening at least) is that these users are getting expired TGTs in the first place. For me, locking/unlocking (Ctrl-Alt-Delete) AND when it is automatically locked (company policy after 10 mins) through idle, I get a renewed ticket with a new expire time 7 days in the future. Could this whole problem be stemming from some issue on their PC or Active Directory account?

Thanks in advance for your thoughts!
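Javier's caution earlier in the thread (the password fallbacks need a secure server) applied to the directives posted above, as an added example that is not from the thread: a small audit script that scans an Apache config for KrbMethodK5Passwd or KrbDelegateBasic enabled in a VirtualHost without SSLEngine on, i.e. where a user's password would cross the wire in cleartext. The sample config and the path /cgi-bin/report.pl are constructed for the example.

```python
import re

# mod_auth_kerb directives that accept a password (Basic auth header) instead of a ticket
PASSWORD_FALLBACKS = {"krbmethodk5passwd", "krbdelegatebasic"}

def audit_kerb_config(conf_text):
    """Return [(vhost, directive)] for each enabled password fallback whose <VirtualHost>
    lacks 'SSLEngine on'. Directives outside any VirtualHost are scoped as "(global)"."""
    findings = []
    scope, ssl_on, fallbacks = "(global)", False, []
    def flush():  # record the current scope's fallbacks if they are not TLS-protected
        if not ssl_on:
            findings.extend((scope, d) for d in fallbacks)
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # Apache allows comments only on their own line
            continue
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened or line.lower().startswith("</virtualhost"):
            flush()
            scope = opened.group(1).strip() if opened else "(global)"
            ssl_on, fallbacks = False, []
            continue
        parts = line.split(None, 1)
        name, value = parts[0].lower(), (parts[1].strip().lower() if len(parts) > 1 else "")
        if name == "sslengine" and value == "on":
            ssl_on = True
        elif name in PASSWORD_FALLBACKS and value == "on":
            fallbacks.append(parts[0])
    flush()
    return findings
# Constructed sample modelled on the thread's directives; /cgi-bin/report.pl is hypothetical.
SAMPLE_CONF = """<VirtualHost *:80>
    <Location /cgi-bin/report.pl>
        AuthType Kerberos
        KrbMethodNegotiate on
        KrbMethodK5Passwd on
        KrbAuthRealms X Y Z
        KrbServiceName HTTP/webservice@X
        Require valid-user
    </Location>
</VirtualHost>
<VirtualHost *:443>
    SSLEngine on
    <Location /cgi-bin/report.pl>
        AuthType Kerberos
        KrbMethodK5Passwd on
        Require valid-user
    </Location>
</VirtualHost>"""
```

Only the port-80 vhost is reported; the same fallback behind SSLEngine on is left alone, and KrbMethodNegotiate on its own never triggers a finding because it only accepts tickets.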