> Hello,
>
> I have a few more questions.
>
> On Sat, Mar 7, 2009 at 10:45 AM, Mikkel Kruse Johnsen <mik...@linet.dk> wrote:
> >
> > Hi Henrik
> >
> > Yes, that is possible.
> >
> > You need to set your LDAP to authenticate using SASL like this:
> >
> > # SASL
> > sasl-host kerberos.cbs.dk
> > sasl-realm CBS.DK
> > sasl-secprop noplain,noanonymous,minssf=112
> > sasl-regexp uid=(.*),cn=CBS.DK,cn=GSSAPI,cn=auth
> >     uid=$1,ou=People,dc=cbs,dc=dk
>
> Where does the SASL stuff go?
This goes in "/etc/openldap/slapd.conf", assuming you are using OpenLDAP.

> > Now put this in the HTTP config (note the KrbSaveCredentials):
> >
> > AuthType Kerberos
> > AuthName "Open Directory Login"
> > KrbAuthRealms CBS.DK
> > Krb5Keytab /etc/httpd/conf/httpd.keytab
> > KrbSaveCredentials on
> > KrbMethodNegotiate on
> > KrbMethodK5Passwd on
> > require valid-user
>
> This works, but I haven't got any browsers to forward tickets (that's
> probably client-side though).

To get the browsers to forward tickets you need to:

Firefox: Type "about:config" in the Location bar. Type "nego" in the filter,
double-click "network.negotiate-auth.delegation-uris" and
"network.negotiate-auth.trusted-uris" and type in your domain name (in my
example I have "cbs.dk" in both).

IE: You need to change a regedit setting like this:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\CBS.DK]
"KdcNames"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,2e,00,63,00,\
  62,00,73,00,2e,00,64,00,6b,00,00,00,00,00
"RealmFlags"=dword:00000006

(KdcNames is your list of Kerberos servers; see
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/95141.mspx?mfr=true)

RealmFlags tells that it is OK to delegate for the domain "cbs.dk" (of course,
change to your own domain).

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\cbs.dk]
"*"=dword:00000001

This sets "cbs.dk" in the trusted zone.

I also had a problem getting this to work, and it turned out to be a problem
with "mod_auth_kerb": I had to recompile it using its internal GSSAPI support
and not MIT Kerberos under RHEL5. I don't know your setup; if it is not
delegating, then recompile with internal GSSAPI support, or use these:

http://yum.cbs.dk/rhel-5Server-x86_64/RPMS/mod_auth_kerb-5.3-6.x86_64.rpm
http://yum.cbs.dk/rhel-5Server-i386/RPMS/mod_auth_kerb-5.3-6.i386.rpm

I'm off for a week, so I hope you can get it to work.
> > Now do this in PHP:
> >
> > // mod_auth_kerb exports the path of the delegated credential cache in
> > // KRB5CCNAME when KrbSaveCredentials is on; without it there is no ticket to use.
> > if (!isset($_SERVER["KRB5CCNAME"])) {
> >     return false;
> > }
> > // libkrb5 (and therefore the GSSAPI SASL mechanism) reads the cache from the environment.
> > putenv("KRB5CCNAME=" . $_SERVER['KRB5CCNAME']);
>
> I often get an error message telling me $_SERVER['KRB5CCNAME'] doesn't
> exist (mostly after the first time I view something; it disappears when
> changing the file).

Not sure what you mean.

> > $ds = @ldap_connect($this->LdapHost);
> > @ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
> >
> > // SASL bind with the GSSAPI mechanism; dn and password are not used.
> > if (($linkId = @ldap_sasl_bind($ds, NULL, NULL, "GSSAPI")) == false) {
> >     return false;
> > }
> >
> > Med Venlig Hilsen / Kind Regards
> >
> > Mikkel Kruse Johnsen
> > Adm.Dir.
> > Linet
> > Ørholmgade 6 st tv
> > Copenhagen N
> > 2200 Denmark
> >
> > Work: +45 21287793
> > Mobile: +45 21287793
> > Email: mik...@linet.dk
> > IM: mik...@linet.dk (MSN)
> >
> > Sat, 07 03 2009 at 09:47 +0100, Henrik Hodne wrote:
> > > Hello,
> > >
> > > I am in the process of creating a web panel to change LDAP attributes. The
> > > web panel is currently using mod_auth_kerb to authenticate, which is working
> > > beautifully. What we need is to authenticate to the LDAP server with that
> > > ticket. Is that even possible?
> > >
> > > -Henrik
> > > ________________________________________________
> > > Kerberos mailing list Kerberos@mit.edu
> > > https://mailman.mit.edu/mailman/listinfo/kerberos
>
> -Henrik
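The PHP fragments quoted in the thread, carried through as one complete worked example. This is added here and is not code from the thread or from mod_auth_kerb: the LDAP host name, the ou=People suffix (taken from the sasl-regexp above), the attribute being modified and the helper function names are assumptions for illustration. It adds the two checks a practitioner wants before trusting a delegated ticket: that the cache file named by KRB5CCNAME actually exists for this request, and that the identity slapd has mapped the ticket to (asked for with the RFC 4532 "Who am I?" extended operation) is the same user mod_auth_kerb put in REMOTE_USER.

```php
<?php
// Added example, not from the original thread. Bind to LDAP with the Kerberos
// ticket that mod_auth_kerb delegated for this request and verify that the
// identity LDAP sees is the one Apache authenticated.
// Assumptions (not in the original post): the host 'ldap.cbs.dk', the
// ou=People,dc=cbs,dc=dk suffix and the function names are illustrative.
declare(strict_types=1);

/**
 * Return the value of KRB5CCNAME if it names a readable cache for this
 * request, or null (no delegation, KrbSaveCredentials off, or stale path).
 */
function delegatedCcache(array $server): ?string
{
    if (!isset($server['KRB5CCNAME']) || $server['KRB5CCNAME'] === '') {
        return null;
    }
    $ccname = $server['KRB5CCNAME'];
    // mod_auth_kerb writes a file cache, e.g. "FILE:/tmp/krb5cc_apache_XXXXXX".
    $path = strncmp($ccname, 'FILE:', 5) === 0 ? substr($ccname, 5) : $ccname;
    if (!is_file($path) || !is_readable($path)) {
        return null;
    }
    return $ccname;
}

/**
 * GSSAPI-bind to $host with the delegated cache. Returns the connection or
 * null. The bound identity is compared with REMOTE_USER so a wrong or stale
 * cache cannot silently modify entries as somebody else.
 */
function bindWithDelegatedTicket(string $host, array $server)
{
    $ccname = delegatedCcache($server);
    if ($ccname === null) {
        return null;
    }
    putenv('KRB5CCNAME=' . $ccname);   // libkrb5 reads the cache from the environment

    $ds = ldap_connect('ldap://' . $host);
    if ($ds === false) {
        return null;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    // Mechanism GSSAPI; dn and password are unused. The SASL security layer
    // is negotiated by the library; slapd's sasl-secprop minssf decides what it accepts.
    if (!ldap_sasl_bind($ds, null, null, 'GSSAPI')) {
        error_log('GSSAPI bind failed: ' . ldap_error($ds));
        return null;
    }

    // With the sasl-regexp from the thread, slapd answers
    // "dn:uid=<user>,ou=People,dc=cbs,dc=dk"; an unmapped principal would come back as "u:<principal>".
    $whoami = ldap_exop_whoami($ds);
    $expectedUid = explode('@', $server['REMOTE_USER'] ?? '', 2)[0];
    if ($whoami === false || $expectedUid === ''
        || stripos($whoami, 'uid=' . $expectedUid . ',') === false) {
        error_log("LDAP bound as '" . ($whoami ?: '?') . "' but REMOTE_USER is '$expectedUid'");
        ldap_unbind($ds);
        return null;
    }
    return $ds;
}

/**
 * Change one attribute on the caller's own entry. slapd's ACLs, not this
 * code, decide whether the bound identity is allowed to write it.
 */
function updateOwnAttribute(string $host, array $server, string $attr, string $value): bool
{
    $ds = bindWithDelegatedTicket($host, $server);
    if ($ds === null) {
        return false;
    }
    $uid = explode('@', $server['REMOTE_USER'], 2)[0];
    $dn  = 'uid=' . ldap_escape($uid, '', LDAP_ESCAPE_DN) . ',ou=People,dc=cbs,dc=dk';
    $ok  = ldap_modify($ds, $dn, [$attr => $value]);
    ldap_unbind($ds);
    return $ok;
}

// Usage inside the web panel, after mod_auth_kerb has authenticated the request
// (host and attribute are assumed values):
if (!updateOwnAttribute('ldap.cbs.dk', $_SERVER, 'mail', 'henrik@cbs.dk')) {
    http_response_code(403);
}
```

Two points about the cache this relies on: mod_auth_kerb creates the file for the request that carried the delegated ticket and removes it when that request finishes, so the path must be read from $_SERVER on every request and never stored in the session or reused later; and whoever can read that file can act as the user until the TGT expires, so it deserves the same care as the user's own credential cache.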