Henrik Hodne wrote:
> On Sat, Mar 7, 2009 at 10:45 AM, Mikkel Kruse Johnsen <mik...@linet.dk> wrote:
>
>> Yes, that is possible.
>>
>> You need to set your LDAP to authenticate using SASL like this:
>>
>> # SASL
>> sasl-host kerberos.cbs.dk
>> sasl-realm CBS.DK
>> sasl-secprop noplain,noanonymous,minssf=112
>> sasl-regexp uid=(.*),cn=CBS.DK,cn=GSSAPI,cn=auth
>>     uid=$1,ou=People,dc=cbs,dc=dk
>
> Where does the SASL stuff go?

slapd.conf of OpenLDAP. If you have another LDAP server the config is
different. You don't have to do anything for MS AD.

>> Now put this in the HTTP config (Note the *KrbSaveCredentials*)
>>
>> AuthType Kerberos
>> AuthName "Open Directory Login"
>> KrbAuthRealms CBS.DK
>> Krb5Keytab /etc/httpd/conf/httpd.keytab
>> *KrbSaveCredentials on*
>> KrbMethodNegotiate on
>> KrbMethodK5Passwd on
>> require valid-user
>
> This works, but I haven't got any browsers to forward tickets (that's
> probably client-side though)

You didn't say anything about your KDC. Is it MS AD?

Ciao, Michael.

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos