Re: Kerberos 5 and Mysql

2013-01-28 Thread Rohit Mehta
If I had to do this, I would use MariaDB (based on the same source code 
as MySQL):

https://dev.mysql.com/doc/refman/5.5/en/pam-authentication-plugin.html
https://kb.askmonty.org/en/pam-authentication-plugin/

Rohit
On 01/28/2013 11:53 PM, Benjamin Kaduk wrote:
> On Sun, 27 Jan 2013, Fabian von Romberg wrote:
>
>> Hi All,
>>
>> is it possible to integrate Kerberos 5 with Mysql as backend?
> Many things are possible, with varying amounts of effort.  I don't know of
> anyone who has done so, and it would probably require substantial
> engineering time to do so.  There might be a situation in which it makes
> sense to expend that effort, but it seems more likely that a preexisting
> backend such as LDAP is a more appropriate use of resources.
>
> -Ben Kaduk


-- 
Rohit Mehta
Computer Engineer
University of Connecticut
Engineering Computing Services
371 Fairfield Road Unit 2031
Storrs, CT 06269-2031


Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


Re: Kerberos 5 and Mysql

2013-01-28 Thread Benjamin Kaduk
On Sun, 27 Jan 2013, Fabian von Romberg wrote:

> Hi All,
>
> is it possible to integrate Kerberos 5 with Mysql as backend?

Many things are possible, with varying amounts of effort.  I don't know of 
anyone who has done so, and it would probably require substantial 
engineering time to do so.  There might be a situation in which it makes 
sense to expend that effort, but it seems more likely that a preexisting 
backend such as LDAP is a more appropriate use of resources.

-Ben Kaduk



Re: Hi

2013-01-28 Thread Deepak Bhatia
Thanks a lot Ken, I will get back to you soon after analyzing your detailed
mail below.

On Mon, Jan 28, 2013 at 10:02 PM, Ken Dreyer  wrote:

> On Wed, Jan 16, 2013 at 6:05 AM, Deepak Bhatia 
> wrote:
> > Hi Ken,
> >
> > Thanks for your mail.
> >
> > Yes, we are using Apache as the web server.
> >
> > Also we are using ldap_bind to authenticate a user from active directory.
> >
> > Do you think if we replace ldap_bind by mod_authnz_ldap and then use
> > modauthkerb, it will solve our problem ?
> >
> > Regards
> >
> > Deepak Bhatia
>
>
> Hi Deepak,
>
> In order to use single-sign-on in a web application like this, you
> should extend the web application to have a special "HTTP login" URL.
> For example, let's say that currently your web application has a
> username/password web form, and that form posts to something like
> auth.php. Your auth.php file gets the username and password from
> $_POST, and then submits those via the PHP ldap_bind() function.
>
> To add Kerberos support, you'd want to create a parallel
> "authentication" URL, say, "auth-http.php". In terms of a GUI, for
> your login form page, you can have users click a link that says "sign
> in with Kerberos".
>
> You'll use mod_auth_kerb to protect that URL. You don't have to
> protect the entire web app, just that single /auth-http.php page. This
> will allow you to still support LDAP authentication, or even no
> authentication for some parts.
>
> This auth-http.php page should check if $_SERVER['REMOTE_USER'] is set. If it is set,
> then you know that Apache successfully authenticated the user, and you
> can pass them through to your application, setting the appropriate
> session cookies, etc. Depending on your use case, you may want to then
> look this user up in LDAP to get more attributes, like a UID, email,
> or full name.
>
> If the $_SERVER['REMOTE_USER'] variable is not set, then either the
> user did not have proper Kerberos credentials, or the user's browser
> is misconfigured. You can even show a custom 401 HTTP error to the
> user, indicating that he or she should check their Kerberos ticket and
> browser settings.
>
> I'm simplifying a lot, but hopefully you get the idea. It would be a
> good idea to look at some existing open source web applications that
> already implement this in order to understand it. Fedora's Koji
> (Python) and Gitorious (Ruby) are the web apps I know that do this
> already. I think Cacti has support for general "HTTP" authentication
> as well, but I'm pretty sure that they assume you'll restrict the
> entire web app ("/cacti/") with Apache. When you restrict only a
> sub-URL (such as "/auth-http.php"), then you have the ability to
> support Kerberos without making it a requirement to use your web app
> at all.
>
> - Ken
>



Kerberos 5 and Mysql

2013-01-28 Thread Fabian von Romberg
Hi All,

is it possible to integrate Kerberos 5 with Mysql as backend?

Thanks and regards,




Re: Hi

2013-01-28 Thread Ken Dreyer
On Wed, Jan 16, 2013 at 6:05 AM, Deepak Bhatia  wrote:
> Hi Ken,
>
> Thanks for your mail.
>
> Yes, we are using Apache as the web server.
>
> Also we are using ldap_bind to authenticate a user from active directory.
>
> Do you think if we replace ldap_bind by mod_authnz_ldap and then use
> modauthkerb, it will solve our problem ?
>
> Regards
>
> Deepak Bhatia


Hi Deepak,

In order to use single-sign-on in a web application like this, you
should extend the web application to have a special "HTTP login" URL.
For example, let's say that currently your web application has a
username/password web form, and that form posts to something like
auth.php. Your auth.php file gets the username and password from
$_POST, and then submits those via the PHP ldap_bind() function.

To add Kerberos support, you'd want to create a parallel
"authentication" URL, say, "auth-http.php". In terms of a GUI, for
your login form page, you can have users click a link that says "sign
in with Kerberos".

You'll use mod_auth_kerb to protect that URL. You don't have to
protect the entire web app, just that single /auth-http.php page. This
will allow you to still support LDAP authentication, or even no
authentication for some parts.

This auth-http.php page should check if $_SERVER['REMOTE_USER'] is set. If it is set,
then you know that Apache successfully authenticated the user, and you
can pass them through to your application, setting the appropriate
session cookies, etc. Depending on your use case, you may want to then
look this user up in LDAP to get more attributes, like a UID, email,
or full name.

If the $_SERVER['REMOTE_USER'] variable is not set, then either the
user did not have proper Kerberos credentials, or the user's browser
is misconfigured. You can even show a custom 401 HTTP error to the
user, indicating that he or she should check their Kerberos ticket and
browser settings.

I'm simplifying a lot, but hopefully you get the idea. It would be a
good idea to look at some existing open source web applications that
already implement this in order to understand it. Fedora's Koji
(Python) and Gitorious (Ruby) are the web apps I know that do this
already. I think Cacti has support for general "HTTP" authentication
as well, but I'm pretty sure that they assume you'll restrict the
entire web app ("/cacti/") with Apache. When you restrict only a
sub-URL (such as "/auth-http.php"), then you have the ability to
support Kerberos without making it a requirement to use your web app
at all.

- Ken

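A minimal auth-http.php of the kind Ken describes above (and quoted in full in Deepak Bhatia's reply), as an added example for this archive page; it is not code from the thread, from mod_auth_kerb or from any of the applications Ken names. The Apache directives in the leading comment, the trusted realm EXAMPLE.COM, the keytab path, the assumption that mod_auth_kerb reports AUTH_TYPE as "Negotiate" for SPNEGO logins, and the redirect target /index.php are all assumptions chosen for the example:

```php
<?php
// auth-http.php -- added example, not from the original thread.
//
// Assumed Apache configuration for this one URL (illustrative names):
//
//   <Location /auth-http.php>
//       AuthType Kerberos
//       AuthName "Example Corp SSO"
//       KrbMethodNegotiate On
//       KrbMethodK5Passwd Off      # no password fallback on the SSO endpoint
//       KrbAuthRealms EXAMPLE.COM
//       Krb5Keytab /etc/httpd/http.keytab
//       KrbLocalUserMapping Off    # keep "user@REALM" so the realm can be checked
//       Require valid-user
//   </Location>

declare(strict_types=1);

// Assumption: the only realm whose principals may log in to this application.
const ALLOWED_REALMS = ['EXAMPLE.COM'];

/**
 * Split a principal of the form "user@REALM" into [user, realm].
 * Service and instance principals ("host/www@REALM", "user/admin@REALM")
 * and anything else unexpected are rejected with null.
 */
function parse_principal(string $principal): ?array
{
    if (!preg_match('/^([a-z0-9._-]+)@([a-z0-9.-]+)$/i', $principal, $m)) {
        return null;
    }
    return [$m[1], strtoupper($m[2])];
}

/**
 * Return the local username if Apache authenticated this request with
 * Kerberos, or null otherwise.
 */
function kerberos_login(): ?string
{
    // REMOTE_USER and AUTH_TYPE are set by Apache itself after mod_auth_kerb
    // accepted the ticket. Headers sent by the client land in $_SERVER['HTTP_*'],
    // so a client cannot forge these two values.
    $remote   = $_SERVER['REMOTE_USER'] ?? '';
    $authType = $_SERVER['AUTH_TYPE'] ?? '';   // assumption: "Negotiate" for SPNEGO

    if ($remote === '' || strcasecmp($authType, 'Negotiate') !== 0) {
        return null;
    }

    $parsed = parse_principal($remote);
    // Realm check: do not let a principal from a cross-realm trust partner
    // log in as the same-named local account.
    if ($parsed === null || !in_array($parsed[1], ALLOWED_REALMS, true)) {
        return null;
    }
    return $parsed[0];
}

$user = kerberos_login();
if ($user === null) {
    http_response_code(401);
    header('Content-Type: text/plain');
    echo "Kerberos sign-in failed. Run 'klist' to check that you hold a valid ticket,\n",
         "and make sure your browser trusts this site for Negotiate authentication.\n";
    exit;
}

// Hand the user to the application: a fresh session id guards against session
// fixation; the session fields are whatever auth.php sets after a successful
// ldap_bind(), so the rest of the app does not care which path was used.
session_start();
session_regenerate_id(true);
$_SESSION['user']        = $user;
$_SESSION['auth_method'] = 'kerberos';
header('Location: /index.php', true, 303);
exit;
```

With `Require valid-user` in place, Apache answers 401 itself when Negotiate fails and PHP never runs, so the null branch above is a defensive check; it still earns its place because it catches the page being served from a vhost or path where the `<Location>` block was not applied, which would otherwise log the user in with whatever REMOTE_USER happened to contain.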


Keep in touch with me via LinkedIn.

2013-01-28 Thread Bruno Steven
LinkedIn

I would like to add you to my professional network on LinkedIn.
-Bruno

Bruno Steven
--
Brazil

Confirm that you know Bruno Steven:
https://www.linkedin.com/e/-l3q3t1-hchthqr6-1/isd/10749360497/ith1X43j/?hs=false&tok=2LIlQ_DZrJJlA1

--
You are receiving connection invitations by e-mail. Click here to stop 
receiving them:
http://www.linkedin.com/e/-l3q3t1-hchthqr6-1/Ax7DYp7ra2P_fCZ_GW2D0Z8pt_J/goo/kerberos%40mit%2Eedu/20061/I3568260283_1/?hs=false&tok=0yfV6PdkjJJlA1

(c) 2012 LinkedIn Corporation. 2029 Stierlin Ct, Mountain View, CA 94043 - USA.

