Thanks a lot Ken, I will get back to you soon after analyzing your detailed mail below.
On Mon, Jan 28, 2013 at 10:02 PM, Ken Dreyer <ktdre...@ktdreyer.com> wrote:
> On Wed, Jan 16, 2013 at 6:05 AM, Deepak Bhatia <toreachdeep...@gmail.com> wrote:
> > Hi Ken,
> >
> > Thanks for your mail.
> >
> > Yes, we are using Apache as the web server.
> >
> > Also we are using ldap_bind to authenticate a user from Active Directory.
> >
> > Do you think if we replace ldap_bind by mod_authnz_ldap and then use modauthkerb, it will solve our problem?
> >
> > Regards
> >
> > Deepak Bhatia
>
> Hi Deepak,
>
> In order to use single-sign-on in a web application like this, you should extend the web application to have a special "HTTP login" URL. For example, let's say that currently your web application has a username/password web form, and that form posts to something like auth.php. Your auth.php file gets the username and password from $_POST, and then submits those via the PHP ldap_bind() function.
>
> To add Kerberos support, you'd want to create a parallel "authentication" URL, say, "auth-http.php". In terms of a GUI, for your login form page, you can have users click a link that says "sign in with Kerberos".
>
> You'll use mod_auth_kerb to protect that URL. You don't have to protect the entire web app, just that single /auth-http.php page. This will allow you to still support LDAP authentication, or even no authentication for some parts.
>
> This auth-http.php page should check if the is set. If it is set, then you know that Apache successfully authenticated the user, and you can pass them through to your application, setting the appropriate session cookies, etc. Depending on your use case, you may want to then look this user up in LDAP to get more attributes, like a UID, email, or full name.
>
> If the $_SERVER['REMOTE_USER'] variable is not set, then either the user did not have proper Kerberos credentials, or the user's browser is misconfigured. You can even show a custom 401 HTTP error to the user, indicating that he or she should check their Kerberos ticket and browser settings.
>
> I'm simplifying a lot, but hopefully you get the idea. It would be a good idea to look at some existing open source web applications that already implement this in order to understand it. Fedora's Koji (Python) and Gitorious (Ruby) are the web apps I know that do this already. I think Cacti has support for general "HTTP" authentication as well, but I'm pretty sure that they assume you'll restrict the entire web app ("/cacti/") with Apache. When you restrict only a sub-URL (such as "/auth-http.php"), then you have the ability to support Kerberos without making it a requirement to use your web app at all.
>
> - Ken
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
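As an added illustration of the approach Ken describes (not code from the thread or from any of the projects he names), here is an Apache block that protects only /auth-http.php with mod_auth_kerb, and a PHP handler that turns the Kerberos-authenticated REMOTE_USER into an application session or returns the custom 401. The realm name EXAMPLE.COM, the keytab path, the help page and the session field names are assumptions.

```php
<?php
/*
 * Apache side (assumed realm and keytab path; the directives are real mod_auth_kerb
 * ones), protecting only this URL so the rest of the app keeps its LDAP form login:
 *
 *   <Location /auth-http.php>
 *       AuthType Kerberos
 *       AuthName "Kerberos Login"
 *       KrbMethodNegotiate On
 *       KrbMethodK5Passwd Off        # no password prompt over HTTP
 *       KrbAuthRealms EXAMPLE.COM
 *       Krb5KeyTab /etc/httpd/conf/http.keytab
 *       KrbServiceName HTTP
 *       Require valid-user
 *       ErrorDocument 401 /kerb-help.html   # "check your ticket" page (assumed)
 *   </Location>
 */
// auth-http.php: REMOTE_USER is filled in by Apache's auth module, never from a
// client-supplied header (those arrive as HTTP_*), so it can be trusted here.
const EXPECTED_REALM = 'EXAMPLE.COM';   // assumption: the one realm we accept

// Accept only user@EXPECTED_REALM with a plain username; null otherwise.
function principal_to_username(?string $remoteUser): ?string
{
    if ($remoteUser === null || $remoteUser === '') { return null; } // nobody authenticated
    $at = strrpos($remoteUser, '@');
    if ($at === false) { return null; }
    $user  = substr($remoteUser, 0, $at);
    $realm = substr($remoteUser, $at + 1);
    if ($realm !== EXPECTED_REALM || !preg_match('/^[a-z0-9._-]+$/i', $user)) {
        return null;                  // foreign realm or unexpected characters
    }
    return strtolower($user);
}

$username = principal_to_username($_SERVER['REMOTE_USER'] ?? null);
if ($username === null) {
    http_response_code(401);
    header('Content-Type: text/plain');
    echo "Kerberos sign-in failed: check your ticket (klist) and browser settings.\n";
    exit;
}
// Same session setup the password form does after a successful ldap_bind();
// an LDAP lookup for UID, email or full name would go here if the app needs it.
session_start();
session_regenerate_id(true);          // fresh session id at login
$_SESSION['username'] = $username;
$_SESSION['auth']     = 'kerberos';
header('Location: /index.php');
exit;
```

With `Require valid-user` Apache only hands the request to PHP after a successful Negotiate exchange, so the null branch mostly catches a principal from a realm other than the one expected; the Apache-level failure is what `ErrorDocument 401` covers.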