Hi,

On Thu, 2010-10-21 at 08:51 +0200, Assarsson, Emil wrote:
> >> I use mod_authnz_ldap today with simple ldap bind.
> >> Our security team wants me to use Kerberos instead to make it more
> >> secure.
> >> This will allow them to specify from where the service account can login
> >> and will also protect the credentials from eavesdropping.
> >> Is it possible to make mod_authnz_ldap use a keytab instead?
> >> Or does anyone have a suggestion how to solve this in an even better way?
> >
> > mod_auth_kerb: http://modauthkerb.sourceforge.net/
> > Complex but does work, even with Active Directory.
>
> I am using mod_auth_kerb today to do the actual authentication. I only use
> mod_authnz_ldap to do the authorization based on AD security groups.
> What I need is better security for the ldap bind mod_authnz_ldap -> AD. Do
> you mean that I should be able to use the kinit done by mod_auth_kerb?

Ah sorry, I misunderstood your question. You mean you want to use Kerberos
credentials to communicate with the LDAP server (in this case, an AD server)?

I haven't tried that; instead I've used a low-privilege user over SSL (not TLS
here) communicating with the global catalogue server - that does work. I think
you would have to specify the user as a gssapi login (see openldap for syntax)
and specify an explicit credentials cache for apache using the KRB5CC
environment variable. But please bear in mind I've never tried this and I don't
know if it's even possible, let alone if it would work.

Hope this helps.

> Best regards,
> Emil Assarsson
>
> ______________________________________________________________________
> This email has been scanned by the MessageLabs Email Security System.
> For more information please visit http://www.messagelabs.com/email
> ______________________________________________________________________

--
Best Regards,

Brett Delle Grazie

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
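An added configuration example, not from either correspondent or from the modules' own documentation, showing the simple-bind setup Emil starts from beside the variant Brett describes (mod_auth_kerb with a keytab for user authentication, a low-privilege read-only account over LDAPS to the global catalog for mod_authnz_ldap group checks). Hostnames, realm, DNs and file paths are assumed placeholders; the directives are those of Apache 2.2-era mod_auth_kerb, mod_ldap and mod_authnz_ldap, and mod_ldap must be built with SSL support for ldaps:// URLs.

```apache
LoadModule auth_kerb_module   modules/mod_auth_kerb.so
LoadModule ldap_module        modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

# --- Weak (the starting point): simple bind over cleartext LDAP ---
# The service-account password crosses the wire unprotected on every bind
# and the account can authenticate from anywhere it can reach port 389.
# <Location /app>
#     AuthLDAPURL "ldap://dc.example.com:389/DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"
#     AuthLDAPBindDN       "CN=svc-httpd,OU=Service Accounts,DC=example,DC=com"
#     AuthLDAPBindPassword "plaintext-secret"
# </Location>

# --- Hardened: Kerberos for users, LDAPS to the global catalog for groups ---
# mod_ldap connection settings are server-wide, so they sit outside <Location>.
# Assumed path to the AD root CA certificate; pin it so a forged DC cannot
# harvest the bind credentials.
LDAPTrustedGlobalCert CA_BASE64 /etc/pki/tls/certs/ad-root-ca.pem
LDAPVerifyServerCert On

<Location /app>
    # Users present a Kerberos ticket (SPNEGO); the keytab replaces any
    # user password handling in Apache. Assumed realm, SPN and keytab path.
    AuthType Kerberos
    AuthName "Intranet"
    KrbAuthRealms EXAMPLE.COM
    KrbServiceName HTTP/www.example.com
    Krb5Keytab /etc/httpd/http.keytab
    KrbMethodNegotiate On
    # Never fall back to prompting for a password over HTTP Basic.
    KrbMethodK5Passwd Off

    # mod_auth_kerb sets REMOTE_USER to user@EXAMPLE.COM, so the authorization
    # lookup matches on userPrincipalName. Port 3269 is the global catalog
    # over SSL, which is what the reply above describes using.
    AuthLDAPURL "ldaps://gc.example.com:3269/DC=example,DC=com?userPrincipalName?sub?(objectClass=user)"
    # Low-privilege, read-only account; its password now travels only inside
    # the TLS session. Placeholder value: load it from a secret store.
    AuthLDAPBindDN       "CN=svc-httpd-ro,OU=Service Accounts,DC=example,DC=com"
    AuthLDAPBindPassword "bind-password-placeholder"

    # AD group objects list members as full DNs in the 'member' attribute.
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN On
    Require ldap-group CN=Web Users,OU=Groups,DC=example,DC=com
</Location>
```

With this layout the only long-lived secret left in httpd.conf is the read-only bind password, and it is only ever sent to a server whose certificate chains to the pinned CA; the user-facing authentication relies entirely on the keytab.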