httpd-users mailing list archives

From Brett Delle Grazie <brett.dellegra...@intact-is.com>
Subject RE: [users@httpd] mod_authnz_ldap with kerberos?
Date Thu, 21 Oct 2010 09:31:45 GMT
Hi,

On Thu, 2010-10-21 at 08:51 +0200, Assarsson, Emil wrote:
> >> I use mod_authnz_ldap today with simple ldap bind.
> >> Our security team wants me to use to use Kerberos instead to make it more secure.
> >> This will allow them to specify from where the service account can login and will also protect the credentials from eavesdropping.
> >> Is it possible to make mod_authnz_ldap to use a keytab instead? 
> >> Or do anyone have a suggestion how to solve this in a even better way?
> > mod_auth_kerb: http://modauthkerb.sourceforge.net/
> > Complex but does work, even with Active Directory.
> 
> I am using mod_auth_kerb today to do the actual authentication. I only use mod_authnz_ldap to do the authorization based on AD security groups.
> What I need is better security for the ldap bind mod_authnz_ldap -> AD. Do you mean that I should be able to use the kinit done by mod_auth_kerb?
> 
Ah sorry, I misunderstood your question. You mean you want to use
Kerberos credentials to communicate with the LDAP server (in this case,
an AD server)?

I haven't tried that, instead I've used a low-privilege user over SSL
(not TLS here) communicating with the global catalogue server - that
does work.

I think you would have to specify the user as a gssapi login (see
openldap for syntax) and specify an explicit credentials cache for
apache using the KRB5CC environment variable. But please bear in mind
I've never tried this and I don't know if it's even possible, let alone if
it would work.

Hope this helps.

> 
> Best regards,
> Emil Assarsson 
> 
> 
> 
> 
> 
> ______________________________________________________________________
> This email has been scanned by the MessageLabs Email Security System.
> For more information please visit http://www.messagelabs.com/email 
> ______________________________________________________________________

-- 
Best Regards,

Brett Delle Grazie

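For readers who land on this thread looking for the set-up Brett says he has actually used (mod_auth_kerb for authentication, mod_authnz_ldap over SSL to the global catalogue with a low-privilege lookup account for group-based authorization), here is an added configuration example. It is not from the thread or from either module's documentation; hostnames, realm, DNs, file paths and the service-account name are placeholders, and the choice of userPrincipalName as the lookup attribute assumes mod_auth_kerb is leaving REMOTE_USER in user@REALM form.

```apache
# Added example (not from the thread): Kerberos/SPNEGO authentication by
# mod_auth_kerb, AD group authorization by mod_authnz_ldap over LDAPS.
# All names, realms, DNs and paths below are placeholders.

# --- mod_ldap (shared LDAP connection pool) ---
# Trust only the CA that issued the domain controllers' certificates and
# refuse any server whose certificate does not verify against it.
LDAPTrustedGlobalCert CA_BASE64 /etc/httpd/certs/ad-root-ca.pem
LDAPVerifyServerCert On

<Location /secure>
    # 1. Authentication: Kerberos via the HTTP/ service keytab.
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbAuthRealms EXAMPLE.COM
    Krb5KeyTab /etc/httpd/http.keytab
    KrbServiceName HTTP
    KrbMethodNegotiate On
    # No Basic-auth password fallback: it would put user passwords on the
    # wire and sidestep the controls Kerberos is being introduced for.
    KrbMethodK5Passwd Off
    KrbSaveCredentials Off

    # 2. Authorization: look the user up in AD and check group membership.
    #
    # Weak form (the starting point of the thread): a simple bind to plain
    # LDAP, which sends the service account's password in clear text:
    #   AuthLDAPURL "ldap://dc.example.com:389/DC=example,DC=com?sAMAccountName?sub"
    #
    # Hardened form: LDAPS to the global catalogue (port 3269) using a
    # read-only account that has no rights beyond directory lookups.
    AuthLDAPURL "ldaps://gc.example.com:3269/DC=example,DC=com?userPrincipalName?sub?(objectClass=user)"
    AuthLDAPBindDN "CN=svc-httpd-lookup,OU=Service Accounts,DC=example,DC=com"
    AuthLDAPBindPassword "REPLACE_WITH_SECRET"

    # mod_auth_kerb sets REMOTE_USER to user@REALM (assumption: no local
    # user mapping), so the search attribute is userPrincipalName rather
    # than sAMAccountName.
    Require ldap-group CN=web-secure-users,OU=Groups,DC=example,DC=com
</Location>
```

The bind password still lives in the configuration with this approach; the risk reduction comes from transporting it only over LDAPS with server-certificate verification and from giving the account nothing but read access, so that a leak of httpd.conf yields a lookup credential rather than a privileged one. Keep the file readable only by root, and on httpd 2.4.5 or later the password can be fetched from a restricted helper with the `exec:` form of AuthLDAPBindPassword instead of being written inline.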

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

