Anyone has an apache running with mod_auth_kerb AND mod_auth_ldap?
Hello,
Anyone out there who's running an Apache with mod_auth_kerb and
mod_auth_ldap?
I'm running an Apache with mod_auth_kerb perfectly.
But we have users who aren't in our Windows AD, so they can't load the
websites protected through mod_auth_kerb.
Is it possible to fall back to mod_auth_ldap, so they can manually type
in their login? (Apache then checks the user against the LDAP.)
I can't get both of these modules running simultaneously.
That's my .htaccess:
AuthType Kerberos
AuthName "Intranet Login"
AuthLDAPBindDN conny
AuthLDAPBindPassword w2kr2d2
AuthLDAPEnabled on
AuthLDAPURL "ldap://w2kroot.konzern.intern:3268/dc=konzern,dc=intern?mail?sub?"
AuthLDAPAuthoritative off
KrbAuthRealms KONZERN.INTERN
KrbServiceName HTTP
Krb5Keytab /usr/local/apache2/current/conf/httpd.keytab
KrbMethodNegotiate on
KrbMethodK5Passwd on
#KrbMethodK5Passwd on
KrbAuthoritative off
KrbDelegateBasic on
require valid-user
Apache: 2.0.55
Mod_auth_kerb: 5.0-rc7
If I enable log level debug in my Apache, I can see that it always first
tries to check the user against the LDAP, then checks the Kerberos
ticket.
My goal:
Apache checks if the browser submitted a user (Integrated Windows
Authentication). If that fails, it passes through to a Basic Auth with
LDAP and prompts the user for username/password.
With best regards
M.Djihangiroff
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
Re: Anyone has an apache running with mod_auth_kerb AND mod_auth_ldap?
"Djihangiroff, Matthias (KC-DD)" <Matthias.Djihangiroff@persona.de> writes:
> Anyone out there who's running an Apache with mod_auth_kerb and
> mod_auth_ldap? I'm running an Apache with mod_auth_kerb perfectly.

> But we have users who aren't in our Windows AD, so they can't load the
> websites protected through mod_auth_kerb. Is it possible to fall back
> to mod_auth_ldap, so they can manually type in their login? (Apache
> then checks the user against the LDAP.)

> I can't get both of these modules running simultaneously.
At least in Apache 2.0, it is extremely difficult to get two
authentication modules to co-exist; Apache by and large considers any
particular portion of the URL space to be protected by only one
authentication scheme (possibly combined with IP address restrictions).
This is partly a limitation of Apache (particularly the configuration
syntax) and partly related to difficulties in the HTTP protocol (you can't
easily negotiate and attempt multiple authentication protocols in turn).
However, that being said, mod_auth_kerb does support:
KrbDelegateBasic on | off (set to off by default)
If set to 'on', this option causes Basic authentication to always be
offered regardless of the KrbMethodK[45]Pass directives. Then, if a Basic
authentication header arrives, the authentication decision is passed along
to other modules. This option is a work-around for the insufficient
authentication scheme in Apache (Apache 2.1 seems to provide better support
for multiple authentication mechanisms).
The trick is that for this to work properly, mod_auth_kerb needs to go
first and then the other authentication module needs to follow
afterwards in the processing stack. That's something that modules can
control in their own C code to some extent, but I don't know how you'd
control this from outside without making code modifications.
There is in theory a reworking of this in Apache 2.2, but I've been
completely unable to find any documentation for the changes outside of the
tantalizing hint in the Apache 2.2 release notes:
Authn/Authz
The bundled authentication and authorization modules have been renamed
along the following lines:
* mod_auth_* -> Modules that implement an HTTP authentication mechanism
* mod_authn_* -> Modules that provide a backend authentication provider
* mod_authz_* -> Modules that implement authorization (or access)
* mod_authnz_* -> Module that implements both authentication & authorization
There is a new authentication backend provider scheme which greatly
eases the construction of new authentication backends.
If anyone knows where this is all fully documented, I'd love to hear it.
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
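The decision flow Russ describes (mod_auth_kerb declining a Basic header when KrbDelegateBasic is on, and the order of the check_user_id hooks deciding which challenge the browser ever sees) as a small Python model. This is an added example for illustration and is not Apache or mod_auth_kerb source: the token value, the `extern1` user, the two module functions and `run_chain` are constructed stand-ins, and a real mod_auth_kerb validates the SPNEGO token against the keytab rather than looking it up in a dict.

```python
"""Simplified model of an Apache 2.0 check_user_id hook chain in which
mod_auth_kerb (KrbAuthoritative off, KrbDelegateBasic on) shares a URL space
with a Basic-auth module such as mod_auth_ldap.  Added example: this models the
behaviour described in the thread and is not Apache or mod_auth_kerb code."""
import base64

OK, DECLINED, HTTP_UNAUTHORIZED = "OK", "DECLINED", 401
REALM = "Intranet Login"

# Constructed stand-ins for the KDC-validated SPNEGO token and the LDAP directory.
KERBEROS_TOKENS = {"PLACEHOLDER_SPNEGO_TOKEN": "conny@KONZERN.INTERN"}
LDAP_PASSWORDS = {"extern1": "secret1"}   # hypothetical user who is not in AD


def basic_header(user, password):
    """Build the Authorization value a browser sends for HTTP Basic."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_authorization(value):
    """Split 'Negotiate <token>' / 'Basic <b64>' into (scheme, data)."""
    if not value:
        return None, None
    scheme, _, data = value.partition(" ")
    return scheme.lower(), data.strip()


def mod_auth_kerb(req, delegate_basic=True, authoritative=False):
    scheme, data = parse_authorization(req.get("Authorization"))
    if scheme is None:
        # No credentials yet: challenge. KrbDelegateBasic on adds a Basic challenge
        # next to Negotiate so a browser without a ticket can fall back to a password.
        req["WWW-Authenticate"] = ["Negotiate"]
        if delegate_basic:
            req["WWW-Authenticate"].append(f'Basic realm="{REALM}"')
        return HTTP_UNAUTHORIZED
    if scheme == "negotiate":
        user = KERBEROS_TOKENS.get(data)
        if user:
            req["user"] = user
            return OK
    elif scheme == "basic" and delegate_basic:
        return DECLINED        # leave the Basic header to the next module
    return HTTP_UNAUTHORIZED if authoritative else DECLINED


def mod_auth_ldap(req, authoritative=False):
    scheme, data = parse_authorization(req.get("Authorization"))
    if scheme is None:
        # A Basic-only module answers a bare request with a Basic challenge and
        # stops the chain, so Negotiate is never offered if this module runs first.
        req["WWW-Authenticate"] = [f'Basic realm="{REALM}"']
        return HTTP_UNAUTHORIZED
    if scheme != "basic":
        return HTTP_UNAUTHORIZED if authoritative else DECLINED
    user, _, password = base64.b64decode(data).decode().partition(":")
    if LDAP_PASSWORDS.get(user) == password:   # stand-in for an LDAP simple bind
        req["user"] = user
        return OK
    return HTTP_UNAUTHORIZED


def run_chain(modules, headers):
    """Run check_user_id hooks in order until one returns other than DECLINED."""
    req = dict(headers)
    req["trace"] = []
    for name, hook in modules:
        result = hook(req)
        req["trace"].append((name, result))
        if result != DECLINED:
            return result, req
    return HTTP_UNAUTHORIZED, req   # nobody claimed the request


KERB_FIRST = [("mod_auth_kerb", mod_auth_kerb), ("mod_auth_ldap", mod_auth_ldap)]
LDAP_FIRST = list(reversed(KERB_FIRST))

if __name__ == "__main__":
    for order, label in ((KERB_FIRST, "kerb first"), (LDAP_FIRST, "ldap first")):
        status, req = run_chain(order, {})
        print(label, "no credentials ->", status, req["WWW-Authenticate"])
    status, req = run_chain(KERB_FIRST, {"Authorization": basic_header("extern1", "secret1")})
    print("kerb first, Basic ->", status, req.get("user"), req["trace"])
```

Running the two orders shows why the ordering matters: with the Basic/LDAP module first, the 401 carries only a Basic challenge, so a browser never attempts Negotiate (consistent with the log order the original poster saw); with mod_auth_kerb first, the challenge offers both, a ticket holder is authenticated by Kerberos, and a Basic header is declined by mod_auth_kerb and handled by the LDAP module.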
Re: Anyone has an apache running with mod_auth_kerb AND mod_auth_ldap?
On Thu, 5 Oct 2006 08:03:51 +0200
"Djihangiroff, Matthias (KC-DD)" <Matthias.Djihangiroff@persona.de> wrote:
> Hello,
>
> Anyone out there who's running an Apache with mod_auth_kerb and
> mod_auth_ldap?
> I'm running an Apache with mod_auth_kerb perfectly.
>
> But we have users who aren't in our Windows AD, so they can't load the
> websites protected through mod_auth_kerb.
> Is it possible to fall back to mod_auth_ldap, so they can manually type
> in their login? (Apache then checks the user against the LDAP.)
I don't know the answer to this (my understanding is that trying to
stack mod_auth_* modules together is not practical) but I just want to
point out that you can use krb5_get_init_creds_password to do Basic so
there's no reason to use LDAP at all. In fact using LDAP as a make-shift
authentication service is crude and insecure. Whether or not mod_auth_kerb
can do it I have no idea.
Mike
--
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
Re: Anyone has an apache running with mod_auth_kerb AND mod_auth_ldap?
Michael B Allen <mba2000@ioplex.com> writes:
> "Djihangiroff, Matthias (KC-DD)" <Matthias.Djihangiroff@persona.de> wrote:

>> Anyone out there who's running an Apache with mod_auth_kerb and
>> mod_auth_ldap?
>> I'm running an Apache with mod_auth_kerb perfectly.

>> But we have users who aren't in our Windows AD, so they can't load the
>> websites protected through mod_auth_kerb.
>> Is it possible to fall back to mod_auth_ldap, so they can manually type
>> in their login? (Apache then checks the user against the LDAP.)

> I don't know the answer to this (my understanding is that trying to
> stack mod_auth_* modules together is not practical) but I just want to
> point out that you can use krb5_get_init_creds_password to do Basic so
> there's no reason to use LDAP at all. In fact using LDAP as a make-shift
> authentication service is crude and insecure. Whether or not mod_auth_kerb
> can do it I have no idea.
mod_auth_kerb can (via BasicAuth), but you need to have the passwords in
some Kerberos database. It doesn't help if they're only in LDAP.
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
Re: Anyone has an apache running with mod_auth_kerb AND mod_auth_ldap?
On Thu, 05 Oct 2006 10:13:53 -0700
Russ Allbery <rra@stanford.edu> wrote:
> Michael B Allen <mba2000@ioplex.com> writes:
> > "Djihangiroff, Matthias (KC-DD)" <Matthias.Djihangiroff@persona.de> wrote:
>
> >> Anyone out there who's running an Apache with mod_auth_kerb and
> >> mod_auth_ldap?
> >> I'm running an Apache with mod_auth_kerb perfectly.
>
> >> But we have users who aren't in our Windows AD, so they can't load the
> >> websites protected through mod_auth_kerb.
> >> Is it possible to fall back to mod_auth_ldap, so they can manually type
> >> in their login? (Apache then checks the user against the LDAP.)
>
> > I don't know the answer to this (my understanding is that trying to
> > stack mod_auth_* modules together is not practical) but I just want to
> > point out that you can use krb5_get_init_creds_password to do Basic so
> > there's no reason to use LDAP at all. In fact using LDAP as a make-shift
> > authentication service is crude and insecure. Whether or not mod_auth_kerb
> > can do it I have no idea.
>
> mod_auth_kerb can (via BasicAuth), but you need to have the passwords in
> some Kerberos database. It doesn't help if they're only in LDAP.
I'm a little confused by this statement. If mod_auth_kerb uses
krb5_get_init_creds_password it shouldn't care where passwords are. Also,
AD is a "Kerberos database" and does not store passwords in the DIT
(actually it doesn't store passwords at all AFAIK, only keys).
Mike
--
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
Re: Anyone has an apache running with mod_auth_kerb AND mod_auth_ldap?
Michael B Allen <mba2000@ioplex.com> writes:
> Russ Allbery <rra@stanford.edu> wrote:

>> mod_auth_kerb can (via BasicAuth), but you need to have the passwords
>> in some Kerberos database. It doesn't help if they're only in LDAP.

> I'm a little confused by this statement. If mod_auth_kerb uses
> krb5_get_init_creds_password it shouldn't care where passwords are.
It only does Kerberos authentication. If the passwords are stored as
encrypted hashes in an LDAP directory server (which is what people
normally mean when they talk about "LDAP authentication"), it doesn't
help.

> Also, AD is a "Kerberos database" and does not store passwords in the
> DIT (actually it doesn't store passwords at all AFAIK, only keys).
Yes, the original question was how to handle authentication of the users
at that site who *aren't* in AD. The original poster wasn't completely
clear on where the passwords *are* stored, but based on the question, I
presume they're encrypted hashes in LDAP.
You're correct and I was sloppy in my wording -- normally, Kerberos KDCs
only store keys, not passwords.
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
Re: Anyone has an apache running with mod_auth_kerb AND mod_auth_ldap?
On Thu, 05 Oct 2006 11:10:27 -0700
Russ Allbery <rra@stanford.edu> wrote:
> Michael B Allen <mba2000@ioplex.com> writes:
> > Russ Allbery <rra@stanford.edu> wrote:
>
> >> mod_auth_kerb can (via BasicAuth), but you need to have the passwords
> >> in some Kerberos database. It doesn't help if they're only in LDAP.
>
> > I'm a little confused by this statement. If mod_auth_kerb uses
> > krb5_get_init_creds_password it shouldn't care where passwords are.
>
> It only does Kerberos authentication. If the passwords are stored as
> encrypted hashes in an LDAP directory server (which is what people
> normally mean when they talk about "LDAP authentication"), it doesn't
> help.
Actually I think mod_auth_ldap just uses ldap_bind functions to
"authenticate" so the passwords "stored as encrypted hashes" part still
confuses me a little.
But you're right. I see now that the OP was asking about Basic for users
NOT in AD so it doesn't sound like he would be able to use mod_auth_kerb.
Mike
--
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
Re: Anyone has an apache running with mod_auth_kerb AND mod_auth_ldap?
Michael B Allen <mba2000@ioplex.com> writes:
> Russ Allbery <rra@stanford.edu> wrote:

>> It only does Kerberos authentication. If the passwords are stored as
>> encrypted hashes in an LDAP directory server (which is what people
>> normally mean when they talk about "LDAP authentication"), it doesn't
>> help.

> Actually I think mod_auth_ldap just uses ldap_bind functions to
> "authenticate" so the passwords "stored as encrypted hashes" part still
> confuses me a little.
The typical LDAP server can usually authenticate users in several
different ways, from GSSAPI via SASL to doing callouts behind the scenes
to verify a provided password against Kerberos. Far and away the most
common way of using an LDAP server to do authentication, however, is to
store an MD5 or similar hash of the password in an attribute and then
have the server compare hashes when the user tries to bind. I usually
assume that method is what people are talking about when they say that
they want to authenticate against LDAP, since people who have set up other
things usually know to use more specific terminology.
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
Re: Anyone has an apache running with mod_auth_kerb AND mod_auth_ldap?
I had this problem a few days ago. Divide up your clients by IP Range.
Put your Kerberized clients on one subnet, non-Kerberized clients on
another subnet.