Anyone has an apache running with mod_auth_kerb AND mod_auth_ldap? - Kerberos


Thread: Anyone has an apache running with mod_auth_kerb AND mod_auth_ldap?

  1. Anyone has an apache running with mod_auth_kerb AND mod_auth_ldap?

    Hello,

    Anyone out there who's running an Apache with mod_auth_kerb and
    mod_auth_ldap?
    I'm running an Apache with mod_auth_kerb perfectly.

    But we have users which aren't in our Windows AD, so they can't load the
    websites protected through mod_auth_kerb.
    Is it possible to fall back to mod_auth_ldap, so they can manually type
    in their login? (The Apache then checks the user against the LDAP.)

    I can't get both of these modules running simultaneously.

    That's my .htaccess:

    # Kerberos is the declared auth type; the AuthLDAP* lines are the intended fallback
    AuthType Kerberos
    AuthName "Intranet Login"
    # bind credentials mod_auth_ldap uses to search the directory
    AuthLDAPBindDN conny
    AuthLDAPBindPassword w2kr2d2
    AuthLDAPEnabled on
    AuthLDAPURL "ldap://w2kroot.konzern.intern:3268/dc=konzern,dc=intern?mail?sub?"
    AuthLDAPAuthoritative off
    # mod_auth_kerb settings
    KrbAuthRealms KONZERN.INTERN
    KrbServiceName HTTP
    Krb5Keytab /usr/local/apache2/current/conf/httpd.keytab
    KrbMethodNegotiate on
    KrbMethodK5Passwd on
    #KrbMethodK5Passwd on
    KrbAuthoritative off
    KrbDelegateBasic on
    require valid-user

    Apache: 2.0.55
    Mod_auth_kerb: 5.0-rc7

    If I enable log-level debug in my Apache, I can see that it ALWAYS
    tries to check the user against the LDAP first, then checks the Kerberos
    ticket.

    My goal:
    Apache checks if the browser submitted a user (integrated Windows
    authentication). If that fails, it passes through to a Basic Auth with
    LDAP, and prompts the user for username/password.

    With best regards
    M.Djihangiroff
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: Anyone has an apache running with mod_auth_kerb AND mod_auth_ldap?

    "Djihangiroff, Matthias (KC-DD)" writes:

    > Anyone out there who's running an Apache with mod_auth_kerb and
    > mod_auth_ldap? I'm running an Apache with mod_auth_kerb perfectly.
    >
    > But we have users which aren't in our Windows AD, so they can't load the
    > websites protected through mod_auth_kerb. Is it possible to fall back
    > to mod_auth_ldap, so they can manually type in their login? (The Apache
    > then checks the user against the LDAP.)
    >
    > I can't get both of these modules running simultaneously.


    At least in Apache 2.0, it is extremely difficult in Apache to get two
    authentication modules to co-exist; Apache by and large considers any
    particular portion of the URL space to be protected by only one
    authentication scheme (possibly combined with IP address restrictions).
    This is partly a limitation of Apache (particularly the configuration
    syntax) and partly related to difficulties in the HTTP protocol (you can't
    easily negotiate and attempt multiple authentication protocols in turn).

    However, that being said, mod_auth_kerb does support:

    KrbDelegateBasic on | off (set to off by default)
    If set to 'on' this option causes Basic authentication to always be
    offered regardless of the setting of the KrbMethodK[45]Pass directives.
    Then, if a Basic authentication header arrives, the authentication
    decision is passed along to other modules. This option is a work-around
    for the insufficient authentication scheme in Apache (Apache 2.1 seems to
    provide better support for multiple authentication mechanisms).

    The trick is that for this to work properly, mod_auth_kerb needs to go
    first and then the other authentication module needs to follow
    afterwards in the processing stack. That's something that modules can
    control in their own C code to some extent, but I don't know how you'd
    control this from outside without making code modifications.

    There is in theory a reworking of this in Apache 2.2, but I've been
    completely unable to find any documentation for the changes outside of the
    tantalizing hint in the Apache 2.2 release notes:

    Authn/Authz
    The bundled authentication and authorization modules have been renamed
    along the following lines:

    * mod_auth_* -> Modules that implement an HTTP authentication mechanism
    * mod_authn_* -> Modules that provide a backend authentication provider
    * mod_authz_* -> Modules that implement authorization (or access)
    * mod_authnz_* -> Modules that implement both authentication & authorization

    There is a new authentication backend provider scheme which greatly
    eases the construction of new authentication backends.

    If anyone knows where this is all fully documented, I'd love to hear it.

    --
    Russ Allbery (rra@stanford.edu)

  3. Re: Anyone has an apache running with mod_auth_kerb AND mod_auth_ldap?

    On Thu, 5 Oct 2006 08:03:51 +0200
    "Djihangiroff, Matthias (KC-DD)" wrote:

    > Hello,
    >
    > Anyone out there who's running an Apache with mod_auth_kerb and
    > mod_auth_ldap?
    > I'm running an Apache with mod_auth_kerb perfectly.
    >
    > But we have users which aren't in our Windows AD, so they can't load the
    > websites protected through mod_auth_kerb.
    > Is it possible to fall back to mod_auth_ldap, so they can manually type
    > in their login? (The Apache then checks the user against the LDAP.)


    I don't know the answer to this (my understanding is that trying to
    stack mod_auth_* modules together is not practical) but I just want to
    point out that you can use krb5_get_init_creds_password to do Basic so
    there's no reason to use LDAP at all. In fact using LDAP as a makeshift
    authentication service is crude and insecure. Whether or not mod_auth_kerb
    can do it I have no idea.

    Mike

    --
    Michael B Allen
    PHP Active Directory SSO
    http://www.ioplex.com/


  4. Re: Anyone has an apache running with mod_auth_kerb AND mod_auth_ldap?

    Michael B Allen writes:
    > "Djihangiroff, Matthias (KC-DD)" wrote:


    >> Anyone out there who's running an Apache with mod_auth_kerb and
    >> mod_auth_ldap?
    >> I'm running an Apache with mod_auth_kerb perfectly.
    >>
    >> But we have users which aren't in our Windows AD, so they can't load the
    >> websites protected through mod_auth_kerb.
    >> Is it possible to fall back to mod_auth_ldap, so they can manually type
    >> in their login? (The Apache then checks the user against the LDAP.)
    >
    > I don't know the answer to this (my understanding is that trying to
    > stack mod_auth_* modules together is not practical) but I just want to
    > point out that you can use krb5_get_init_creds_password to do Basic so
    > there's no reason to use LDAP at all. In fact using LDAP as a makeshift
    > authentication service is crude and insecure. Whether or not mod_auth_kerb
    > can do it I have no idea.


    mod_auth_kerb can (via BasicAuth), but you need to have the passwords in
    some Kerberos database. It doesn't help if they're only in LDAP.

    --
    Russ Allbery (rra@stanford.edu)

  5. Re: Anyone has an apache running with mod_auth_kerb AND mod_auth_ldap?

    On Thu, 05 Oct 2006 10:13:53 -0700
    Russ Allbery wrote:

    > Michael B Allen writes:
    > > "Djihangiroff, Matthias (KC-DD)" wrote:

    >
    > >> Anyone out there who's running an Apache with mod_auth_kerb and
    > >> mod_auth_ldap?
    > >> I'm running an Apache with mod_auth_kerb perfectly.
    > >>
    > >> But we have users which aren't in our Windows AD, so they can't load the
    > >> websites protected through mod_auth_kerb.
    > >> Is it possible to fall back to mod_auth_ldap, so they can manually type
    > >> in their login? (The Apache then checks the user against the LDAP.)
    >
    > > I don't know the answer to this (my understanding is that trying to
    > > stack mod_auth_* modules together is not practical) but I just want to
    > > point out that you can use krb5_get_init_creds_password to do Basic so
    > > there's no reason to use LDAP at all. In fact using LDAP as a makeshift
    > > authentication service is crude and insecure. Whether or not mod_auth_kerb
    > > can do it I have no idea.
    >
    > mod_auth_kerb can (via BasicAuth), but you need to have the passwords in
    > some Kerberos database. It doesn't help if they're only in LDAP.


    I'm a little confused by this statement. If mod_auth_kerb uses
    krb5_get_init_creds_password it shouldn't care where passwords are. Also,
    AD is a "Kerberos database" and does not store passwords in the DIT
    (actually it doesn't store passwords at all AFAIK, only keys).

    Mike

    --
    Michael B Allen
    PHP Active Directory SSO
    http://www.ioplex.com/


  6. Re: Anyone has an apache running with mod_auth_kerb AND mod_auth_ldap?

    Michael B Allen writes:
    > Russ Allbery wrote:


    >> mod_auth_kerb can (via BasicAuth), but you need to have the passwords
    >> in some Kerberos database. It doesn't help if they're only in LDAP.


    > I'm a little confused by this statement. If mod_auth_kerb uses
    > krb5_get_init_creds_password it shouldn't care where passwords are.


    It only does Kerberos authentication. If the passwords are stored as
    encrypted hashes in an LDAP directory server (which is what people
    normally mean when they talk about "LDAP authentication"), it doesn't
    help.

    > Also, AD is a "Kerberos database" and does not store passwords in the
    > DIT (actually it doesn't store passwords at all AFAIK, only keys).


    Yes, the original question was how to handle authentication of the users
    at that site who *aren't* in AD. The original poster wasn't completely
    clear on where the passwords *are* stored, but based on the question, I
    presume they're encrypted hashes in LDAP.

    You're correct and I was sloppy in my wording -- normally, Kerberos KDCs
    only store keys, not passwords.

    --
    Russ Allbery (rra@stanford.edu)


  7. Re: Anyone has an apache running with mod_auth_kerb AND mod_auth_ldap?

    On Thu, 05 Oct 2006 11:10:27 -0700
    Russ Allbery wrote:

    > Michael B Allen writes:
    > > Russ Allbery wrote:

    >
    > >> mod_auth_kerb can (via BasicAuth), but you need to have the passwords
    > >> in some Kerberos database. It doesn't help if they're only in LDAP.
    >
    > > I'm a little confused by this statement. If mod_auth_kerb uses
    > > krb5_get_init_creds_password it shouldn't care where passwords are.
    >
    > It only does Kerberos authentication. If the passwords are stored as
    > encrypted hashes in an LDAP directory server (which is what people
    > normally mean when they talk about "LDAP authentication"), it doesn't
    > help.


    Actually I think mod_auth_ldap just uses ldap_bind functions to
    "authenticate" so the passwords "stored as encrypted hashes" part still
    confuses me a little.

    But you're right. I see now that the OP was asking about Basic for users
    NOT in AD so it doesn't sound like he would be able to use mod_auth_kerb.

    Mike

    --
    Michael B Allen
    PHP Active Directory SSO
    http://www.ioplex.com/


  8. Re: Anyone has an apache running with mod_auth_kerb AND mod_auth_ldap?

    Michael B Allen writes:
    > Russ Allbery wrote:


    >> It only does Kerberos authentication. If the passwords are stored as
    >> encrypted hashes in an LDAP directory server (which is what people
    >> normally mean when they talk about "LDAP authentication"), it doesn't
    >> help.


    > Actually I think mod_auth_ldap just uses ldap_bind functions to
    > "authenticate" so the passwords "stored as encrypted hashes" part still
    > confuses me a little.


    The typical LDAP server can usually authenticate users in several
    different ways, from GSSAPI via SASL to doing callouts behind the scenes
    to verify a provided password against Kerberos. Far and away the most
    common way of using an LDAP server to do authentication, however, is to
    store an MD5 or similar hash of the password in an attribute and then
    have the server compare hashes when the user tries to bind. I usually
    assume that method is what people are talking about when they say that
    they want to authenticate against LDAP, since people who have set up other
    things usually know to use more specific terminology.

    --
    Russ Allbery (rra@stanford.edu)
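The hash-compare-on-bind mechanism Russ describes, as an added example that is not code from the thread or from any directory server: a small Python model of how a server checks a simple bind against an RFC 2307 userPassword value in the {MD5}, {SMD5}, {SHA} and {SSHA} schemes. It assumes the cleartext password arrives with the bind (as it does in a simple bind), which is the property that separates this from the Kerberos path the other posts discuss.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# RFC 2307 userPassword schemes: digest function and whether a salt is appended.
_SCHEMES = {
    "MD5": (hashlib.md5, False), "SMD5": (hashlib.md5, True),
    "SHA": (hashlib.sha1, False), "SSHA": (hashlib.sha1, True),
}


def hash_userpassword(password: str, scheme: str = "SSHA",
                      salt: Optional[bytes] = None) -> str:
    """Produce a userPassword value the way a directory stores it:
    '{SCHEME}' + base64(digest(password + salt) + salt)."""
    digest, salted = _SCHEMES[scheme.upper()]
    if salted:
        salt = os.urandom(4) if salt is None else salt  # constructed salt size
    else:
        salt = b""
    raw = digest(password.encode("utf-8") + salt).digest() + salt
    return "{%s}%s" % (scheme.upper(), base64.b64encode(raw).decode("ascii"))


def verify_userpassword(stored: str, candidate: str) -> bool:
    """Model of the server side of a simple bind: split the stored value into
    digest and salt, rehash the cleartext just received with that salt and
    compare digests in constant time. Anything not in a known scheme fails."""
    if not stored.startswith("{") or "}" not in stored:
        return False  # cleartext or unrecognised layout: not verifiable here
    scheme, _, b64 = stored[1:].partition("}")
    entry = _SCHEMES.get(scheme.upper())
    if entry is None:
        return False
    digest, salted = entry
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:
        return False
    size = digest().digest_size
    if len(raw) < size or (not salted and len(raw) != size):
        return False
    expected, salt = raw[:size], raw[size:]
    actual = digest(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(expected, actual)
```

Because the server needs the cleartext to recompute the digest, the password crosses the wire on every bind, so this path depends entirely on TLS between Apache and the directory; Kerberos Basic via krb5_get_init_creds_password never sends the password to the KDC.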


  9. Re: Anyone has an apache running with mod_auth_kerb AND mod_auth_ldap?

    I had this problem a few days ago. Divide up your clients by IP Range.
    Put your Kerberized clients on one subnet, non-Kerberized clients on
    another subnet.