RE: mod_authnz_ldap with kerberos?

Hi,

On Thu, 2010-10-21 at 08:51 +0200, Assarsson, Emil wrote:
> >> I use mod_authnz_ldap today with simple ldap bind.
> >> Our security team wants me to use Kerberos instead to make it more secure.
> >> This will allow them to specify from where the service account can login and will also protect the credentials from eavesdropping.
> >> Is it possible to make mod_authnz_ldap use a keytab instead?
> >> Or does anyone have a suggestion how to solve this in an even better way?
> > mod_auth_kerb: http://modauthkerb.sourceforge.net/
> > Complex but does work, even with Active Directory.
> 
> I am using mod_auth_kerb today to do the actual authentication. I only use mod_authnz_ldap to do the authorization based on AD security groups.
> What I need is better security for the ldap bind mod_authnz_ldap -> AD. Do you mean that I should be able to use the kinit done by mod_auth_kerb?
> 
Ah sorry, I misunderstood your question. You mean you want to use
Kerberos credentials to communicate with the LDAP server (in this case,
an AD server)?

I haven't tried that, instead I've used a low-privilege user over SSL
(not TLS here) communicating with the global catalogue server - that
does work.

I think you would have to specify the user as a gssapi login (see
openldap for syntax) and specify an explicit credentials cache for
apache using the KRB5CC environment variable. But please bear in mind
I've never tried this and I don't know if it's even possible, let alone if
it would work.

Hope this helps.

> 
> Best regards,
> Emil Assarsson
> 
> ______________________________________________________________________
> This email has been scanned by the MessageLabs Email Security System.
> For more information please visit http://www.messagelabs.com/email 
> ______________________________________________________________________

-- 
Best Regards,

Brett Delle Grazie

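The layout Brett describes as working (mod_auth_kerb for the browser login, mod_authnz_ldap only for AD group authorization, and the bind to AD carried over LDAPS to the global catalog with a low-privilege service account) written out as an httpd configuration. This is an added example, not from the thread and not from either module's documentation; the hostnames, realm, keytab path, bind DN and group DN are placeholders, and exact directive names such as KrbLocalUserMapping depend on the mod_auth_kerb version in use. The speculative GSSAPI bind is not shown, since the thread does not confirm that it works; for reference, the credential-cache environment variable Kerberos libraries honour is KRB5CCNAME. The point of the LDAPS settings is that the service-account password is only ever sent inside a TLS session whose server certificate has been checked against the corporate CA:

```apache
# Added example (not from the thread): mod_auth_kerb authenticates the user,
# mod_authnz_ldap authorizes by AD group over LDAPS. All names are placeholders.

# Server-wide mod_ldap settings: verify the AD server's certificate against
# the corporate CA before the bind password is sent over the connection.
LDAPTrustedGlobalCert CA_BASE64 /etc/httpd/certs/corp-ca.pem
LDAPVerifyServerCert On

<Location /intranet>
    # --- Authentication: mod_auth_kerb with a keytab on the web server ---
    AuthType Kerberos
    AuthName "Intranet"
    KrbAuthRealms EXAMPLE.COM
    Krb5Keytab /etc/httpd/http.keytab
    KrbServiceName HTTP/www.example.com
    KrbMethodNegotiate On
    # No fallback to Basic auth: a password prompt would send the user's
    # domain password over the wire, which is what Kerberos was meant to avoid.
    KrbMethodK5Passwd Off
    # Strip the @REALM suffix so the REMOTE_USER value matches sAMAccountName
    # (assumed mapping; adjust the AuthLDAPURL attribute if you keep the realm).
    KrbLocalUserMapping On

    # --- Authorization: mod_authnz_ldap over LDAPS to the global catalog (3269) ---
    AuthLDAPURL "ldaps://gc.example.com:3269/DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"
    # Low-privilege read-only service account; placeholder credentials.
    AuthLDAPBindDN "CN=svc-httpd-ldap,OU=Service Accounts,DC=example,DC=com"
    AuthLDAPBindPassword "PLACEHOLDER-BIND-PASSWORD"
    # AD lists group members as DNs in the "member" attribute.
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN On

    Require ldap-group CN=Intranet Users,OU=Groups,DC=example,DC=com
</Location>
```

Two things worth checking after deploying this: that the bind really negotiates TLS (a packet capture on port 3269 should show only a TLS handshake and encrypted records, never a cleartext BindRequest), and that LDAPVerifyServerCert is not left Off, since without certificate verification the LDAPS session protects the password from a passive listener but not from anyone who can stand in for the global catalog server.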

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
