Hi, I'm pretty new to this so please excuse any confusion that creeps in ...
I'm hosting a Perl-based web service on a Linux/Apache box that is accessed by Windows workstations. I have Kerberos 5 (MIT) wrapping a particular Perl CGI script, and all works fine for users who have an Active Directory account.

I have recently come across a user who, for some reason, had an expired TGT ticket on his PC. I'm not sure how this happens, as it looks to me like every time you log on/log off or lock/unlock your Windows PC, your tickets are managed for you so you always have a valid TGT. As he is on a business PC, I'm not sure how this happens ... anyways.

What I have been told is that all other systems in the business (which are all hosted on Windows-based servers) will automatically fail over to some forms-based or LDAP authentication/ADAM if the initial Kerberos authentication fails. I have been asked to do the same and provide a means for non-AD users and holders of expired AD/TGT tickets to authenticate against ADAM.

As far as I can tell, when using mod_auth_kerb and selecting Kerberos as the AuthType, it is pretty much Kerberos or nothing ... is this correct? I can see no way to intercept the failure. I think what would be needed is to combine the modules so that Kerberos is tried first and then maybe something like mod_auth_ldap. I have googled this to death and cannot see a standard way of doing it (and I'm not touching the internal Kerberos module code as suggested on one site!!).

I have been told I *must* get this working. What can I do, or is there a 'simple' explanation I can give as to why I cannot do it?

Thanks in advance,
kerbie_newbie

--
View this message in context: http://www.nabble.com/Linux-Apache---combine-mod_auth_kerb-and-ldap---to-be-or-not-to-be----tp22914739p22914739.html
Sent from the Kerberos - General mailing list archive at Nabble.com.

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
