Actually, since you say

>>Anyway, take into account that both fallbacks require a secure server,
>>which is not the case for credential based authentication.

you mean that I would need to have some local storage (on my Linux box) of all user ids or some sort of synchronization with Active Directory? (... or have I misunderstood?). There are more than 50,000 users ...

Thanks again

kerbie_newbie wrote:
>
> Thanks for the responses ... still a little confused though. In another
> thread I've read
>
> "
> Anyone has an apache running with mod_auth_kerb AND mod_auth_ldap
>
> ...
>
> At least in Apache 2.0, it is extremely difficult in Apache to get two
> authentication modules to co-exist; Apache by and large considers any
> particular portion of the URL space to be protected by only one
> authentication scheme (possibly combined with IP address restrictions).
> This is partly a limitation of Apache (particularly the configuration
> syntax) and partly related to difficulties in the HTTP protocol (you can't
> easily negotiate and attempt multiple authentication protocols in turn).
>
> However, that being said, mod_auth_kerb does support:
>
> KrbDelegateBasic on | off (set to off by default)
> If set to 'on' this options causes that Basic authentication is always
> offered regardless setting the KrbMethodK[45]Pass directives. Then, if
> a Basic authentication header arrives authentication decision is passed
> along to another modules. This option is a work-around for insufficient
> authentication scheme in Apache (Apache 2.1 seems to provide better support
> for multiple various authentication mechanisms).
>
> The trick is that for this to work properly, mod_auth_kerb needs to go
> first and then the other authentication module needs to follow
> afterwards in the processing stack. That's something that modules can
> control in their own C code to some extent, but I don't know how you'd
> control this from outside without making code modifications."
>
> ...
> "
>
> Also, my server is not secure so Basic Authentication (which by my
> reckoning does not authenticate against AD) is not an option.
>
> Thanks again.
>
>
> Javier Palacios-2 wrote:
>>
>> On Tue, Apr 7, 2009 at 5:50 PM, Dax Kelson <[email protected]> wrote:
>>> On Mon, 2009-04-06 at 11:47 -0700, kerbie_newbie wrote:
>>>
>>>> As far as I can tell, when using mod_auth_kerb and selecting kerberos as the
>>>> authtype it is pretty much Kerberos or nothing ... is this correct? I can
>>>> see no way to intercept the failure.
>>>
>>> This is not correct. What you want are these two directives:
>>>
>>> KrbMethodNegotiate On
>>> KrbMethodK5Passwd On
>>
>> If I remember right, there is a directive called something like
>> authoritative.
>> I never used it but it is used to pass authentication to other
>> modules (again, if I remember well).
>> That is exactly what you need so instead of enabling password
>> authentication, you need to stack the ldap authentication also, and
>> let proceed if negotiate fails.
>>
>> Anyway, take into account that both fallbacks require a secure server,
>> which is not the case for credential based authentication.
>>
>> Javier Palacios
>> ________________________________________________
>> Kerberos mailing list [email protected]
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>>
>
>

--
View this message in context: http://www.nabble.com/Linux-Apache---combine-mod_auth_kerb-and-ldap---to-be-or-not-to-be----tp22914739p22938708.html
Sent from the Kerberos - General mailing list archive at Nabble.com.
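The following configuration is an added example, not taken from any message in this thread. It shows the two mod_auth_kerb directives named above with the password fallback confined to a TLS virtual host; with KrbMethodK5Passwd the submitted password is checked against the KDC, so no local copy of the user list is involved. The host name, realm, paths and the /app location are placeholders.

```apache
# Added example; host name, realm, /app and all file paths are placeholders.

# Plain HTTP: accept Kerberos tickets only. No Basic challenge is offered,
# so no password is ever sent over the unencrypted connection.
<VirtualHost *:80>
    ServerName www.example.com
    <Location /app>
        AuthType Kerberos
        AuthName "Kerberos Login"
        KrbAuthRealms EXAMPLE.COM
        Krb5Keytab /etc/httpd/conf/http.keytab
        KrbMethodNegotiate On
        KrbMethodK5Passwd Off
        Require valid-user
    </Location>
</VirtualHost>

# HTTPS: Negotiate first, then fall back to a username/password prompt.
# mod_auth_kerb verifies that password against the KDC for the realm.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/httpd/conf/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/server.key
    <Location /app>
        # Refuse the request outright if it did not arrive over TLS.
        SSLRequireSSL
        AuthType Kerberos
        AuthName "Kerberos Login"
        KrbAuthRealms EXAMPLE.COM
        Krb5Keytab /etc/httpd/conf/http.keytab
        KrbMethodNegotiate On
        KrbMethodK5Passwd On
        Require valid-user
    </Location>
</VirtualHost>
```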
