Hi

On 8 February 2011 22:17, Brian Candler <[email protected]> wrote:
> KrbMethodK5Passwd On
>
> will fall back to basic auth, and then check the username/password against
> the KDC.

Not quite. It does fall back to basic, but not to the basic provided by mod_authz_ldap or any other authz_xxx for that matter; KrbMethodK5Passwd handles it all, and as you configured Apache with AuthType kerberos, none of the remaining mod_auth_xx work because those expect Apache to be in mode AuthType basic.

In the flow of Apache modules, when mod_auth_kerb isn't authoritative it will only call other authentication modules compatible with the AuthType of the module on top of the stack: here mod_auth_kerb.

So Apache does something like: mod_auth_kerb -> basic; got authentication going. Then it tries to check what other authorisation/authentication modules are available with AuthType kerberos, as Apache cannot mix authentication types (I read that the next version of Apache would have a workaround for this, but it's been years since they talked about it).

Make sense?

What I wanted here is:

use kerberos for authentication;
if authentication works -> authz_ldap
if kerberos failed: continue to auth_ldap -> authz_ldap

This provides far greater flexibility and lets me handle both full kerberos authentication or, for users with no kerberos at all, it falls back to plain ldap authentication with the flexibility that comes with it.

My mods are for Apache 2.2; mod_auth_ldap was unfortunately completely rewritten in 2.2 and it is very different from earlier versions of Apache, which had two distinct ldap modules: one for authentication, one for authorisation.

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
