On Wed, Feb 23, 2011 at 9:04 AM, Michael Brown <[email protected]> wrote:
> On Wednesday 23 Feb 2011 15:38:44 john s. wrote:
> > I have a comprehensive question about SSO in relation to LDAP.
> >
> > Is it possible with LDAP to get access on an SSO client with a computer in
> > a network (e.g. RT) by starting the computer with a network Windows logon?
> >
> > Or do I have to do this with NTLM?
>
> You can use Kerberos to do this. From memory, you need to make sure that
> DNS is working perfectly (including reverse lookups), and you will need to
> ensure that the browser is prepared to use Kerberos to authenticate against
> your RT server. For IE, this means designating the RT server as part of the
> "Intranet" zone; for Firefox you can use about:config and add the RT server
> to network.negotiate-auth.trusted-uris.
>
> On the server side, you want something like this in .htaccess:
>
> AuthType Kerberos
> AuthName "Kerberos Login"
> KrbMethodNegotiate On
> KrbMethodK5Passwd Off
> KrbAuthRealms <insert your Kerberos realm here>
> Krb5KeyTab /etc/httpd/conf/keytab
> Require valid-user
>
You may also need to set AllowOverride in your Apache config to allow some
of these directives to be placed in .htaccess--some configurations have this
set to "none" by default.
* http://httpd.apache.org/docs/2.2/mod/core.html#allowoverride
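As an added example (not Michael's or John's own configuration), here is an Apache 2.2 virtual host that puts the two pieces from this thread together: an AllowOverride setting that permits the authentication directives in .htaccess, and the same mod_auth_kerb directives placed directly in the server config, which is usually the more robust choice because it does not depend on per-directory overrides at all. The hostname rt.example.com, the realm EXAMPLE.COM, the document root and the keytab path are assumptions; substitute your own.

```apache
# Added example, not part of the original thread. Assumes mod_auth_kerb is loaded
# and that the keytab holds the HTTP/rt.example.com@EXAMPLE.COM service key.
<VirtualHost *:443>
    ServerName rt.example.com        # must match forward AND reverse DNS for SPNEGO to work
    DocumentRoot /var/www/rt

    # Option 1: allow the Kerberos directives to live in .htaccess.
    # "AuthConfig" is enough; "All" is broader than needed.
    <Directory /var/www/rt>
        AllowOverride AuthConfig
    </Directory>

    # Option 2 (preferred): keep the directives in the server config so they cannot be
    # silently ignored by an "AllowOverride None" default. Remove the .htaccess copy if you use this.
    <Location />
        AuthType Kerberos
        AuthName "Kerberos Login"
        KrbMethodNegotiate On       # SPNEGO/Negotiate: browser presents a ticket, no password prompt
        KrbMethodK5Passwd Off       # no Basic-auth fallback: passwords never cross the wire
        KrbServiceName HTTP         # service principal prefix, HTTP/rt.example.com
        KrbAuthRealms EXAMPLE.COM
        Krb5KeyTab /etc/httpd/conf/keytab   # readable by the apache user only (mode 0400)
        KrbSaveCredentials Off
        Require valid-user
    </Location>
</VirtualHost>
```

Run with only one of the two options active for a given directory; if both the <Location> block and a .htaccess file carry AuthType directives, the .htaccess settings override the server config for that directory, which makes troubleshooting harder. The single most common reason Negotiate fails after this is the DNS precondition Michael mentions: the browser builds the service principal from the name it resolves, so a mismatch between ServerName, the A record and the PTR record will cause a fallback to NTLM or a 401.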