On Thu, 05 Oct 2006 10:13:53 -0700 Russ Allbery <[EMAIL PROTECTED]> wrote:
> Michael B Allen <[EMAIL PROTECTED]> writes: > > "Djihangiroff, Matthias (KC-DD)" <[EMAIL PROTECTED]> wrote: > > >> Anyone out there whos running an Apache with mod_auth_kerb and > >> mod_auth_ldap? > >> Im running an Apache with mod_auth_kerb perfectly. > > >> But we have users, which arent in our Windows AD, so they cant load the > >> websites protected through mod_auth_kerb. > >> Is it possible to fall back to mod_auth_ldap, so they can manualy type > >> in their login? (The Apache than check the user against the LDAP). > > > I don't know the answer to this (my understanding is that trying to > > stack mod_auth_* modules together is not practical) but I just want to > > point out that you can use krb5_get_init_creds_password to do Basic so > > there's no reason to use LDAP at all. In fact using LDAP as a make-shift > > authentication service is crude and insecure. Wether or not mod_auth_kerb > > can do it I have no idea. > > mod_auth_kerb can (via BasicAuth), but you need to have the passwords in > some Kerberos database. It doesn't help if they're only in LDAP. I'm a little confused by this statement. If mod_auth_kerb uses krb5_get_init_creds_password it shouldn't care where passwords are. Also, AD is a "Kerberos database" and does not store passwords in the DIT (actually it doesn't store passwords at all AFAIK, only keys). Mike -- Michael B Allen PHP Active Directory SSO http://www.ioplex.com/ ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
