Posted to users@httpd.apache.org by "Assarsson, Emil" <Em...@sonyericsson.com> on 2010/10/20 12:27:52 UTC

[users@httpd] mod_authnz_ldap with kerberos?

Hi all,

I use mod_authnz_ldap today with a simple LDAP bind.
Our security team wants me to use Kerberos instead to make it more secure.
This will allow them to specify from where the service account can log in and will also protect the credentials from eavesdropping.

Is it possible to make mod_authnz_ldap use a keytab instead?
Or does anyone have a suggestion for how to solve this in an even better way?


Best regards

Emil Assarsson
Sony Ericsson Mobile Communications AB




---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


RE: [users@httpd] mod_authnz_ldap with kerberos?

Posted by Brett Delle Grazie <br...@intact-is.com>.
Hi,

On Thu, 2010-10-21 at 08:51 +0200, Assarsson, Emil wrote:
> >> I use mod_authnz_ldap today with a simple LDAP bind.
> >> Our security team wants me to use Kerberos instead to make it more secure.
> >> This will allow them to specify from where the service account can log in and will also protect the credentials from eavesdropping.
> >> Is it possible to make mod_authnz_ldap use a keytab instead?
> >> Or does anyone have a suggestion for how to solve this in an even better way?
> > mod_auth_kerb: http://modauthkerb.sourceforge.net/
> > Complex but does work, even with Active Directory.
> 
> I am using mod_auth_kerb today to do the actual authentication. I only use mod_authnz_ldap to do the authorization based on AD security groups.
> What I need is better security for the LDAP bind mod_authnz_ldap -> AD. Do you mean that I should be able to use the kinit done by mod_auth_kerb?
> 
Ah sorry, I misunderstood your question. You mean you want to use
Kerberos credentials to communicate with the LDAP server (in this case,
an AD server)?

I haven't tried that; instead I've used a low-privilege user over SSL
(not TLS here) communicating with the global catalogue server, and that
does work.

I think you would have to specify the user as a GSSAPI login (see
OpenLDAP for syntax) and specify an explicit credentials cache for
Apache using the KRB5CC environment variable. But please bear in mind
I've never tried this, and I don't know if it's even possible, let alone if
it would work.

Hope this helps.

> 
> Best regards,
> Emil Assarsson 

-- 
Best Regards,

Brett Delle Grazie

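The setup Brett says does work (mod_auth_kerb authenticating the browser, mod_authnz_ldap doing group authorization over SSL to the global catalogue with a low-privilege account) as an added httpd configuration example; this is not configuration from the thread, and the hostnames, realm, DNs, file paths and bind password are placeholders I have assumed:

```apache
# Added example, not from the thread. Kerberos (SPNEGO) for the browser via
# mod_auth_kerb; AD group authorization via mod_authnz_ldap over LDAPS to the
# global catalog, bound as a read-only service account. All names are placeholders.
LoadModule auth_kerb_module   modules/mod_auth_kerb.so
LoadModule ldap_module        modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

# mod_ldap: pin the AD CA and verify the server certificate, so the bind
# password and group lookups only go to a server that presents a trusted cert.
LDAPTrustedGlobalCert CA_BASE64 /etc/pki/tls/certs/corp-ad-ca.pem
LDAPVerifyServerCert On

<Location /secure>
    # --- authentication: Kerberos via mod_auth_kerb ---
    AuthType Kerberos
    AuthName "Corporate Kerberos Login"
    KrbAuthRealms EXAMPLE.COM
    KrbServiceName HTTP/www.example.com
    # keytab for HTTP/www.example.com; keep it readable by the httpd user only
    Krb5KeyTab /etc/httpd/conf/http.keytab
    KrbMethodNegotiate On
    # no Basic-auth fallback: a password must never cross the wire to httpd
    KrbMethodK5Passwd Off
    KrbSaveCredentials Off

    # --- authorization: AD security group membership via mod_authnz_ldap ---
    # ldaps:// to port 3269 is the global catalog over SSL (3268 is cleartext).
    # mod_auth_kerb sets REMOTE_USER to user@REALM, which matches userPrincipalName.
    AuthLDAPURL "ldaps://gc.example.com:3269/DC=example,DC=com?userPrincipalName?sub?(objectClass=user)"
    # low-privilege, read-only service account; password is a placeholder
    AuthLDAPBindDN "CN=svc-httpd-ldap,OU=Service Accounts,DC=example,DC=com"
    AuthLDAPBindPassword "PLACEHOLDER-BIND-PASSWORD"
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on
    Require ldap-group CN=WebApp-Users,OU=Groups,DC=example,DC=com
</Location>
```

The two points that address the original concern are `LDAPVerifyServerCert On` with a pinned CA (the bind password is only sent to a verified AD server, so it is not exposed to eavesdropping or a spoofed LDAP endpoint) and keeping the bind account read-only and low-privilege, so a leaked `AuthLDAPBindPassword` gives an attacker no more than directory read access. The keytab and the httpd.conf containing the bind password should both be owned by root and readable only by the httpd user.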



RE: [users@httpd] mod_authnz_ldap with kerberos?

Posted by "Assarsson, Emil" <Em...@sonyericsson.com>.
>> I use mod_authnz_ldap today with a simple LDAP bind.
>> Our security team wants me to use Kerberos instead to make it more secure.
>> This will allow them to specify from where the service account can log in and will also protect the credentials from eavesdropping.
>> Is it possible to make mod_authnz_ldap use a keytab instead?
>> Or does anyone have a suggestion for how to solve this in an even better way?
> mod_auth_kerb: http://modauthkerb.sourceforge.net/
> Complex but does work, even with Active Directory.

I am using mod_auth_kerb today to do the actual authentication. I only use mod_authnz_ldap to do the authorization based on AD security groups.
What I need is better security for the LDAP bind mod_authnz_ldap -> AD. Do you mean that I should be able to use the kinit done by mod_auth_kerb?


Best regards,
Emil Assarsson 





Re: [users@httpd] mod_authnz_ldap with kerberos?

Posted by Brett Delle Grazie <br...@intact-is.com>.
Hi,
On Wed, 2010-10-20 at 12:27 +0200, Assarsson, Emil wrote:
> Hi all,
> 
> I use mod_authnz_ldap today with a simple LDAP bind.
> Our security team wants me to use Kerberos instead to make it more secure.
> This will allow them to specify from where the service account can log in and will also protect the credentials from eavesdropping.
> 
> Is it possible to make mod_authnz_ldap use a keytab instead?
> Or does anyone have a suggestion for how to solve this in an even better way?

mod_auth_kerb: http://modauthkerb.sourceforge.net/

Complex but does work, even with Active Directory.

> 
> Best regards
> 
> Emil Assarsson
> Sony Ericsson Mobile Communications AB
> 

-- 
Best Regards,

Brett Delle Grazie
