Re: Authenticating to LDAP using a HTTP ticket
- From: "Douglas E. Engert" <deengert@xxxxxxx>
- Date: Mon, 09 Mar 2009 09:44:27 -0500
Mikkel Kruse Johnsen wrote:
[...]
Hello,
I have a few more questions.
To get the browsers to forward tickets you need to:
Firefox: Type "about:config" in the Location bar. Type "nego" in the
filter and double-click "network.negotiate-auth.delegation-uris" and
"network.negotiate-auth.trusted-uris" and type in your domain name (in
my example I have "cbs.dk" in both)
IE: You need to change a regedit setting like this:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos
\Domains\CBS.DK]
"KdcNames"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,2e,00,63,00,\
62,00,73,00,2e,00,64,00,6b,00,00,00,00,00
"RealmFlags"=dword:00000006
(KdcNames is your list of kerberos servers)
The above can also be done using the Microsoft ksetup:
C:\>ksetup /ListRealmFlags
Ksetup knows the following realm flags:
0x00 None No Realm Flags
0x01 SendAddress Include IP numbers within tickets.
Useful for solving SOME compatibility issues.
0x02 TcpSupported Indicates that this realm supports TCP.
(as opposed to just UDP)
0x04 Delegate Everyone in this realm is trusted for delegation
0x08 NcSupported This realm supports Name Canonicalization
But this then says IE and any SSPI applications that use Kerberos can
also delegate. This might not be what you want.
Microsoft checks the OK-AS-DELEGATE Kerberos ticket flag, that its KDC
will set for trusted servers. This is an advisory to the client to only
delegate to servers trusted for delegation by the domain admins.
Other versions of Kerberos are starting to add this feature to the
KDC and to the clients. So this whole area is in transition.
(http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/95141.mspx?mfr=true)
RealmFlags tells that it is OK to delegate for the domain "cbs.dk" (of
course, change to your own domain).
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
Settings\ZoneMap\Domains\cbs.dk]
"*"=dword:00000001
This sets "cbs.dk" in trusted zone.
I also had a problem getting this to work and it turned out to be a
problem with "mod_auth_kerb". I had to recompile it, using its internal
GSSAPI support and not MIT Kerberos under RHEL5.
I don't know your setup. If it is not delegating, then recompile with
internal GSSAPI support.
Or use these:
http://yum.cbs.dk/rhel-5Server-x86_64/RPMS/mod_auth_kerb-5.3-6.x86_64.rpm
http://yum.cbs.dk/rhel-5Server-i386/RPMS/mod_auth_kerb-5.3-6.i386.rpm
I'm off for a week, so hope you can get it to work.
Now do this in PHP
if (!isset($_SERVER["KRB5CCNAME"])) {
    return false;
}
putenv("KRB5CCNAME=" . $_SERVER['KRB5CCNAME']);
I often get an error message telling me $_SERVER['KRB5CCNAME'] doesn't
exist (mostly after the first time I view something, disappears when
changing the file).
Not sure what you mean.
$ds = @ldap_connect($this->LdapHost);
@ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
if (($linkId = @ldap_sasl_bind($ds, NULL, NULL, "GSSAPI")) == false) {
    return false;
}
Med Venlig Hilsen / Kind Regards
Mikkel Kruse Johnsen
Adm.Dir.
Linet
Ørholmgade 6 st tv
Copenhagen N
2200 Denmark
Work: +45 21287793
Mobile: +45 21287793
Email: mikkel@xxxxxxxx
IM: mikkel@xxxxxxxx (MSN)
Professional Profile: Healthcare Network Consultant

Sat, 07 03 2009 at 09:47 +0100, Henrik Hodne wrote:
> Hello,
>
> I am in the process of creating a web panel to change LDAP attributes. The
> web panel is currently using mod_auth_kerb to authenticate, which is working
> beautifully. What we need is to authenticate to the LDAP server with that
> ticket. Is that even possible?
>
> -Henrik
> ________________________________________________
> Kerberos mailing list Kerberos@xxxxxxx
> https://mailman.mit.edu/mailman/listinfo/kerberos
--
Douglas E. Engert <DEEngert@xxxxxxx>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
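As an added example (not code from the thread or from mod_auth_kerb), a fuller version of the PHP bind step Mikkel sketches above: it assumes mod_auth_kerb has saved the delegated credentials in a FILE: cache whose path it exports as $_SERVER['KRB5CCNAME'] (KrbSaveCredentials On), and "ldap://ldap.example.com" is a placeholder LDAP URI.

```php
<?php
// Added example, not code from the thread: bind to LDAP with the Kerberos
// ticket mod_auth_kerb saved for this request (needs KrbSaveCredentials On
// and a browser that delegates, as described above). Assumes the cache is a
// FILE: cache exported as $_SERVER['KRB5CCNAME']; the LDAP URI is a placeholder.

function ldap_bind_with_delegated_ticket($ldapUri, &$error)
{
    $error = null;
    $cc = isset($_SERVER['KRB5CCNAME']) ? $_SERVER['KRB5CCNAME'] : '';

    // No cache means the browser did not delegate (or KrbSaveCredentials is
    // off); report that instead of letting the GSSAPI bind fail opaquely.
    if ($cc === '') {
        $error = 'KRB5CCNAME not set: no delegated ticket for this request';
        return null;
    }
    // Accept only a FILE: cache that exists and is readable by the web server
    // user, so the value cannot point the Kerberos library somewhere odd.
    if (!preg_match('#^FILE:(/.+)$#', $cc, $m) || !is_readable($m[1])) {
        $error = 'KRB5CCNAME does not name a readable FILE: cache';
        return null;
    }
    putenv('KRB5CCNAME=' . $cc);

    $ds = ldap_connect($ldapUri);
    if ($ds === false) {
        $error = 'bad LDAP URI';
        return null;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    // GSSAPI bind with the saved ticket; no DN or password is supplied.
    if (!@ldap_sasl_bind($ds, null, null, 'GSSAPI')) {
        $error = 'GSSAPI bind failed: ' . ldap_error($ds);
        ldap_unbind($ds);
        return null;
    }
    return $ds;
}

$ds = ldap_bind_with_delegated_ticket('ldap://ldap.example.com', $err);
if ($ds === null) {
    error_log($err);          // the reason lands in the Apache error log
    http_response_code(403);
    exit;
}
ldap_unbind($ds);             // ldap_modify() etc. would go before this
```

Because the bind runs as the browser user, a missing or unreadable cache is the first thing to check when the panel reports "KRB5CCNAME doesn't exist", and the logged reason distinguishes that case from a real GSSAPI failure.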