John Szakmeister wrote:
>On Tuesday 09 August 2005 06:28, Branko Čibej wrote:
>>John Szakmeister wrote:
>>>On Monday 08 August 2005 20:39, Samay wrote:
>>>>actually REALM is important if
>>>>a) one is authenticating against multiple AD domains. One needs to know
>>>>user@REALM1 is different from user@REALM2.
>>>>b) specific to AD, user@REALM is the real user ID on AD, hence makes it
>>>>easy to implement access control on Apache, etc.
>>>>c) if AD is configured properly, then user@REALM also is the email
>>>But you also lose out on groups with mod_auth_kerb. Kerberos has no
>>>concept of groups. :-(
>>Ah, but groups are an authorization concept, not an authentication
>>concept. I've got a setup that uses mod_auth_kerb for authentication,
>>and an ordinary mod_auth group file for group access control. With AD,
>>you can also use ldap for the group filter.
>Yeah, I know. :-) You were able to get mod_auth_kerb to run with something
>else? My attempts were unsuccessful (w/Apache 2.0.46, when I tried it). To
>be specific I was trying to use mod_auth_kerb for authentication, and looking
>for a way to use mod_auth_ldap to help with the group part, but I had no such
>luck. I could never get the two to play well together.
Try AuthLdapAuthoritative off if you want to use ldap just for the group
assignments and let authn be handled by kerberos.
(In my case I use AuthAuthoritative off, and add an AuthGroupFile directive)
Received on Tue Aug 9 12:59:31 2005
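
The group-file setup mentioned in the last message, sketched as an Apache 2.0 configuration. This is an added example, not a configuration posted by anyone in the thread; the location, realm, keytab path, group file path and group name are constructed placeholders. Because mod_auth_kerb passes the full principal on as the user name, group members are listed as user@REALM, which also keeps user@REALM1 and user@REALM2 distinct as described earlier in the thread.

```apache
# Constructed example: Kerberos handles authentication (who the user is),
# a plain mod_auth group file handles authorization (what they may access).
<Location /svn>
    # Authentication: mod_auth_kerb
    AuthType Kerberos
    AuthName "Kerberos Login"
    # Placeholder realm and keytab path
    KrbAuthRealms EXAMPLE.COM
    Krb5Keytab /etc/httpd/conf/http.keytab
    KrbMethodNegotiate on
    KrbMethodK5Passwd on

    # Authorization: mod_auth group file (placeholder path)
    AuthGroupFile /etc/httpd/conf/svn-groups
    # As in the message above: mod_auth is not the final word, so it
    # does not get in the way of authentication done by mod_auth_kerb.
    AuthAuthoritative off

    # Only members of this (placeholder) group are admitted.
    Require group developers
</Location>

# Contents of /etc/httpd/conf/svn-groups (constructed). Members are full
# Kerberos principals, so the same short name in two realms is two users:
#
#   developers: alice@EXAMPLE.COM bob@EXAMPLE.COM
```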