
Re: Windows svn/tortoise clients with an Apache 2.0.54/AuthenNTLM/svn 1.2.1/Linux server

From: Branko Čibej <brane_at_xbc.nu>
Date: 2005-08-09 12:57:03 CEST

John Szakmeister wrote:

>On Tuesday 09 August 2005 06:28, Branko Čibej wrote:
>
>
>>John Szakmeister wrote:
>>
>>
>>>On Monday 08 August 2005 20:39, Samay wrote:
>>>[snip]
>>>
>>>
>>>
>>>>actually REALM is important if
>>>>a) one is authenticating against multiple AD domains. One needs to know
>>>>user@REALM1 is different from user@REALM2.
>>>>b) specific to AD, user@REALM is the real user ID on AD, hence makes it
>>>>easy to implement access control on Apache, etc.
>>>>c) if AD is configured properly, then user@REALM also is the email
>>>>address.
>>>>
>>>>
>>>But you also lose out on groups with mod_auth_kerb. Kerberos has no
>>>concept of groups. :-(
>>>
>>>
>>Ah, but groups are an authorization concept, not an authentication
>>concept. I've got a setup that uses mod_auth_kerb for authentication,
>>and an ordinary mod_auth group file for group access control. With AD,
>>you can also use ldap for the group filter.
>>
>>
>
>Yeah, I know. :-) You were able to get mod_auth_kerb to run with something
>else? My attempts were unsuccessful (w/Apache 2.0.46, when I tried it). To
>be specific I was trying to use mod_auth_kerb for authentication, and looking
>for a way to use mod_auth_ldap to help with the group part, but I had no such
>luck. I could never get the two to play well together.
>
>
Try AuthLdapAuthoritative off if you want to use ldap just for the group
assignments and let authn be handled by kerberos.

(In my case I use AuthAuthoritative off, and add an AuthGroupFile directive)

-- Brane

Received on Tue Aug 9 12:59:31 2005
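
The split described in the reply above (Kerberos for authentication, an ordinary mod_auth group file for authorization), as an added example that is not part of the original mail or the poster's actual configuration. It uses Apache 2.0-era directive names; the realm, paths, repository location and group name are placeholders, and the group-file variant is shown rather than the LDAP one.

```apache
# Added example: placeholder realm, paths and group name throughout.
<Location /svn>
    DAV svn
    SVNParentPath /srv/svn

    # --- Authentication: handled by mod_auth_kerb ---
    AuthType Kerberos
    AuthName "Subversion"
    KrbAuthRealms EXAMPLE.COM
    Krb5Keytab /etc/httpd/conf/http.keytab
    KrbMethodNegotiate on
    # Do not fall back to prompting for a password over Basic auth.
    KrbMethodK5Passwd off

    # --- Authorization: handled by mod_auth's group file ---
    # mod_auth did not authenticate this user, so it must not be
    # authoritative; it is used here only to resolve "Require group".
    AuthAuthoritative off
    AuthGroupFile /etc/httpd/conf/svn-groups
    Require group svn-developers
</Location>

# Contents of /etc/httpd/conf/svn-groups (constructed sample).
# Members are listed as user@REALM, the form of user ID discussed
# earlier in the thread, so the same short name in two realms
# is never treated as one identity:
#
#   svn-developers: alice@EXAMPLE.COM bob@EXAMPLE.COM
```

Keep the keytab readable only by the account Apache runs as, and keep the group file writable only by administrators, since editing it grants repository access.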

This is an archived mail posted to the Subversion Users mailing list.
