
Mailing List Archive: DAViCal: General

kerberos user authentication

 

 



w.hanegraaff at openoffice

Mar 16, 2011, 10:35 AM

Post #1 of 2 (221 views)
kerberos user authentication

Hi all,

I've been having some fun with Davical. I was looking for a way to
autoconfigure caldav scheduling in thunderbird lightning with single
signon. Since I already had user accounts in LDAP, authentication in
kerberos, the preferred way was to use kerberos and LDAP in Davical as well.

Luckily, after adding kerberos authentication in apache, and adding

'i_use_mode_kerberos' => 'i_know_what_i_am_doing',

to the authenticate_hook['config array'], it *almost* works (using the
latest debian packages, version 0.9.9.4-1).

The issue that remains is the following. The username returned by apache
in the REMOTE_USER header is the kerberos principal, something like
username@EXAMPLE.COM. However, my ldap configuration uses only the part
before the @ sign as the uid.

As a result, searching in ldap for the value of the REMOTE_USER header
yields zero results in my case. To fix this, I'm now using the
following in my config file:

$c->authenticate_hook['call'] = 'LDAP_KRB_check';

// Strip the Kerberos realm so that the LDAP lookup sees only the uid.
function LDAP_KRB_check( $username, $password ) {
    // The dot is escaped so that only the literal realm EXAMPLE.COM matches.
    $_SERVER["REMOTE_USER"] = preg_replace( "/@EXAMPLE\.COM$/",
        "", $_SERVER["REMOTE_USER"] );
    return LDAP_check( preg_replace( "/@EXAMPLE\.COM$/",
        "", $username ), $password );
}

This works, but is not so pretty.

Are any of you using kerberos/ldap in davical, and how do you deal with
this situation?

Regards,

Wouter
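
As an added example (not part of the original post and not DAViCal's own code), here is a stricter variant of the hook above: it maps a principal to an LDAP uid only when the realm is on an explicit allowlist, so a principal from any other realm is refused instead of being passed through to the LDAP search. The function names and the allowlist constant are hypothetical; LDAP_check and the authenticate_hook setting come from the post, and it is assumed that returning false from the hook denies the login.

```php
<?php
// Added example. Hypothetical names: KRB_ALLOWED_REALMS,
// krb_principal_to_uid, LDAP_KRB_check_strict.
const KRB_ALLOWED_REALMS = ['EXAMPLE.COM'];   // assumption: the one trusted realm

/**
 * Map a Kerberos principal to an LDAP uid, or return null to refuse it.
 * Only "primary@REALM" with an allowlisted realm is accepted.
 */
function krb_principal_to_uid(string $principal, array $realms = KRB_ALLOWED_REALMS): ?string
{
    // Split on the last "@": the realm is whatever follows it.
    $at = strrpos($principal, '@');
    if ($at === false || $at === 0) {
        return null;    // no realm, or empty primary: refuse rather than guess
    }
    $primary = substr($principal, 0, $at);
    $realm   = substr($principal, $at + 1);

    // Realm names are case-sensitive; compare exactly, with no regex involved.
    if (!in_array($realm, $realms, true)) {
        return null;    // a principal from another realm
    }
    // Refuse instance principals (user/admin) and anything that is not a plain
    // account name; this also keeps LDAP filter metacharacters out of the uid.
    if (!preg_match('/\A[A-Za-z0-9._-]{1,64}\z/', $primary)) {
        return null;
    }
    return $primary;
}

// Drop-in for the hook from the post; only called inside DAViCal.
function LDAP_KRB_check_strict($username, $password)
{
    $uid = krb_principal_to_uid((string) $username);
    if ($uid === null) {
        return false;   // assumption: false from the hook denies the login
    }
    $_SERVER['REMOTE_USER'] = $uid;
    return LDAP_check($uid, $password);   // LDAP_check as used in the post
}

// Constructed sample principals, printed with the uid each one maps to.
foreach (['wouter@EXAMPLE.COM', 'wouter@EXAMPLExCOM', 'wouter@OTHER.ORG',
          'wouter/admin@EXAMPLE.COM', 'wouter'] as $p) {
    printf("%-26s => %s\n", $p, var_export(krb_principal_to_uid($p), true));
}
```

The bare name in the last sample is refused on purpose: if Apache is already stripping the realm, this hook is not the place to accept it a second time.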


benp at reed

Mar 16, 2011, 10:58 AM

Post #2 of 2 (223 views)
kerberos user authentication [In reply to]

* Wouter Hanegraaff <w.hanegraaff at openoffice.nl> [20110316 10:50]:
> Hi all,
>
> I've been having some fun with Davical. I was looking for a way to
> autoconfigure caldav scheduling in thunderbird lightning with single
> signon. Since I already had user accounts in LDAP, authentication in
> kerberos, the preferred way was to use kerberos and LDAP in Davical as well.
>
> Luckily, after adding kerberos authentication in apache, and adding
>
> 'i_use_mode_kerberos' => 'i_know_what_i_am_doing',
>
> to the authenticate_hook['config array'], it *almost* works (using the
> latest debian packages, version 0.9.9.4-1).
>
> The issue that remains is the following. The username returned by apache
> in the REMOTE_USER header is the kerberos principal, something like
> username@EXAMPLE.COM. However, my ldap configuration uses only the part
> before the @ sign as the uid.
>
> As a result, searching in ldap for the value of the REMOTE_USER header
> yields zero results in my case. To fix this, I'm now using the
> following in my config file:
>
> $c->authenticate_hook['call'] = 'LDAP_KRB_check';
>
> // Strip the Kerberos realm so that the LDAP lookup sees only the uid.
> function LDAP_KRB_check( $username, $password ) {
>     // The dot is escaped so that only the literal realm EXAMPLE.COM matches.
>     $_SERVER["REMOTE_USER"] = preg_replace( "/@EXAMPLE\.COM$/",
>         "", $_SERVER["REMOTE_USER"] );
>     return LDAP_check( preg_replace( "/@EXAMPLE\.COM$/",
>         "", $username ), $password );
> }
>
> This works, but is not so pretty.
>
> Are any of you using kerberos/ldap in davical, and how do you deal with
> this situation?
>
> Regards,
>
> Wouter

The version of mod_auth_kerb that comes with Debian Squeeze (5.4-1)
offers this option:

KrbLocalUserMapping on

Using this option would likely resolve your issue.

Ben

--
________________________________________________________________________
PGP (318B6A97): 3F23 EBC8 B73E 92B7 0A67 705A 8219 DCF0 318B 6A97
