Mailing List Archive: DAViCal: General
kerberos user authentication
 


w.hanegraaff at openoffice

Mar 16, 2011, 10:35 AM



Hi all,

I've been having some fun with Davical. I was looking for a way to
autoconfigure caldav scheduling in thunderbird lightning with single
signon. Since I already had user accounts in LDAP, authentication in
kerberos, the preferred way was to use kerberos and LDAP in Davical as well.

Luckily, after adding kerberos authentication in apache, and adding

'i_use_mode_kerberos' => 'i_know_what_i_am_doing',

to the authenticate_hook['config array'], it *almost* works (using the
latest debian packages, version 0.9.9.4-1).

The issue that remains is the following. The username returned by apache
in the REMOTE_USER header is the kerberos principal, something like
username@EXAMPLE.COM. However, my ldap configuration uses only the part
before the @ sign as the uid.

As a result, searching in ldap for the value of the REMOTE_USER header
yields zero results in my case. To fix this, I'm now using the
following in my config file:

$c->authenticate_hook['call'] = 'LDAP_KRB_check';

// Strip the Kerberos realm so that the LDAP lookup sees only the uid.
function LDAP_KRB_check($username, $password) {
    // The dot is escaped so that it matches only a literal ".".
    $realm = '/@EXAMPLE\.COM$/';
    $_SERVER["REMOTE_USER"] = preg_replace($realm, "", $_SERVER["REMOTE_USER"]);
    return LDAP_check(preg_replace($realm, "", $username), $password);
}

This works, but is not so pretty.

Are any of you using kerberos/ldap in davical, and how do you deal with
this situation?

Regards,

Wouter
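
Added example, not part of the original post and not DAViCal's own code: a stricter form of the realm-stripping step above, which maps a principal to a uid only when it is a plain user in the one expected realm and rejects everything else instead of passing it through to the LDAP lookup. The helper name krb_principal_to_uid, the realm EXAMPLE.COM and the allowed uid character set are assumptions.

```php
<?php
// Added example (not DAViCal code). krb_principal_to_uid() is a hypothetical
// helper; the realm and the allowed uid characters are assumptions.

/**
 * Map a Kerberos principal such as "alice@EXAMPLE.COM" to an LDAP uid.
 * Returns null unless the principal is a plain user in the expected realm.
 */
function krb_principal_to_uid(string $principal, string $realm): ?string
{
    // Split on the last "@"; everything after it is the realm.
    $at = strrpos($principal, '@');
    if ($at === false || $at === 0) {
        return null;                    // no realm, or empty user part
    }
    $user = substr($principal, 0, $at);
    $got  = substr($principal, $at + 1);

    // Realm names are case-sensitive: compare exactly, without a regex.
    if ($got !== $realm) {
        return null;                    // any other realm is refused
    }
    // Refuse instance principals (user/admin) and any character that would
    // need escaping inside an LDAP search filter.
    if (!preg_match('/\A[a-z0-9._-]{1,64}\z/i', $user)) {
        return null;
    }
    return $user;
}

// Constructed sample principals, not taken from any real system.
$samples = [
    'alice@EXAMPLE.COM',        // expected realm: mapped to "alice"
    'alice@EXAMPLExCOM',        // would match an unescaped "." in the regex
    'alice@OTHER.EXAMPLE.ORG',  // different realm
    'alice/admin@EXAMPLE.COM',  // instance principal
    'al*ce@EXAMPLE.COM',        // LDAP filter wildcard in the user part
];
foreach ($samples as $p) {
    $uid = krb_principal_to_uid($p, 'EXAMPLE.COM');
    printf("%-26s => %s\n", $p, $uid ?? '(rejected)');
}
```

In a hook like LDAP_KRB_check, a null result would be treated as an authentication failure rather than handed to LDAP_check.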
