Ok, I'm going to try the Kerberos way. It may take me a bit - I gotta find something to eat here :) I already have mod_auth_kerb showing up on my phpinfo(), so that's one thing down w00t<br><br clear="all">Tim Champion<br>
<a href="mailto:timchampion@gmail.com">timchampion@gmail.com</a><br>
<br><br><div class="gmail_quote">On Thu, Dec 2, 2010 at 1:30 PM, Jeffrey Ollie <span dir="ltr"><<a href="mailto:jeff@ocjtech.us">jeff@ocjtech.us</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div class="im">On Thu, Dec 2, 2010 at 1:21 PM, Christopher R. Rhodes<br>
<<a href="mailto:arreyder@apache.org">arreyder@apache.org</a>> wrote:<br>
><br>
>> Chris - You mentioned Kerberos authentication. Correct me if I'm<br>
>> wrong, but from what you described, it looks like you would have to<br>
>> export that keytab file every time a user changes. The goal I'm trying<br>
>> to reach here is if a user is terminated on the PDC, that user would<br>
>> immediately lose access to the directory in question on the web server.<br>
>> I don't want a process to export a file. Maybe that's not what you are<br>
>> suggesting, and if not, please correct me.<br>
>><br>
><br>
> Nope, the user you create and its keytab is just to represent/identify the service. You can disable logins for it. It<br>
> should never change. Any AD user in the correct group will be able to auth against that service. It's not really a<br>
> "real" user it's more of a service account. It works wonderfully. I've been using it for years in a very big way to<br>
> provide SSO for windows users to some of our internal applications.<br>
><br>
><br>
> The AD keytab business looks something like this:<br>
><br>
> ktpass -princ HTTP/fqdn-of-webserver.domain.com@SOMEREALM.COM<br>
> -mapuser apache-kerberos-user -crypto rc4-hmac-nt<br>
> -ptype KRB5_NT_SRV_HST -pass SECRET_PASSWORD_GOES_HERE<br>
> -out c:\apache.keytab<br>
<br>
</div>+1 on the Kerberos authentication. It works great for me at work and<br>
if you're using IE as the browser you won't even have to enter a<br>
username/password.<br>
<br>
The only issue that I have had is that I needed to make sure that my<br>
Kerberos service principal used the fully qualified hostname of the<br>
server rather than whatever hostname the web site was using (which<br>
could be different depending on if you are using virtual hosts). The<br>
only other thing that Kerberos authentication won't do for you is to<br>
limit access to groups of AD users.<br>
<font color="#888888"><br>
--<br>
Jeff Ollie<br>
</font><div><div></div><div class="h5">_______________________________________________<br>
Cialug mailing list<br>
<a href="mailto:Cialug@cialug.org">Cialug@cialug.org</a><br>
<a href="http://cialug.org/mailman/listinfo/cialug" target="_blank">http://cialug.org/mailman/listinfo/cialug</a><br>
</div></div></blockquote></div><br>
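An Apache-side configuration to pair with the keytab produced by the ktpass command above, added here as an example rather than anything posted in the thread. It uses mod_auth_kerb for the SPNEGO login and mod_authnz_ldap for the AD group restriction that Jeff notes Kerberos alone will not give you; the keytab path, the realm SOMEREALM.COM, the LDAP DNs and the group name are assumptions.

```apacheconf
# Added example (not from the thread): Apache 2.2 vhost fragment for AD SSO.
# Assumed values: keytab path, realm SOMEREALM.COM, LDAP DNs, group name.
LoadModule auth_kerb_module modules/mod_auth_kerb.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

<VirtualHost *:443>
    # Must be the server's FQDN: it has to match the SPN in the keytab,
    # not whatever alias a virtual host happens to answer to.
    ServerName fqdn-of-webserver.domain.com

    <Directory "/var/www/restricted">
        AuthType Kerberos
        AuthName "Kerberos Login"
        KrbAuthRealms SOMEREALM.COM
        # SPN from the ktpass command: HTTP/fqdn-of-webserver.domain.com@SOMEREALM.COM
        KrbServiceName HTTP/fqdn-of-webserver.domain.com
        # Keytab copied from the Windows host; make it readable only by the httpd user
        Krb5Keytab /etc/httpd/apache.keytab
        # SPNEGO only: never fall back to prompting for the AD password over HTTP
        KrbMethodNegotiate On
        KrbMethodK5Passwd Off
        # Strip @SOMEREALM.COM so REMOTE_USER is the sAMAccountName for the LDAP lookup
        KrbLocalUserMapping On

        # Kerberos authenticates the user; the group restriction is done by
        # looking the authenticated user up in AD on each request. The filter
        # also excludes accounts whose userAccountControl has the ACCOUNTDISABLE
        # bit (0x2) set, so a user disabled on the DC stops matching.
        AuthLDAPURL "ldap://dc.domain.com/DC=domain,DC=com?sAMAccountName?sub?(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
        AuthLDAPBindDN "CN=apache-ldap-reader,CN=Users,DC=domain,DC=com"
        AuthLDAPBindPassword "placeholder-bind-password"
        AuthLDAPGroupAttribute member
        AuthLDAPGroupAttributeIsDN on
        AuthzLDAPAuthoritative on
        Require ldap-group CN=WebApp-Users,CN=Users,DC=domain,DC=com
    </Directory>
</VirtualHost>
```

A Kerberos service ticket that has already been issued stays valid until it expires, so disabling the AD account does not by itself revoke an active session; the per-request LDAP check (subject to mod_ldap's cache settings) is what gives the prompt lockout the thread is after.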