Re: Kerberos experiences? [message #166474 is a reply to message #166333] |
Sun, 18 December 2011 01:45 |
|
ShineOn
Messages: 53 Registered: July 2011
Karma:
|
Member |
|
|
max wrote on Wed, 16 November 2011 12:29I was wondering if anybody has any experience getting FUDForum to authenticate users via Kerberos? A preliminary search didn't turn up much on the forum or on the wiki.
I am open to rolling my own plugin of some sort -- my particular use case involves Kerberos authentication against an LDAP (Active Directory) user database -- but I was wondering first if anybody has already looked at Kerberos integration, or has any thoughts on how easy/hard it would be to implement.
Apparently there is an old phpBB plugin (now unmaintained) for single sign-on via Kerberos/LDAP (http://phpbb.com/community/viewtopic.php?f=70&t=1620325&p=9732515) -- that might be a reasonable place to start, as far as how to implement (ignoring all the phpBB-specific bits). Are you looking to authenticate users against AD, or are you looking for SSO capability, such that AD-authenticated users would automagically be authenticated to FUD using their logged-in identities?
Kerberizing a web application isn't all that simple. LDAP auth is relatively easy, but for the web app to do kerberos authentication it has to be able to talk to the KDC, so it needs to know the realm and has to be able to find the KDC. It needs a user ID in the realm that it can handle whatever Kerberos needs for the type of authentication you want to do, whether it's checking to see if a logged-in user has a valid ticket or it's obtaining a TGT so it can grant an auth ticket to the user.
If you're using Linux on the server side, there may be PAM modules that will help. You may need to use nsswitch. If you're using Apache, there is a kerberos authentication module that you might be able to leverage.
There are a lot of resources out there for how to kerberize a web site. Google is your friend. The trick is to find instructions that specifically speak to using MS Active Directory as the Kerberos KDC and LDAP server. Many will discuss using OpenLDAP and Heimdal or MIT Kerberos 5.
[Updated on: Sun, 18 December 2011 01:59] Report message to a moderator
|
|
|