Kerberos凭证未使用mod_auth_kerb / Apache2,Authen :: SASL / perl转发到openldap
[英]Kerberos credentials not forwarded to openldap using mod_auth_kerb/Apache2, Authen::SASL/perl
问题描述
I'm writing a web frontend to manage our company's OpenLDAP server. 
我正在写一个Web前端来管理我们公司的OpenLDAP服务器。 I'm using Perl, Apache2, OpenLDAP, Cyrus SASL. 我正在使用Perl,Apache2,OpenLDAP,Cyrus SASL。
The problem is, I cannot authenticate to OpenLDAP as Kerberos-verified user when using web interface, because my Kerberos credentials are not forwarded, and Apache error log says: 问题是,使用Web界面时,我无法通过Kerberos验证用户身份向OpenLDAP进行身份验证,因为我的Kerberos凭据未转发,并且Apache错误日志显示:
Credentials cache file '/tmp/krb5cc_33' not found
where "33" is the uidNumber for Apache. 其中“ 33”是Apache的uidNumber。 Which makes sense, but doesn't solve the problem. 这是有道理的,但不能解决问题。 Ironically, it all works from outside the realm, because then mod_auth_kerb asks for user name and password, authenticates, caches the tickets, and it all works. 具有讽刺意味的是,这一切都是在领域之外进行的,因为然后mod_auth_kerb询问用户名和密码,进行身份验证,将票证缓存起来,然后一切都可以进行。
I'm using mod_auth_kerb to authenticate to Apache2, and it works fine: password not prompted, protected page displayed to authenticated user (and rejected otherwise). 我正在使用mod_auth_kerb对Apache2进行身份验证,并且工作正常:未提示输入密码,向身份验证的用户显示受保护的页面(否则被拒绝)。 The relevant fragment of config: config的相关片段:
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
AuthType Kerberos
AuthName "Kerberos Login"
KrbAuthRealms EXAMPLE.COM
Krb5Keytab /etc/apache2/HTTP.keytab
KrbServiceName HTTP
KrbSaveCredentials on
require valid-user
</Directory>
Kerberos/GSSAPI/SASL authentication works fine as well, so this code gives OK when run from command line: Kerberos / GSSAPI / SASL身份验证也可以正常工作,因此从命令行运行时,此代码可以确定:
1 #!perl
2 use strict;
3 use warnings;
4 use Net::LDAP;
5 use Authen::SASL;
6
7 my $l = Net::LDAP->new( 'ldap.example.com', onerror=>'die', );
8 my $sasl = Authen::SASL->new(mechanism=>'GSSAPI');
9 $l->bind( sasl=>$sasl );
10
11 print "OK\n";
So, what might be the solution? 那么,什么是解决方案?
1 个解决方案
解决方案1
0 2013-03-17 09:58:10
Web browsers do not forward Kerberos tickets by default. Web浏览器默认情况下不转发Kerberos票证。 (Thankfully! It would be a huge security issue, since the browser would just be handing out your tickets to any web site in your local realm that asked for them.) (非常感谢!这将是一个巨大的安全问题,因为浏览器只会将您的票证分发给您本地域中任何需要这些票证的网站。)
Unfortunately, getting the browser to do so requires some effort. 不幸的是,要使浏览器做到这一点需要付出一些努力。 For example, in Firefox, you have to go into about:config and customize network.negotiate-auth.delegation-uris to add the URLs to which you're willing to delegate tickets. 例如,在Firefox中,您必须进入about:config并自定义network.negotiate-auth.delegation-uris以添加愿意将票证委托给的URL。 (I think there's a similar procedure in IE to mark the web site as part of the trusted domain.) (我认为IE中有一个类似的过程将网站标记为受信任域的一部分。)
Unless you have a lot of control over the browser environment, this is usually a dead end. 除非您对浏览器环境有很多控制权,否则通常这是一个死胡同。 Most people just have the web application authenticate as itself (rather than as the user) and give it general read access. 大多数人只是让Web应用程序以其自身身份(而非用户身份)进行身份验证,并赋予其常规的读取访问权限。 Alternatively, you can use a more comprehensive site-wide web authentication system that supports credential delegation, but that may be overkill for your situation. 或者,您可以使用更全面的站点范围内的Web身份验证系统,该系统支持凭据委派,但是对于您的情况而言可能会显得过高。
Two implementations that do support this are: 支持此功能的两个实现是:
These both are client/server enterprise web authentication systems that require setting up some infrastructure. 这两个都是客户端/服务器企业Web身份验证系统,需要建立一些基础结构。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.