[pubcookie-users] migrating to pubcookie from mod_ntlm

Bradley Schwoerer schwoerb at doit.wisc.edu
Fri Jun 8 12:21:27 PDT 2007


We are toying with the idea of doing this.  There is one main question that
this touches on for us though.  The portal requests re-authentication; how
do we handle this, e.g., do we force reverting to LDAP authentication?

Something I found encouraging was that Safari and Firefox work on the Mac,
and IE and Firefox work on Win XP.

I compiled mod_auth_kerb-5.3 with the following config statement
"./configure --with-apache=/usr/local/webiso/apache --with-krb4=no
--with-krb5=/usr/kerberos"

The actual module I configured like this in apache:
        AuthType KerberosV5
        require valid-user
        KrbMethodNegotiate on
        KrbMethodK5Passwd off
        KrbAuthoritative on
        KrbAuthRealms LOGINTEST.WISC.EDU
        KrbServiceName HTTP
        Krb5Keytab /location/to/http.keytab

        ErrorDocument 401 /login

/login is another URI we have mapped to the index.cgi.  I found in the
limited testing I did that if a user had a token they would authN to the
Apache location.  If not, the "ErrorDocument 401 /login" would redirect
them to the traditional login form.

The part I do not have hooked up yet is the actual module authentication in
front of pubcookie. This should be easy though, since I had a similar setup
for certs as the authentication in front of pubcookie using the flavor_trust
that I had posted a while ago.


-Bradley
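
Added example (not part of the original post, and not pubcookie or mod_auth_kerb code): when testing a Negotiate setup like the one described above, it helps to know what the browser actually sent in its Authorization header. This sketch classifies a header value as SPNEGO, raw Kerberos, or NTLM (which clients used to mod_ntlm may still send inside Negotiate); the function names and sample tokens are constructed for illustration.

```python
import base64
import binascii

SPNEGO_OID = bytes.fromhex("2b0601050502")      # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")  # 1.2.840.113554.1.2.2

def gss_mech(raw):
    """Mechanism OID bytes from a GSS-API InitialContextToken, or None."""
    if len(raw) < 4 or raw[0] != 0x60:           # [APPLICATION 0] tag
        return None
    pos = 2
    if raw[1] & 0x80:                            # long-form DER length
        pos += raw[1] & 0x7F
    if pos + 2 > len(raw) or raw[pos] != 0x06:   # OBJECT IDENTIFIER tag
        return None
    return raw[pos + 2:pos + 2 + raw[pos + 1]]

def classify_authorization(value):
    """Classify one Authorization header value sent to the protected location."""
    if not value:
        return "none"        # no credentials: the 401 body (/login form) is shown
    scheme, _, blob = value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme in ("basic", "ntlm"):
        return scheme
    if scheme != "negotiate":
        return "other"
    try:
        raw = base64.b64decode(blob.strip(), validate=True)
    except (binascii.Error, ValueError):
        return "malformed"
    if raw.startswith(b"NTLMSSP\x00"):
        return "ntlm"        # NTLM wrapped in Negotiate, not a Kerberos ticket
    return {SPNEGO_OID: "spnego", KRB5_OID: "kerberos"}.get(gss_mech(raw), "malformed")

def sample(oid):
    """Constructed token: GSS header plus zero padding, not captured traffic."""
    body = b"\x06" + bytes([len(oid)]) + oid + b"\x00" * 8
    raw = b"\x60" + bytes([len(body)]) + body
    return "Negotiate " + base64.b64encode(raw).decode()

SAMPLES = {
    "spnego": sample(SPNEGO_OID),
    "kerberos": sample(KRB5_OID),
    "ntlm": "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode(),
    "none": "",
}

if __name__ == "__main__":
    for name, header in SAMPLES.items():
        print(name, "->", classify_authorization(header))
```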


On 6/7/07 5:32 PM, "Nathan Dors" <dors at cac.washington.edu> wrote:

> This isn't supported in the current software, but the concept has
> come up and it should be possible by adding SPNEGO support to the
> login cgi. No one AFAIK has done that yet.
> 
> -Nathan
> 
> 
> On Wed, 6 Jun 2007, Kevin Karwaski wrote:
> 
>> Hi,
>> 
>> I am trying to transition my company to a secure SSO system. We are
>> currently using mod_ntlm to pass workstation credentials to active
>> directory. This is not an ideal approach.
>> 
>> Is it possible to pass windows workstation logon credentials to a
>> pubcookie logon server? Is there a way to tell pubcookie that a valid,
>> existing authenticated session (my workstation logon) exists? This would
>> make for a seamless transition to pubcookie. Perhaps I'm unclear on
>> pubcookie's abilities but I have not been able to verify whether or not
>> this is possible.
>> 
>> Any info would be greatly appreciated!
>> 
>> -Kevin
>> 
>> 
>> 
>> _______________________________________________
>> pubcookie-users mailing list
>> pubcookie-users at u.washington.edu
>> http://mailman1.u.washington.edu/mailman/listinfo/pubcookie-users
>> 