[Cialug] apache2 authentication with Windows PDC

Christopher R. Rhodes arreyder at apache.org
Thu Dec 2 13:21:46 CST 2010


> Chris -  You mentioned Kerberos authentication.  Correct me if I'm
> wrong, but from what you described, it looks like you would have to
> export that keytab file every time a user changes.  The goal I'm trying
> to reach here is if a user is terminated on the PDC, that user would
> immediately lose access to the directory in question on the web server.
> I don't want a process to export a file.  Maybe that's not what you are
> suggesting, and if not, please correct me.
> 

Nope, the user you create and its keytab is just to represent/identify the service.  You can disable logins for it.  It
should never change.  Any AD user in the correct group will be able to auth against that service.   It's not really a
"real" user, it's more of a service account.  It works wonderfully.  I've been using it for years in a very big way to
provide SSO for Windows users to some of our internal applications.


The AD keytab business looks something like this:

ktpass -princ HTTP/fqdn-of-webserver.domain.com@SOME.REALM.COM
 -mapuser apache-kerberos-user -crypto rc4-hmac-nt
 -ptype KRB5_NT_SRV_HST -pass SECRET_PASSWORD_GOES_HERE
 -out c:\apache.keytab



crr
arreyder at apache.org
chris at ia.gov
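The web-server side of the setup Chris describes, as an added example that is not part of the original post: an Apache httpd 2.4 configuration that authenticates browsers with the service keytab produced by the ktpass command above and then restricts access to one AD group. It assumes mod_auth_gssapi and mod_authnz_ldap are loaded, that the keytab was copied to /etc/httpd/apache.keytab, and that the realm, hostnames, DNs and group name are placeholders to be replaced with the site's own values.

```apache
# Added example, not from the original post. Assumes mod_auth_gssapi and
# mod_authnz_ldap are loaded and the keytab from ktpass lives at the path
# below. All hostnames, DNs and the group name are placeholders.

<Location "/internal">
    # Kerberos/SPNEGO authentication using the HTTP/ service principal
    AuthType GSSAPI
    AuthName "Corporate SSO"
    GssapiCredStore keytab:/etc/httpd/apache.keytab
    # Accept only Kerberos, never a Basic-auth fallback (passwords in clear)
    GssapiAllowedMech krb5
    GssapiBasicAuth Off
    # Strip "@SOME.REALM.COM" so REMOTE_USER matches the AD sAMAccountName
    GssapiLocalName On

    # Authorisation: look the authenticated user up in AD over LDAPS and
    # require membership in one group. The bind account is the same
    # service account the keytab was mapped to (it needs only read rights).
    AuthLDAPURL "ldaps://dc1.example.com/DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"
    AuthLDAPBindDN "CN=apache-kerberos-user,OU=Service Accounts,DC=example,DC=com"
    AuthLDAPBindPassword "SECRET_PASSWORD_GOES_HERE"
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on

    Require ldap-group CN=Web Users,OU=Groups,DC=example,DC=com
</Location>
```

The LDAP group check is what gives the immediate cut-off the original question asks for. Disabling the account in AD stops the KDC issuing new tickets, but a user who already holds a service ticket for the HTTP/ principal can keep presenting it until that ticket expires, because Apache only validates the ticket against the keytab and never contacts the domain controller. With Require ldap-group, every request also performs a live group lookup, so removing the user from the group (or disabling the account, which AD filters out of the search) takes effect on the next request.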