[389-users] GUI console and Kerberos

Paul Robert Marino prmarino1 at gmail.com
Wed Mar 11 19:06:18 UTC 2015


Correction: it looks like I will need to enable either PAM passthrough,
or, once I actually configure the real Kerberos auth via the module
and not my quick test hack,
I think it may allow forwarding the key via SASL GSSAPI.
But either way this is good; I think I'm well on my way to figuring it out.





On Wed, Mar 11, 2015 at 2:51 PM, Paul Robert Marino <prmarino1 at gmail.com> wrote:
> OK, so here is some progress.
> I manually added my user name and password in
> /etc/dirsrv/admin-serv/admpw using the htpassword command.
> If I put cn=<username> I get ldap error 32: No such object in the
> admin server error log,
> but if I just put my username in, it finds the entry and I get a
> different error, ldap error 48: Inappropriate authentication.
> This is making me wonder if saslauthd may help.
>
> On Wed, Mar 11, 2015 at 2:34 PM, Paul Robert Marino <prmarino1 at gmail.com> wrote:
>> I know it will probably be a little more complex than that, but I think
>> it logically should be one of the steps,
>> although it doesn't explain how "cn=Directory Manager" works.
>> But it makes a lot of sense when you see the 401 error from the login
>> attempt; it comes from the directory specified by
>> "
>> <Location /admin-serv/authenticate>
>>     SetHandler user-auth
>>     AuthUserFile /etc/dirsrv/admin-serv/admpw
>>     AuthType basic
>>     AuthName "Admin Server"
>>     Require valid-user
>>     Order allow,deny
>>     Allow from all
>> </Location>
>> "
>> in /etc/dirsrv/admin-serv/admserv.conf
>>
>>
>>
>>
>> On Wed, Mar 11, 2015 at 2:13 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>>> On 03/11/2015 11:54 AM, Paul Robert Marino wrote:
>>>>
>>>> Hey everyone,
>>>> I have a question. I know at least once in the past I set up the admin
>>>> console so it could utilize Kerberos passwords, based on a howto I
>>>> found once which, after I changed jobs, I could never find again.
>>>>
>>>> Today I was looking for something else and I saw a mention on the site
>>>> about httpd needing to be compiled with http auth support.
>>>> Well, I did a little digging and I found this file:
>>>> /etc/dirsrv/admin-serv/admserv.conf
>>>>
>>>> in that file I found a lot of entries that look like this
>>>> "
>>>> <LocationMatch /*/[tT]asks/[Cc]onfiguration/*>
>>>>    AuthUserFile /etc/dirsrv/admin-serv/admpw
>>>>    AuthType basic
>>>>    AuthName "Admin Server"
>>>>    Require valid-user
>>>>    AdminSDK on
>>>>    ADMCgiBinDir /usr/lib64/dirsrv/cgi-bin
>>>>    NESCompatEnv on
>>>>    Options +ExecCGI
>>>>    Order allow,deny
>>>>    Allow from all
>>>> </LocationMatch>
>>>>
>>>> "
>>>> when I checked /etc/dirsrv/admin-serv/admpw sure enough I found the
>>>> Password hash for the admin user.
>>>>
>>>> So my question is: before I waste time experimenting, could it possibly
>>>> be as simple as changing the auth type to Kerberos?
>>>> http://modauthkerb.sourceforge.net/configure.html
>>>
>>>
>>> I don't know.  I don't think anyone has ever tried it.
>>>
>>>> keep in mind my Kerberos Servers do not use LDAP as the backend.
>>>> --
>>>> 389 users mailing list
>>>> 389-users at lists.fedoraproject.org
>>>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>>>
>>>
>>> --
>>> 389 users mailing list
>>> 389-users at lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/389-users
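
An added example, not part of the thread and not 389 project code: before changing the auth type, it helps to inventory which Location/LocationMatch blocks in admserv.conf still check credentials with basic auth against the admpw file. The sample config is constructed from the two blocks quoted above plus one made-up block without auth; the function names are hypothetical.

```python
import re

# Constructed sample: the two blocks quoted in this thread plus one
# made-up block with no auth directives. Not a full admserv.conf.
SAMPLE_CONF = """\
<Location /admin-serv/authenticate>
    SetHandler user-auth
    AuthUserFile /etc/dirsrv/admin-serv/admpw
    AuthType basic
    AuthName "Admin Server"
    Require valid-user
</Location>
<LocationMatch /*/[tT]asks/[Cc]onfiguration/*>
   AuthUserFile /etc/dirsrv/admin-serv/admpw
   AuthType basic
   AuthName "Admin Server"
   Require valid-user
   Options +ExecCGI
</LocationMatch>
<Location /constructed/no-auth>
    Options -Indexes
</Location>
"""

OPEN = re.compile(r"^<(Location(?:Match)?)\s+(.+?)>$", re.I)
CLOSE = re.compile(r"^</Location(?:Match)?>$", re.I)
AUTH_KEYS = ("authtype", "authuserfile", "authname", "require")

def auth_blocks(conf_text):
    """Return one dict per Location/LocationMatch block with its auth directives."""
    blocks, current = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = OPEN.match(line)
        if opened:
            current = {"kind": opened.group(1), "path": opened.group(2).strip('"')}
        elif CLOSE.match(line) and current is not None:
            blocks.append(current)
            current = None
        elif current is not None:
            parts = line.split(None, 1)
            if len(parts) == 2 and parts[0].lower() in AUTH_KEYS:
                current[parts[0].lower()] = parts[1].strip().strip('"')
    return blocks

def file_backed_basic(conf_text):
    """Paths whose logins are checked with basic auth against a password file."""
    return [b["path"] for b in auth_blocks(conf_text)
            if b.get("authtype", "").lower() == "basic" and "authuserfile" in b]
```

Running `file_backed_basic()` over the real file lists every block that would need to change together, since the thread notes there are many such entries.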