Comments on: phpLDAPadmin and Kerberos http://left.subtree.org/2007/06/26/phpldapadmin-and-kerberos/ A sourceful of secrets Tue, 06 Jan 2009 01:23:34 +0000 http://wordpress.org/?v=2.7 hourly 1 By: mazsi http://left.subtree.org/2007/06/26/phpldapadmin-and-kerberos/comment-page-1/#comment-1234 mazsi Sat, 05 Jan 2008 08:55:51 +0000 http://left.subtree.org/2007/06/26/phpldapadmin-and-kerberos/#comment-1234 as of phpldapadmin v1.1.0.3: if you set login_dn or login_pass to empty string, and anything other than anonymous bind is being used (as it is in our case) LDAPserver::connect() will refuse to login (it will always return false). so instead of $ldapservers->SetValue($i,'login','dn',''); $ldapservers->SetValue($i,'login','pass',''); use for example this: $ldapservers->SetValue($i,'login','dn','cn=noone'); $ldapservers->SetValue($i,'login','pass','passwd'); (you can set any value here, since you are using GSSAPI they will not be used.) as of phpldapadmin v1.1.0.3: if you set login_dn or login_pass to empty string, and anything other than anonymous bind is being used (as it is in our case) LDAPserver::connect() will refuse to login (it will always return false).

so instead of

$ldapservers->SetValue($i,'login','dn','');
$ldapservers->SetValue($i,'login','pass','');

use for example this:

$ldapservers->SetValue($i,'login','dn','cn=noone');
$ldapservers->SetValue($i,'login','pass','passwd');

(you can set any value here, since you are using GSSAPI they will not be used.)

]]> By: aeb http://left.subtree.org/2007/06/26/phpldapadmin-and-kerberos/comment-page-1/#comment-1126 aeb Mon, 01 Oct 2007 13:44:23 +0000 http://left.subtree.org/2007/06/26/phpldapadmin-and-kerberos/#comment-1126 Hi Ezra, No this will not allow you to create/change Kerberos passwords. This setup just uses Kerberos to authenticate users accessing phpladpadmin. Hope this helps. Hi Ezra, No this will not allow you to create/change Kerberos passwords. This setup just uses Kerberos to authenticate users accessing phpladpadmin. Hope this helps.

]]> By: Ezra Taylor http://left.subtree.org/2007/06/26/phpldapadmin-and-kerberos/comment-page-1/#comment-1124 Ezra Taylor Sat, 29 Sep 2007 20:39:32 +0000 http://left.subtree.org/2007/06/26/phpldapadmin-and-kerberos/#comment-1124 Hello: Will this feature allow me to create/change users Kerberos passwords in phpldapadmin? Hello:
Will this feature allow me to create/change users Kerberos passwords in phpldapadmin?

]]> By: jag http://left.subtree.org/2007/06/26/phpldapadmin-and-kerberos/comment-page-1/#comment-828 jag Wed, 08 Aug 2007 11:21:15 +0000 http://left.subtree.org/2007/06/26/phpldapadmin-and-kerberos/#comment-828 It almost works, except for the last change. Putting the "putenv(KRB5..." line at the top, or anywhere else, in the common.php file did not work, in the phpldapadmin log I could see that GSSAPI still assumed to find the ticket in "/tmp/krb5cc_80" and not in /tmp/krb5cc_apache_XXXXXX where mod_auth_kerb saved it. What does work for me is a changed mod_auth_kerb.c source where you can replace the line: ccname = apr_psprintf(r->pool, "FILE:%s/krb5cc_apache_XXXXXX", P_tmpdir); with: ccname = apr_psprintf(r->pool, "FILE:/tmp/krb5cc_80") ; mod_auth_kerb should offer this as a configurable option I think. It almost works, except for the last change. Putting the "putenv(KRB5..." line at the top, or anywhere else, in the common.php file did not work, in the phpldapadmin log I could see that GSSAPI still assumed to find the ticket in "/tmp/krb5cc_80" and not in /tmp/krb5cc_apache_XXXXXX where mod_auth_kerb saved it.
What does work for me is a changed mod_auth_kerb.c source where you can replace the line:

ccname = apr_psprintf(r->pool, "FILE:%s/krb5cc_apache_XXXXXX", P_tmpdir);

with:

ccname = apr_psprintf(r->pool, "FILE:/tmp/krb5cc_80") ;

mod_auth_kerb should offer this as a configurable option I think.

]]>