Kerberos authentication module for nginx

Michael Shadle mike503 at gmail.com
Fri May 1 00:08:46 MSD 2009


Yes, I believe it has to be on the domain currently.

However, I would -love- for it to not have that requirement.

I will send the code to you separately and you can give it a go. It
sounds like you have better understanding of how this stuff works.

Of course, I don't know if your company's implementation differs from
mine (it's a Windows 2003 [I believe] Active Directory based off LDAP
and supports Kerberos and NTLM) but the idea of this module was for it
to be released to the community for everyone's benefit. Having no
domain requirement would be an added bonus - perhaps you can examine
it on your boxes. Stay tuned; I will be sending a follow-up email.


On Thu, Apr 30, 2009 at 12:06 PM, Matteo Redaelli <lists at ruby-forum.com> wrote:
> I have used modauthkerb for three years without any problem for
> authenticating users (ca 25000 daily) in my company.
>
> I'll be happy to test your code when available.
>
> But please, what do you mean by "I can't figure out how to get my
> Ubuntu machine on our domain at work, and that is required for this to
> work".
>
> Must the web server be joined to the Windows Domain in order to be able
> to use mod kerb?
>
> With mod_auth_kerb it is not required. You need only to generate a
> KEYTAB with the KTPASS command (see
> http://www.redaelli.org/matteo/binaries/downloads/documents/apache_kerberos_w2003_spnego.pdf
> - sorry for the Italian)
>
> Regards
> m a t t e o . r e d a e l l i  AT gmail.com
>
> Michael Shadle wrote:
>> On Wed, Apr 29, 2009 at 2:09 AM, Matteo Redaelli <lists at ruby-forum.com>
>> wrote:
>>> Ciao
>>>
>>> It would be very useful for intranet web applications to have a Kerberos
>>> Authentication module like the one for apache httpd
>>> (http://modauthkerb.sourceforge.net/) and the lighttpd one
>>> (http://redmine.lighttpd.net/issues/1899).
>>>
>>> Has anyone already implemented it? Is it in the roadmap?
>>
>> I have a developer working on it right now, actually.
>>
>> Once his code is in a functional state I'll want as many people out
>> there to review and try it.
>>
>> It's basically a port of mod_auth_gssapi from Apache, which seemed to
>> have the strongest SPNEGO support.
>>
>> I hired the developer through RentACoder; if anyone feels inclined to
>> pitch in funds to help cover the cost I'd be more than happy to
>> supplement him/cover some of my out of pocket expense (my company did
>> not cover it, I paid for it personally to help nginx advance and my
>> company can benefit from it)
>>
>> Essentially it will do all the Kerberos work and supply REMOTE_USER
>> via the environment to PHP, etc.
>>
>> If you have a good understanding of how it works I'd like your input
>> on it to make sure the developer is creating it in a useful fashion
>> (and/or you can help test) - right now I am stuck as I can't figure
>> out how to get my Ubuntu machine on our domain at work, and that is
>> required for this to work. (It would be great if it didn't have to be
>> on the domain though ... )
>
> --
> Posted via http://www.ruby-forum.com/.
>
>




