Re: Apache Realms to OD/Kerb




On Aug 12, 2005, at 9:37 AM, Ed Pastore wrote:

> On Aug 11, 2005, at 6:15 PM, Joel Rennich wrote:
>
>> If you create a site at the primary host name of the server with a Kerberos realm, do things work?
>
> Yes, that did work. I made a web host with the same machine name as is used for the OD master (main) and I added a realm to which only I had access. When I hit that realm, I got in, and I saw an http ticket added in my Kerberos tickets. This is consistent with what I would expect, since there is an http record for that host in klist results.
>
> The host for which I am (unsuccessfully) trying to create a realm is on the same machine. In DNS (also local), I have its host name (calendar) as an alias of the primary one (main). The host also has its own, self-signed certificate (intentionally different, because I'd like to buy a signed cert if I get this working).
>
> I've been poring over the OD manual, because I'd like to think I could figure this out myself. But the only references to Apache say that it is a zero-configuration kerberized service. I see nothing about getting additional local hosts into the keytab.
>
> I suppose I could just use a sub-directory of the main host, but I'd really prefer this host to be separate and uniquely named. Still not sure what I'm missing...


1. Put the calendar www share on an IP that reverses to the DNS name that you want to use. This is imperative to get this to work. So create an alias if you want, but get an IP that's going to reverse, and bind the site to that IP. The Apache module determines which Kerberos principal to respond to by reversing the IP.

2. Now you need to generate a new Kerberos principal for the site.

As root, run "kadmin.local".

This will get you the kadmin interface; you can create a new principal here:

addprinc -randkey http/calendar.example.com

and save that principal to your local keytab. This is a touch tougher if you are putting this on a remote machine; this example is if you are local.

ktadd -k /etc/krb5.keytab http/calendar.example.com

3. Now go to Server Admin and enable SSL for the site, which is required for the Kerberos auth, then set up a realm using Kerberos auth.

4. Log in to the realm, look at your client's ticket cache, and you should see a ticket specific to the new http principal.

Joel

www.afp548.com
email@hidden
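The two checks a practitioner would want before step 3 of the procedure above are (a) that the vhost IP really reverses to the vhost name, since the Apache module derives the principal from the PTR record and a CNAME alone will not do, and (b) that the `http/` principal actually landed in the keytab Apache reads. The following is an added example, not code from the thread or from Apple; the host `calendar.example.com`, the realm `EXAMPLE.COM`, the IP `192.0.2.10` and the `klist -k` sample are all constructed for illustration, and the resolver and `kadmin.local` runner are injectable so the checks can be exercised offline.

```python
"""Added pre-flight checks for the kerberized-vhost procedure (example code, not from the thread).
Hostnames, realm, IP and the klist sample below are constructed."""
import re
import socket
import subprocess

# Constructed sample of `klist -k /etc/krb5.keytab` output (MIT krb5 layout),
# as it would look after step 2 has been run for calendar.example.com.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/main.example.com@EXAMPLE.COM
   3 http/main.example.com@EXAMPLE.COM
   2 http/calendar.example.com@EXAMPLE.COM
"""


def http_principal(hostname, realm):
    """Principal Apache will look for: service 'http', lowercase FQDN, uppercase realm."""
    return f"http/{hostname.strip('.').lower()}@{realm.upper()}"


def reverse_matches(ip, expected_host, resolver=socket.gethostbyaddr):
    """Step 1: the vhost IP must reverse to the vhost's own name.

    Only the canonical PTR name counts; an alias pointing at the host is not
    what the module sees when it reverses the IP.  `resolver` is injectable
    (same signature as socket.gethostbyaddr) so the check runs offline.
    """
    try:
        canonical, _aliases, _addrs = resolver(ip)
    except OSError:
        return False
    return canonical.rstrip(".").lower() == expected_host.rstrip(".").lower()


def kadmin_script(hostname, realm, keytab="/etc/krb5.keytab"):
    """Step 2 as a kadmin.local batch: random-key principal, then export to the keytab."""
    princ = http_principal(hostname, realm)
    return f"addprinc -randkey {princ}\nktadd -k {keytab} {princ}\n"


def provision(hostname, realm, keytab="/etc/krb5.keytab", run=subprocess.run):
    """Feed the batch to kadmin.local on the KDC (must be root). `run` is injectable."""
    return run(["kadmin.local"], input=kadmin_script(hostname, realm, keytab),
               text=True, check=True)


def parse_klist(text):
    """Parse `klist -k` output into {principal: highest KVNO present}."""
    entries = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S+@\S+)\s*$", line)
        if m:
            kvno, princ = int(m.group(1)), m.group(2)
            entries[princ] = max(kvno, entries.get(princ, 0))
    return entries


def keytab_has(klist_output, principal):
    """Step 2 check: the new http/ principal must be in the keytab Apache reads."""
    return principal in parse_klist(klist_output)


def preflight(ip, hostname, realm, klist_output, resolver=socket.gethostbyaddr):
    """Run both checks; returns a list of problems (empty means ready for step 3)."""
    problems = []
    if not reverse_matches(ip, hostname, resolver):
        problems.append(f"{ip} does not reverse to {hostname}; fix the PTR record first")
    princ = http_principal(hostname, realm)
    if not keytab_has(klist_output, princ):
        problems.append(f"{princ} is not in the keytab; run kadmin_script() via kadmin.local")
    return problems


if __name__ == "__main__":
    # Offline demo with a constructed PTR answer.  On the real server drop
    # `resolver` and pass subprocess.check_output(["klist", "-k", "/etc/krb5.keytab"], text=True).
    fake_ptr = lambda ip: ("calendar.example.com", [], [ip])
    print(preflight("192.0.2.10", "calendar.example.com", "EXAMPLE.COM", SAMPLE_KLIST, fake_ptr))
```

The batch includes the realm explicitly where Joel's command relies on kadmin's default realm; both name the same principal. If `preflight` reports the PTR problem, the keytab entry alone will not help: the module will still look for `http/<canonical-name>`.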
Macos-x-server mailing list      (email@hidden)