[CentOS] Apache/Active Directory authentication

Thu Mar 24 20:51:44 UTC 2011
Michael B Allen <ioplex at gmail.com>

On Wed, Mar 23, 2011 at 2:35 PM, John Hodrien <J.H.Hodrien at leeds.ac.uk> wrote:
> On Wed, 23 Mar 2011, Michael B Allen wrote:
>
>>> Yes, but using the machine principal you're able to request any number of
>>> service principals that are SERVICENAME/<machinename>.  For this to work
>>> in a
>>> virtual hosting environment, you need multiple machine names (since we're
>>> talking about making a number of HTTP/<blah> principals).  Whilst I
>>> accept
>>
>> The "<machinename>" of the principal does NOT have to match the actual
>> machine name. You could create a User object called "alice" with
>> servicePrincipalName values of HTTP/as1.busicorp.local,
>> HTTP/mycomputer.net and HTTP/test1 and requesting tickets for any of
>> those names will work just fine. AD just searches for an account with
>> a servicePrincipalName value that matches the principal requested for
>> the service ticket.
>>
>> Pedantic note: If you have the same servicePrincipalName value on more
>> than one account, AD will actually choke and not return a ticket at
>> all (because the request is ambiguous), there is no constraint in AD
>> to stop people from accidentally adding the same SPN to multiple
>> accounts and AD will not return any kind of meaningful error about it.
>
> Sure, but if you're not a domain admin, you've only got a machine principal,
> and your own principal (which I can use to join machines to the domain).
> Given those, and *not* a domain admin credential, how do you create those
> principals?

You do kinit -k with the keytab for the machine account and then an
ldap_modify to add servicePrincipalName values for the desired
principals. The machine account has permission sufficient to modify
itself.

Mike

-- 
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/