Last updated June 20, 2012 08:05, by lejnar

Apache module mod_auth_gss

mod_auth_gss is an authentication module for Apache based on SPNEGO and GSSAPI. It provides Single Sign-On without prompting for a username and password. The only security mechanism currently supported is Kerberos. The module depends on features in the Solaris implementation of GSSAPI and will therefore currently compile only on Solaris 10 or later. It will not compile on any other Linux/Unix.

The module presented here is the same as in standard Solaris 10, except with some important additions for interoperability with Microsoft's Active Directory. The source code was lifted from the OpenSolaris software repository (link) in August 2010 and then modified. The original version was done by Sun, and the modifications made here are certainly modest.

The features added beyond what is shipped in the standard Solaris 10 version are:

  • The domain name can be stripped off from the returned username.
    • If the Kerberos KDC returns 'johndoe@mydomain.com' then we can strip off '@mydomain.com' so that only 'johndoe' is returned. This is activated via the AuthGSSStripDomainAT directive.
    • If the Kerberos KDC returns 'MYDOMAIN\johndoe' then we can strip off 'MYDOMAIN\' so that only 'johndoe' is returned. This is activated via the AuthGSSStripDomainBS directive.
  • The returned username can be forced to either upper case or lower case. This is activated via the AuthGSSForceCase directive.


These features generally make it a lot easier to use mod_auth_gss with a CMS, Wiki or similar and Active Directory as the authentication server.
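
The username handling described in the list above, sketched as a standalone C function; this is an added example and not code from mod_auth_gss. The function name, the flag arguments, the `force_case` enum and the choice to reject empty or oversized results are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical option values; the module's real directive arguments are not shown on this page. */
enum force_case { CASE_KEEP, CASE_LOWER, CASE_UPPER };

/* Normalize an authenticated name into out (size outlen).
 * Returns 0 on success, -1 if the result would be empty or would not fit. */
int normalize_user(const char *in, int strip_at, int strip_bs,
                   enum force_case fc, char *out, size_t outlen)
{
    const char *start = in;
    size_t len;

    if (strip_bs) {                      /* 'MYDOMAIN\johndoe' -> 'johndoe' */
        const char *bs = strchr(in, '\\');
        if (bs != NULL)
            start = bs + 1;
    }
    len = strlen(start);
    if (strip_at) {                      /* 'johndoe@mydomain.com' -> 'johndoe' */
        const char *at = strchr(start, '@');
        if (at != NULL)
            len = (size_t)(at - start);
    }
    if (len == 0 || len >= outlen)
        return -1;                       /* refuse empty or truncated names */

    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)start[i];
        if (fc == CASE_LOWER) c = (unsigned char)tolower(c);
        else if (fc == CASE_UPPER) c = (unsigned char)toupper(c);
        out[i] = (char)c;
    }
    out[len] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample names; the first and third come from different domains. */
    const char *samples[] = { "johndoe@mydomain.com", "MYDOMAIN\\johndoe",
                              "JohnDoe@other.example", "@mydomain.com" };
    char buf[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = normalize_user(samples[i], 1, 1, CASE_LOWER, buf, sizeof buf);
        printf("%-24s -> %s\n", samples[i], rc == 0 ? buf : "rejected");
    }
    return 0;
}
```

With stripping and case forcing enabled, 'johndoe@mydomain.com' and 'JohnDoe@other.example' both become 'johndoe', so the application behind Apache treats them as one account.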

The module is for Apache 2.x only.



Building from source code

Module configuration

Download

Changes from the original version

Why not mod_auth_kerb ?

Sun Blog about the original version of mod_auth_gss

Change history

To Do list


License

Released under Apache 2.0 license.

I claim no copyright on my modifications to the original version done by Sun. Indeed I would love to see the modifications put back into standard Solaris. If Oracle chooses to do so I do not want to be mentioned/credited.
