X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=INSTALL;h=6322039d8c0d52f5d5a78c737a5854b9b9c9251c;hb=8cd1c3fe01d71282c52e3c2661f14024ddda08ea;hp=3459469efb3e247026a48ed5085a70da6457fc55;hpb=7ca2f662d808b59a2e6f1c2cb5e6de6c50eeef06;p=mod_auth_kerb.cvs%2F.git diff --git a/INSTALL b/INSTALL index 3459469..6322039 100644 --- a/INSTALL +++ b/INSTALL @@ -81,6 +81,12 @@ used for. To create the account you can use standard AD tools. Make sure that the user account has "Password never expires" set and write down the password you set for the account (you will need it later). +When using ticket based authentication (KrbMethodNegotiate) and also wanting +to save the ticket (KrbSaveCredentials), the user account for the Kerberos +principal must have the option "Account is trusted for delegation" set. This +enables to user account to delegate the tickets to the server for further +authentication. + If you want to kerberize additional hosts you need to create one user account per each kerberized host. @@ -169,6 +175,12 @@ First make sure your Mozilla distribution contains the Negotiateauth component included in versions 1.7beta and later on Unix platforms including Mac OSX, maybe 1.8 and later on Windows.) +Next, you have to specify URL's for which it is allowed to use the Negotiate +authentication method. It's done by setting the +network.negotiate-auth.trusted-uris preference. In order to set it, just type +"about:config" in the URL bar and then set the value of +"network.negotiate-auth.trusted-uris" to "https://secured.webserver.name". + If you want to find out what happens in the Negotiateauth component use following environment variables: NSPR_LOG_MODULES=negotiateauth:5 
@@ -176,12 +188,16 @@ following environment variables: before starting Mozilla. You will see debugging messages logged in the file specified by NSPR_LOG_FILE (/tmp/negotiateauth.log) +KDE Konqueror +------------- +http://www.grolmsnet.de/kerbtut/konqueror.html + 6. Access control ----------------- If you want only particular users to be able to access the secured area, you can list their principal names in the appropriate Require directive. They must be full Kerberos names, including the REALM part. For example: - Require kouril@REALM.COM kouril REALM.CZ + Require user kouril@REALM.COM The user's name is put by Apache in the REMOTE_USER environment variable so that it could be used by cgi-bin scripts.
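Review bot: In the paragraph added at INSTALL line 84, "This enables to user account to delegate the tickets" has a typo and should read "This enables the user account to delegate the tickets". The paragraph also says "the user account for the Kerberos principal" without saying which account is meant; since the preceding context is about the account created with the AD tools for the service, it would help to say so explicitly. Because the option lets that account receive delegated tickets, I would also add a sentence saying that "Account is trusted for delegation" is only needed when both KrbMethodNegotiate and KrbSaveCredentials are in use and should be left unset otherwise.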
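Review bot: The paragraph added at INSTALL line 178 gives a single example value, "https://secured.webserver.name", for network.negotiate-auth.trusted-uris but does not say what form the value takes when more than one server is needed, or that the example is a placeholder to be replaced with the reader's own server. Please state the expected format and tell readers to list only the servers they actually intend to authenticate to, since this preference is what decides where the browser is allowed to use Negotiate. Minor: "URL's" should be "URLs", and "use following environment variables" in the surrounding text would read better as "use the following".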
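Review bot: In the access control section of the last hunk, the new example "Require user kouril@REALM.COM" fixes the missing "user" keyword but now shows only one principal, while the sentence above it still says "you can list their principal names" and the removed line listed two. Consider keeping a second fully qualified principal in the example so readers can see how several names go on one Require line and that each needs its REALM part. Separately, the new "KDE Konqueror" section consists of a bare external link; a one-sentence summary of what has to be configured would keep the INSTALL file usable if that page moves.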