[CalendarServer-users] Kerberos Authentication

Cyrus Daboo cdaboo at apple.com
Mon Sep 18 11:30:18 PDT 2006


Hi Guido,

--On September 18, 2006 8:04:37 PM +0200 Guido Guenther <agx at sigxcpu.org> 
wrote:

> I had little luck setting up kerberos authentication with caldavd. All
> my experiments indicate that the authkerb.py isn't even being looked at.
> Any hints on how to make kerberos available as an authenticator to
> twisted?

1) Make sure you have the latest trunk - there were a bunch of recent 
changes that affect authentication.

2) To enable different types of authentication you need to modify the 
bin/caldavd file. Attached is a patch to do this. Note that there are two 
ways to use Kerberos authentication. One uses HTTP Basic to get a user 
id/pswd and then does Kerberos on the server to verify those (proxy 
authentication). The other uses the HTTP Negotiate authentication mechanism 
to do GSSAPI directly. The patch has both listed, but the negotiate lines 
are commented out. If you want negotiate, comment out the basic lines, and 
uncomment the negotiate ones. You will also have to adjust the realm info 
provided to the factory object.



-- 
Cyrus Daboo
-------------- next part --------------
Index: bin/caldavd 
===================================================================
--- 
bin/caldavd	(revision 119)
+++ bin/caldavd	(working copy)
@@ -359,6 +359,8 
@@
 from twisted.web2.dav             import davxml, auth
 from 
twisted.web2.server          import Site
 from twisted.web2.channel.http 
import HTTPFactory
+from twistedcaldav.authkerb       import 
BasicKerberosCredentialFactory, BasicKerberosCredentialsChecker
+from 
twistedcaldav.authkerb       import NegotiateCredentialFactory, 
NegotiateCredentialsChecker
 
 if dossl:
     from 
twisted.application.internet import SSLServer
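
Review bot: The two added `from twistedcaldav.authkerb import ...` lines are unconditional, unlike the `if dossl:` import directly below them, so every caldavd start now depends on authkerb importing cleanly even for a deployment that does not use Kerberos. Import only the pair (Basic or Negotiate) that is actually registered in the next hunk, and guard that import behind a configuration switch the way the SSL import is guarded.
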
@@ -374,9 +376,11 @@
 parent 
= IServiceCollection(application)
 
 portal = Portal(auth.DavRealm()) 
-portal.registerChecker(auth.TwistedPropertyChecker()) 
+portal.registerChecker(BasicKerberosCredentialsChecker()) 
+#portal.registerChecker(NegotiateCredentialsChecker())
 
-credentialFactories = (basic.BasicCredentialFactory(""),) 
+credentialFactories = 
(BasicKerberosCredentialFactory("krbtgt/EXAMPLE.COM at EXAMPLE.COM", 
"EXAMPLE.COM"),)
+#credentialFactories = 
(NegotiateCredentialFactory("http at examaple.com"),)
 
 loginInterfaces = 
(auth.IPrincipal,)
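
Review bot: `BasicKerberosCredentialFactory` is installed here without reference to `dossl`, so when SSL is off the user's Kerberos password travels in an HTTP Basic header over plain HTTP; register the Basic pair only when `dossl` is set, or make the Negotiate pair the default. The hunk also replaces `auth.TwistedPropertyChecker()` instead of registering an additional checker, which removes the existing login path, and it hard-codes the principal and realm (`EXAMPLE.COM`) in the launcher where they would be better read from configuration. The commented-out Negotiate line spells the host `examaple.com`, which is inconsistent with the `EXAMPLE.COM` placeholder used just above it.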
 

