-----Original Message-----
From: owner-openldap-software@OpenLDAP.org
[mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of
jmarquart@planalytics.com

> You might consider Kerberos - SASL - on the openldap authentication.

Kerberos is certainly an appropriate solution, but I don't think it works
too well for this through SASL. As has already been pointed out on this
thread, there are two separate layers of authentication involved - first,
the browser to the web server, and second, the web server to the
application, on behalf of the browser.

To do this with Kerberos requires the use of forwardable tickets, and I
don't believe SASL/GSSAPI provides any way to request forwardable tickets.

No matter what approach you use, the web server must maintain a cache of
users' credentials to be handed off to each of the target applications.
This is a pain to implement with typical Apache servers since Apache uses
a separate process for every HTTP request. You can't just create some
state info in one process and re-use it automatically, because your next
request will most likely be handled by a different process. If you're
using Perl, there are some nice Session management modules that use
shared memory to overcome this problem. With EmbPerl this detail is
handled transparently.

The problem being discussed here is one of web server design, and has
little to do with OpenLDAP. Further discussion belongs in some other
forum, one dedicated to web application design issues.

I'll give you one hint for free - this is easier to do with cookies than
with any other approach.
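The per-process state problem described in the message above, shown as an added, constructed Python example (not code from the thread or from OpenLDAP, Apache or EmbPerl). It mimics Apache's prefork model by handling a user's two consecutive requests in two different forked child processes: with a plain in-process dict the second process cannot find the session created by the first, while a store reachable from every worker (here a multiprocessing Manager dict standing in for shared memory or a database) does. The browser only ever receives an opaque random token in its cookie; the credentials to be handed on to the back-end applications stay on the server side with an expiry. The class names, the `run_two_requests` and `demo` helpers, and the sample credentials are all assumptions made for this illustration.

```python
"""Session state across worker processes: per-process dict vs. shared store.

Constructed demonstration. Apache (prefork) hands consecutive requests from
the same browser to different child processes, so any credential cache has
to live somewhere all of those processes can reach.
"""
import multiprocessing as mp
import secrets
import time

SESSION_TTL_SECONDS = 600  # assumed lifetime of a cached credential entry


class LocalSessionStore:
    """Naive store: an ordinary dict living inside one worker process."""

    def __init__(self):
        self._sessions = {}

    def create(self, credentials):
        # The cookie carries only this opaque token, never the credentials.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (credentials, time.time() + SESSION_TTL_SECONDS)
        return token

    def lookup(self, token):
        entry = self._sessions.get(token)
        if entry is None:
            return None
        credentials, expires = entry
        if time.time() > expires:          # expired entries are dropped
            del self._sessions[token]
            return None
        return credentials


class SharedSessionStore(LocalSessionStore):
    """Same API, but the dict is served by a Manager process that every
    worker can talk to (a stand-in for shared memory or a session DB)."""

    def __init__(self, manager):
        self._sessions = manager.dict()


def _worker_login(store, credentials, queue):
    """Request 1, handled by child process A: user authenticated, session made."""
    queue.put(store.create(credentials))


def _worker_next_request(store, token, queue):
    """Request 2, handled by child process B: browser presents the cookie."""
    queue.put(store.lookup(token))


def run_two_requests(store, ctx):
    """Run the login in one forked process and the follow-up in another.
    Returns whatever process B found for the token process A issued."""
    queue = ctx.Queue()
    credentials = {"user": "alice", "pw": "constructed-sample-secret"}  # constructed
    p1 = ctx.Process(target=_worker_login, args=(store, credentials, queue))
    p1.start()
    token = queue.get()
    p1.join()
    p2 = ctx.Process(target=_worker_next_request, args=(store, token, queue))
    p2.start()
    result = queue.get()
    p2.join()
    return result


def demo():
    """Returns (result with per-process dict, result with shared store)."""
    ctx = mp.get_context("fork")           # fork: children inherit a copy of memory
    local_result = run_two_requests(LocalSessionStore(), ctx)
    with ctx.Manager() as manager:
        shared_result = run_two_requests(SharedSessionStore(manager), ctx)
    return local_result, shared_result


if __name__ == "__main__":
    local, shared = demo()
    print("per-process dict, seen by second worker:", local)   # None
    print("shared store, seen by second worker:    ", shared)  # the credentials
```

Running `demo()` returns `None` for the per-process dict (process B inherited the parent's empty copy, so the token the browser sends back means nothing to it) and the credentials for the shared store. The expiry check and the use of a random token rather than the credentials themselves are the two details a server-side credential cache of this kind should not omit.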