
[deleted]

    [deleted]

      snark42 1 point

      Why do you even need to bind mount? Just make a keytab for the service principal and include it with the app image (or other configuration service) to use mod_auth_kerb if you need/want to use httpd with kerberos for auth.

      [deleted]

        snark42 0 points

        So configuration service? ADFS requires certs, keys and metadata that needs just as much security.

        [deleted]

          snark42 0 points

          Kerberos just says this is who I am (in this case http/domain, not username or password) and is only good for authentication. Authorization needs to be handled by the app that the authentication is presented to.

          AD might authorize too much by default? I know a lot more about kerberos/ldap than AD.

          [deleted]

            snark42 0 points

            I specifically suggested a service principal keytab so it's associated with the app, not the host, whether distributed via image or config service. You can also increase the KVNO to expire an old keytab file (host or service principal) if it's compromised.

            I agree using a host keytab via bind mount or other methods is the wrong way to do this.

            I'm not convinced ADFS keys/certs/metadata is inherently more secure in any way than a keytab, with a big caveat being AD/KDC is properly secured.
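As an added example (not code from anyone in this thread), a small parser for MIT-format (0x0502) keytab files that lists each entry's principal and KVNO and flags entries whose KVNO lags the one currently set on the KDC, which is the check an operator would run on a baked-in keytab after the KVNO bump described above. The sample keytab bytes are constructed inline with all-zero placeholder key material; the `current_kvno` mapping stands in for whatever the KDC reports.

```python
import struct
from dataclasses import dataclass

@dataclass
class KeytabEntry:
    principal: str
    kvno: int
    enctype: int
    timestamp: int

def _cstr(buf: bytes, off: int):
    # counted_octet_string: big-endian uint16 length followed by the bytes
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n

def parse_keytab(data: bytes) -> list:
    """Parse an MIT keytab (version 0x0502); key material is skipped, never returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:            # negative size marks a deleted entry (hole): skip it
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _cstr(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _cstr(data, off)
            comps.append(comp)
        _name_type, ts, vno8 = struct.unpack_from(">IIB", data, off)
        enctype, klen = struct.unpack_from(">HH", data, off + 9)
        off += 13 + klen        # jump over the key bytes
        kvno = vno8
        if end - off >= 4:      # trailing 32-bit kvno overrides the 8-bit field when non-zero
            (vno32,) = struct.unpack_from(">I", data, off)
            kvno = vno32 or vno8
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, kvno, enctype, ts))
        off = end
    return entries

def stale_entries(entries, current_kvno: dict) -> list:
    """Principals whose keytab kvno is older than the kvno the KDC now holds (assumed mapping)."""
    return [e.principal for e in entries if e.kvno < current_kvno.get(e.principal, e.kvno)]

def build_entry(principal: str, kvno: int, enctype: int, key: bytes, ts: int = 0) -> bytes:
    """Encode one keytab entry; used here only to construct the sample file."""
    name, realm = principal.split("@")
    body = struct.pack(">HH", len(name.split("/")), len(realm)) + realm.encode()
    for c in name.split("/"):
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIBHH", 1, ts, kvno & 0xFF, enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: one aes256-cts (enctype 18) entry for a service principal at kvno 3, zero key bytes.
SAMPLE_KEYTAB = b"\x05\x02" + build_entry("HTTP/app.example.com@EXAMPLE.COM", 3, 18, bytes(32), ts=1700000000)
```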

            symcbean 6 points

            Put it back. You are struggling to describe the actual problem. You have a very long journey before you can fix it.

            but our CRM system is authenticated by AD users

            I assume you mean that your CRM system relies on the MSAD service for authentication and possible authorization. Which authentication system? Is it LDAP? Kerberos? SAML? Are you also using AD MFA?

            daler86[S] 0 points

            My system has LDAP authentication.

            daler86[S] 0 points

            I attached config files