[Freeipa-users] Kerberos authentication + LDAP authorization with apache

Rob Crittenden rcritten at redhat.com
Wed Jul 29 17:51:03 UTC 2009


Rob Visser wrote:
> Hello,
> 
> I would like achieve authorization on a kerberised web-page.
> My idea is to use an LDAP query for group membership, i.e. the uid 
> should be a member of a certain group in order to serve out pages.
> 
> Authentication with Kerberos gssapi works well.
> I do not know how to achieve the authorization.
> 
> This is what I tried:
> 
> <Directory "/usr/share/ipa/ipatest">
>  AuthType Kerberos
>  AuthName "Kerberos Login"
>  KrbMethodNegotiate on
>  KrbMethodK5Passwd off
>  KrbServiceName HTTP
>  KrbAuthRealms USN.TIC
>  Krb5KeyTab /etc/httpd/conf/ipa.keytab
>  KrbSaveCredentials on
> AuthzLDAPAuthoritative on
> AuthLDAPUrl ldap://localhost/cn=users,cn=accounts,dc=usn,dc=tic?uid
> Require ldap-group cn=ipausers,cn=groups,cn=accounts,dc=usn,dc=tic
> Require valid-user
> Satisfy all
> 
> </Directory>
> 
> Any help is appreciated.
>

You almost have it. With kerberos, REMOTE_USER is going to be set to the 
principal name (admin@EXAMPLE.COM). You need to tweak your AuthLDAPUrl 
to use krbprincipalname instead of uid and it should work.

rob
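The corrected Directory block as Rob describes it, written out as an added example (not a config from the thread): the attribute in AuthLDAPUrl becomes krbprincipalname so the REMOTE_USER value that mod_auth_kerb sets (user@USN.TIC) matches the FreeIPA user entry. Also note that several Require lines in one section are OR'd, so the original "Require valid-user" next to the ldap-group line would have admitted any authenticated principal regardless of group; it is dropped here.

```apache
<Directory "/usr/share/ipa/ipatest">
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate on
  KrbMethodK5Passwd off
  KrbServiceName HTTP
  KrbAuthRealms USN.TIC
  Krb5KeyTab /etc/httpd/conf/ipa.keytab
  KrbSaveCredentials on

  # mod_auth_kerb sets REMOTE_USER to the full principal, e.g. admin@USN.TIC.
  # Look the user up by krbprincipalname rather than uid so that value matches
  # the FreeIPA user entry and mod_authnz_ldap can resolve its DN.
  AuthLDAPUrl ldap://localhost/cn=users,cn=accounts,dc=usn,dc=tic?krbprincipalname
  AuthzLDAPAuthoritative on

  # Only the group check remains. Multiple Require lines in one section are
  # OR'd, so keeping "Require valid-user" here as well would let any
  # authenticated principal through and silently bypass the group restriction.
  Require ldap-group cn=ipausers,cn=groups,cn=accounts,dc=usn,dc=tic
</Directory>
```

With this in place, a principal that authenticates via Negotiate but is not a member of cn=ipausers gets a 403 rather than the page.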