<div dir="ltr"><div><div><div><div>Hello,<br><br></div>This seem well documented, but I can't seem to get it working. Not sure what I am missing.. I will try go over it and hopefully someone may notice why I am failing<br>
<br></div>I got a system enrolled to IPA and its running <br><br>httpd-2.2.15-28.el6.centos.x86_64<br>mod_auth_kerb-5.4-9.el6.x86_64<br>mod_authnz_external-3.2.6-1.el6.x86_64<br><br></div>I initially tried to authenticate against LDAP directly, but it didn't work at all. I believe FreeIPA only use LDAP for authorization and Kerberos for authentication.. Is this observation correct? I mean, can one deal with LDAP directly i this setup.<br>
<br></div><div>For Kerbero, went to the IPA server and generated a key tab<br><br>[root@ipa1-yyz-int wmuriithi]# kinit admin<br>Password for admin@EXAMPLE.LOC:<br>[root@ipa1-yyz-int wmuriithi]# ipa service-add HTTP/git1.example.com@EXAMPLE.LOC<br>
---------------------------------------------------<br>Added service "HTTP/git1.example.com@EXAMPLE.LOC"<br>---------------------------------------------------<br> Principal: HTTP/git1.example.com@EXAMPLE.LOC<br>
Managed by: <a href="http://git1.example.com">git1.example.com</a><br>[root@ipa1-yyz-int wmuriithi]# ipa-getkeytab -s ipa1-yyz-int.example.loc -p HTTP/<a href="http://git1.example.com">git1.example.com</a> -k /tmp/httpd.keytab<br>
Keytab successfully retrieved and stored in: /tmp/httpd.keytab<br>[root@ipa1-yyz-int wmuriithi]# scp /tmp/httpd.keytab root@10.10.10.50:/etc/httpd/conf/<br>The authenticity of host '10.10.10.50 (<no hostip for proxy command>)' can't be established.<br>
RSA key fingerprint is cc:83:9c:95:bf:c6:a0:a4:a0:0a:dd:5a:85:85:bf:1e.<br>Are you sure you want to continue connecting (yes/no)? yes<br>Warning: Permanently added '10.10.10.50' (RSA) to the list of known hosts.<br>
<a href="mailto:root@10.10.10.50">root@10.10.10.50</a>'s password:<br></div><div>[root@ipa1-yyz-int wmuriithi]# scp /tmp/httpd.keytab root@10.10.10.50:/etc/httpd/conf/<br><br><br></div><div>Then from the IPA client 10.10.10.50, I have this basic change, the bottom part is the only pertinent section but posted the whole file in case I have done something silly somewhere else. <br>
<br><br><VirtualHost *:80><br> ServerName <a href="http://git1.example.com">git1.example.com</a><br> ServerAlias git<br> <br><br> DocumentRoot /var/www/git<br> <Directory /var/www/git><br>
Options None<br> AllowOverride none<br> Order allow,deny<br> Allow from all<br> </Directory><br><br> SuexecUserGroup gitolite3 gitolite3<br> # Set up appropriate GIT environments<br>
SetEnv GIT_PROJECT_ROOT /var/lib/gitolite3/repositories<br> SetEnv GIT_HTTP_EXPORT_ALL<br> SetEnv REMOTE_USER=$REDIRECT_REMOTE_USER<br><br> # Set up appropriate gitolite environments<br> SetEnv GITOLITE_HTTP_HOME /var/lib/gitolite3<br>
<br><br> ScriptAlias /git/ /var/www/bin/<a href="http://gitolite-suexec-wrapper.sh/">gitolite-suexec-wrapper.sh/</a><br> ScriptAlias /gitmob/ /var/www/bin/<a href="http://gitolite-suexec-wrapper.sh/">gitolite-suexec-wrapper.sh/</a><br>
<br><Location /git><br># SSLRequireSSL<br> AuthType Kerberos<br> AuthName "Kerberos Login"<br> KrbMethodNegotiate On<br> KrbMethodK5Passwd Off<br> KrbAuthRealms EXAMPLE.LOC<br> Krb5KeyTab /etc/httpd/conf/httpd.keytab<br>
require valid-user<br></Location><br></VirtualHost><br><br></div><div><br></div><div><br> </div><div><div> When I test it with a browser, I get the following error<br><br></div><div>[Mon May 27 12:55:18 2013] [notice] Apache/2.2.15 (Unix) DAV/2 mod_auth_kerb/5.4 configured -- resuming normal operations<br>
[Mon May 27 12:55:38 2013] [error] [client 10.10.10.231] user william: authentication failure for "/git": Password Mismatch<br><br></div><div>I can ssh in to the server with the same account password, so log in details should be fine. All I want to achieve is basic authentication, but I seem to be missing something, <br>
<br></div><div>Any pointers?<br><br></div><div>Regards,<br><br></div><div>William <br></div></div></div>