[Freeipa-users] Authenticating Apache through FreeIPA
William Muriithi
william.muriithi at gmail.com
Tue May 28 00:21:12 UTC 2013
Hello,
This seems well documented, but I can't seem to get it working. Not sure
what I am missing. I will try to go over it and hopefully someone may notice
why I am failing.
I have a system enrolled in IPA and it's running
httpd-2.2.15-28.el6.centos.x86_64
mod_auth_kerb-5.4-9.el6.x86_64
mod_authnz_external-3.2.6-1.el6.x86_64
I initially tried to authenticate against LDAP directly, but it didn't work
at all. I believe FreeIPA only uses LDAP for authorization and Kerberos for
authentication. Is this observation correct? I mean, can one deal with
LDAP directly in this setup?
For Kerberos, I went to the IPA server and generated a keytab:
[root@ipa1-yyz-int wmuriithi]# kinit admin
Password for admin@EXAMPLE.LOC:
[root@ipa1-yyz-int wmuriithi]# ipa service-add HTTP/git1.example.com@EXAMPLE.LOC
---------------------------------------------------
Added service "HTTP/git1.example.com@EXAMPLE.LOC"
---------------------------------------------------
Principal: HTTP/git1.example.com@EXAMPLE.LOC
Managed by: git1.example.com
[root@ipa1-yyz-int wmuriithi]# ipa-getkeytab -s ipa1-yyz-int.example.loc -p HTTP/git1.example.com -k /tmp/httpd.keytab
Keytab successfully retrieved and stored in: /tmp/httpd.keytab
[root@ipa1-yyz-int wmuriithi]# scp /tmp/httpd.keytab root@10.10.10.50:/etc/httpd/conf/
The authenticity of host '10.10.10.50 (<no hostip for proxy command>)'
can't be established.
RSA key fingerprint is cc:83:9c:95:bf:c6:a0:a4:a0:0a:dd:5a:85:85:bf:1e.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.10.10.50' (RSA) to the list of known hosts.
root@10.10.10.50's password:
[root@ipa1-yyz-int wmuriithi]# scp /tmp/httpd.keytab root@10.10.10.50:/etc/httpd/conf/
Then, on the IPA client 10.10.10.50, I have this basic change. The bottom
part is the only pertinent section, but I posted the whole file in case I have
done something silly somewhere else.
<VirtualHost *:80>
    ServerName git1.example.com
    ServerAlias git
    DocumentRoot /var/www/git

    <Directory /var/www/git>
        Options None
        AllowOverride none
        Order allow,deny
        Allow from all
    </Directory>

    SuexecUserGroup gitolite3 gitolite3

    # Set up appropriate GIT environments
    SetEnv GIT_PROJECT_ROOT /var/lib/gitolite3/repositories
    SetEnv GIT_HTTP_EXPORT_ALL
    SetEnv REMOTE_USER=$REDIRECT_REMOTE_USER

    # Set up appropriate gitolite environments
    SetEnv GITOLITE_HTTP_HOME /var/lib/gitolite3

    ScriptAlias /git/ /var/www/bin/gitolite-suexec-wrapper.sh/
    ScriptAlias /gitmob/ /var/www/bin/gitolite-suexec-wrapper.sh/

    <Location /git>
        # SSLRequireSSL
        AuthType Kerberos
        AuthName "Kerberos Login"
        KrbMethodNegotiate On
        KrbMethodK5Passwd Off
        KrbAuthRealms EXAMPLE.LOC
        Krb5KeyTab /etc/httpd/conf/httpd.keytab
        require valid-user
    </Location>
</VirtualHost>
When I test it with a browser, I get the following error:
[Mon May 27 12:55:18 2013] [notice] Apache/2.2.15 (Unix) DAV/2 mod_auth_kerb/5.4 configured -- resuming normal operations
[Mon May 27 12:55:38 2013] [error] [client 10.10.10.231] user william: authentication failure for "/git": Password Mismatch
I can ssh into the server with the same account password, so the login
details should be fine. All I want to achieve is basic authentication, but
I seem to be missing something.
Any pointers?
Regards,
William