[Freeipa-users] Authenticating Apache through FreeIPA

William Muriithi william.muriithi at gmail.com
Tue May 28 00:21:12 UTC 2013


Hello,

This seems well documented, but I can't seem to get it working.  Not sure
what I am missing.  I will try to go over it and hopefully someone may notice
why I am failing.

I got a system enrolled to IPA and it's running

httpd-2.2.15-28.el6.centos.x86_64
mod_auth_kerb-5.4-9.el6.x86_64
mod_authnz_external-3.2.6-1.el6.x86_64

I initially tried to authenticate against LDAP directly, but it didn't work
at all.  I believe FreeIPA only uses LDAP for authorization and Kerberos for
authentication.  Is this observation correct?  I mean, can one deal with
LDAP directly in this setup?

For Kerberos, I went to the IPA server and generated a keytab

[root@ipa1-yyz-int wmuriithi]# kinit admin
Password for admin@EXAMPLE.LOC:
[root@ipa1-yyz-int wmuriithi]# ipa service-add HTTP/git1.example.com@EXAMPLE.LOC
---------------------------------------------------
Added service "HTTP/git1.example.com@EXAMPLE.LOC"
---------------------------------------------------
  Principal: HTTP/git1.example.com@EXAMPLE.LOC
  Managed by: git1.example.com
[root@ipa1-yyz-int wmuriithi]# ipa-getkeytab -s ipa1-yyz-int.example.loc -p HTTP/git1.example.com -k /tmp/httpd.keytab
Keytab successfully retrieved and stored in: /tmp/httpd.keytab
[root@ipa1-yyz-int wmuriithi]# scp /tmp/httpd.keytab root@10.10.10.50:/etc/httpd/conf/
The authenticity of host '10.10.10.50 (<no hostip for proxy command>)' can't be established.
RSA key fingerprint is cc:83:9c:95:bf:c6:a0:a4:a0:0a:dd:5a:85:85:bf:1e.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.10.10.50' (RSA) to the list of known hosts.
root@10.10.10.50's password:
[root@ipa1-yyz-int wmuriithi]# scp /tmp/httpd.keytab root@10.10.10.50:/etc/httpd/conf/


Then from the IPA client 10.10.10.50, I have this basic change; the bottom
part is the only pertinent section, but I posted the whole file in case I have
done something silly somewhere else.


<VirtualHost *:80>
    ServerName        git1.example.com
    ServerAlias       git


    DocumentRoot /var/www/git
    <Directory /var/www/git>
        Options       None
        AllowOverride none
        Order         allow,deny
        Allow         from all
    </Directory>

    SuexecUserGroup gitolite3 gitolite3
    # Set up appropriate GIT environments
    SetEnv GIT_PROJECT_ROOT /var/lib/gitolite3/repositories
    SetEnv GIT_HTTP_EXPORT_ALL
    SetEnv REMOTE_USER=$REDIRECT_REMOTE_USER

    # Set up appropriate gitolite environments
    SetEnv GITOLITE_HTTP_HOME /var/lib/gitolite3


    ScriptAlias /git/ /var/www/bin/gitolite-suexec-wrapper.sh/
    ScriptAlias /gitmob/ /var/www/bin/gitolite-suexec-wrapper.sh/

    <Location /git>
    #  SSLRequireSSL
      AuthType Kerberos
      AuthName "Kerberos Login"
      KrbMethodNegotiate On
      KrbMethodK5Passwd Off
      KrbAuthRealms EXAMPLE.LOC
      Krb5KeyTab /etc/httpd/conf/httpd.keytab
      require valid-user
    </Location>
</VirtualHost>



When I test it with a browser, I get the following error:

[Mon May 27 12:55:18 2013] [notice] Apache/2.2.15 (Unix) DAV/2 mod_auth_kerb/5.4 configured -- resuming normal operations
[Mon May 27 12:55:38 2013] [error] [client 10.10.10.231] user william: authentication failure for "/git": Password Mismatch

I can ssh in to the server with the same account password, so the login
details should be fine.  All I want to achieve is basic authentication, but
I seem to be missing something.

Any pointers?

Regards,

William
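The procedure above (create the `HTTP/` service, fetch its keytab with `ipa-getkeytab`, point `Krb5KeyTab` at the file) only works if the keytab actually contains the principal a browser will ask for, which is `HTTP/<ServerName>@<REALM>`. The following is an added example, not code from the original post or from FreeIPA: it parses an MIT-format (version 0x0502, the format `ipa-getkeytab` writes) keytab offline and checks that the expected service principal is present, without ever using the key material. It assumes the `ServerName` and realm from the post (`git1.example.com`, `EXAMPLE.LOC`); the sample keytab it falls back to when run without a path is constructed in the script with all-zero dummy keys.

```python
"""Check that an Apache keytab holds HTTP/<ServerName>@<REALM>.
Added example, not code from the original post or from FreeIPA."""
import struct
import sys
from typing import List, NamedTuple


class KeytabEntry(NamedTuple):
    principal: str   # e.g. "HTTP/git1.example.com"
    realm: str       # e.g. "EXAMPLE.LOC"
    enctype: int     # RFC 3961 enctype (18 = aes256-cts-hmac-sha1-96, 17 = aes128)
    kvno: int        # key version number; must match the KDC's current one
    timestamp: int   # seconds since the epoch when the key was written


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse a version 0x0502 keytab (all fields big-endian) into its entries."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries: List[KeytabEntry] = []
    off = 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size == 0:
            break
        if size < 0:          # a negative size marks a deleted slot: skip it
            off += -size
            continue
        body = data[off:off + size]
        pos = 0

        def counted_string() -> str:
            nonlocal pos
            (n,) = struct.unpack_from(">H", body, pos)
            pos += 2
            s = body[pos:pos + n].decode("utf-8")
            pos += n
            return s

        (ncomp,) = struct.unpack_from(">H", body, pos)
        pos += 2
        realm = counted_string()                      # realm precedes the components
        comps = [counted_string() for _ in range(ncomp)]
        _name_type, ts, vno8 = struct.unpack_from(">IIB", body, pos)
        pos += 9
        enctype, keylen = struct.unpack_from(">HH", body, pos)
        pos += 4 + keylen                             # skip the secret key bytes
        kvno = vno8
        if pos + 4 <= len(body):                      # optional 32-bit kvno wins
            (vno32,) = struct.unpack_from(">I", body, pos)
            if vno32:
                kvno = vno32
        entries.append(KeytabEntry("/".join(comps), realm, enctype, kvno, ts))
        off += size
    return entries


def find_service_keys(data: bytes, server_name: str, realm: str) -> List[KeytabEntry]:
    """Entries for the SPN a browser requests when it opens http://<server_name>/."""
    wanted = ("HTTP/" + server_name, realm)
    return [e for e in parse_keytab(data) if (e.principal, e.realm) == wanted]


def build_keytab(specs) -> bytes:
    """Write a 0x0502 keytab from (principal, realm, enctype, kvno, key) tuples.
    Used here only to construct the sample below."""
    out = bytearray(b"\x05\x02")
    for princ, realm, enctype, kvno, key in specs:
        comps = princ.split("/")
        body = struct.pack(">H", len(comps))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, 1369612800, kvno & 0xFF)  # name type, time, vno8
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


# Constructed sample: the principal from the post, with dummy all-zero keys.
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/git1.example.com", "EXAMPLE.LOC", 18, 1, b"\x00" * 32),
    ("HTTP/git1.example.com", "EXAMPLE.LOC", 17, 1, b"\x00" * 16),
])


def main(argv) -> int:
    data = open(argv[1], "rb").read() if len(argv) > 1 else SAMPLE_KEYTAB
    server_name, realm = "git1.example.com", "EXAMPLE.LOC"   # from the post
    for e in parse_keytab(data):
        print(f"{e.principal}@{e.realm}  kvno={e.kvno}  enctype={e.enctype}")
    hits = find_service_keys(data, server_name, realm)
    print("OK" if hits else f"missing HTTP/{server_name}@{realm}")
    return 0 if hits else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 check_keytab.py /etc/httpd/conf/httpd.keytab` on the web server; `klist -kt` on the same file gives the equivalent listing. Two points the listing makes visible: the SPN is derived from the hostname in the URL, so a browser opening the `ServerAlias` `http://git/` asks for `HTTP/git@EXAMPLE.LOC`, which a keytab holding only `HTTP/git1.example.com` cannot serve; and every re-run of `ipa-getkeytab` bumps the kvno on the KDC, so an older copy of the keytab left on a host stops validating tickets. The file must also be readable by the user Apache runs as, which `ls -l` shows and this script deliberately does not touch.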

