[Freeipa-users] Authenticating Apache through FreeIPA

Martin Kosek mkosek at redhat.com
Tue May 28 07:31:24 UTC 2013


On 05/28/2013 02:21 AM, William Muriithi wrote:
> Hello,
> 
> This seems well documented, but I can't seem to get it working.  Not sure what I
> am missing.  I will try to go over it and hopefully someone may notice why I am
> failing.
> 
> I got a system enrolled to IPA and it's running
> 
> httpd-2.2.15-28.el6.centos.x86_64
> mod_auth_kerb-5.4-9.el6.x86_64
> mod_authnz_external-3.2.6-1.el6.x86_64
> 
> I initially tried to authenticate against LDAP directly, but it didn't work at
> all.  I believe FreeIPA only uses LDAP for authorization and Kerberos for
> authentication.  Is this observation correct?  I mean, can one deal with LDAP
> directly in this setup?

FreeIPA relies on Kerberos for authentication. Speaking of authorization, i.e.
who can do what, we have HBAC enforced by the SSSD. This is however not
available for httpd applications at the moment.

I would recommend using Kerberos authentication (i.e. mod_auth_kerb) instead of
LDAP binds as this will allow you to have Single Sign On (SSO) with your
application.

> 
> For Kerberos, I went to the IPA server and generated a keytab

Note that you can get the keytab also directly on the client, ipa-getkeytab is
present in freeipa-client package.

> 
> [root@ipa1-yyz-int wmuriithi]# kinit admin
> Password for admin@EXAMPLE.LOC:
> [root@ipa1-yyz-int wmuriithi]# ipa service-add HTTP/git1.example.com@EXAMPLE.LOC
> ---------------------------------------------------
> Added service "HTTP/git1.example.com@EXAMPLE.LOC"
> ---------------------------------------------------
>   Principal: HTTP/git1.example.com@EXAMPLE.LOC
>   Managed by: git1.example.com
> [root@ipa1-yyz-int wmuriithi]# ipa-getkeytab -s ipa1-yyz-int.example.loc -p HTTP/git1.example.com -k /tmp/httpd.keytab
> Keytab successfully retrieved and stored in: /tmp/httpd.keytab
> [root@ipa1-yyz-int wmuriithi]# scp /tmp/httpd.keytab root@10.10.10.50:/etc/httpd/conf/
> The authenticity of host '10.10.10.50 (<no hostip for proxy command>)' can't be
> established.
> RSA key fingerprint is cc:83:9c:95:bf:c6:a0:a4:a0:0a:dd:5a:85:85:bf:1e.
> Are you sure you want to continue connecting (yes/no)? yes
> Warning: Permanently added '10.10.10.50' (RSA) to the list of known hosts.
> root@10.10.10.50's password:
> [root@ipa1-yyz-int wmuriithi]# scp /tmp/httpd.keytab root@10.10.10.50:/etc/httpd/conf/
> 
> 
> Then from the IPA client 10.10.10.50, I have this basic change; the bottom part
> is the only pertinent section, but I posted the whole file in case I have done
> something silly somewhere else.
> 
> 
> <VirtualHost *:80>
>     ServerName        git1.example.com
>     ServerAlias       git
>    
> 
>     DocumentRoot /var/www/git
>     <Directory /var/www/git>
>         Options       None
>         AllowOverride none
>         Order         allow,deny
>         Allow         from all
>     </Directory>
> 
>     SuexecUserGroup gitolite3 gitolite3
>     # Set up appropriate GIT environments
>     SetEnv GIT_PROJECT_ROOT /var/lib/gitolite3/repositories
>     SetEnv GIT_HTTP_EXPORT_ALL
>     SetEnv REMOTE_USER=$REDIRECT_REMOTE_USER
> 
>     # Set up appropriate gitolite environments
>     SetEnv GITOLITE_HTTP_HOME /var/lib/gitolite3
> 
> 
>     ScriptAlias /git/ /var/www/bin/gitolite-suexec-wrapper.sh/
>     ScriptAlias /gitmob/ /var/www/bin/gitolite-suexec-wrapper.sh/
> 
> <Location /git>
> #  SSLRequireSSL
>   AuthType Kerberos
>   AuthName "Kerberos Login"
>   KrbMethodNegotiate On
>   KrbMethodK5Passwd Off
>   KrbAuthRealms EXAMPLE.LOC
>   Krb5KeyTab /etc/httpd/conf/httpd.keytab
>   require valid-user
> </Location>
> </VirtualHost>

Looks OK. I have a Kerberos authenticated web app running with very similar
configuration.

> 
> 
> 
>  When I test it with a browser, I get the following error
> 
> [Mon May 27 12:55:18 2013] [notice] Apache/2.2.15 (Unix) DAV/2
> mod_auth_kerb/5.4 configured -- resuming normal operations
> [Mon May 27 12:55:38 2013] [error] [client 10.10.10.231] user william:
> authentication failure for "/git": Password Mismatch
> 
> I can ssh in to the server with the same account password, so the login details
> should be fine.  All I want to achieve is basic authentication, but I seem to
> be missing something.

If you want basic authentication (user+password), you would need to set
KrbMethodK5Passwd to "On".

> 
> Any pointers?

I would also check that KrbAuthRealms contains the correct realm. I would also
check that /etc/httpd/conf/httpd.keytab is accessible by the "apache" user and has
the right SELinux context (no AVCs in audit.log).

If all this is all right, you can also set apache's LogLevel to debug
and watch the error log for hints.

HTH,
Martin

> 
> Regards,
> 
> William
> 
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
> 
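The checks Martin lists (KrbAuthRealms matching the realm, the keytab being readable by the apache user, the SELinux label, and the keytab actually matching what the KDC has) as a script, added here as an example; it is not code from either poster. It assumes GNU coreutils `stat -c`, MIT Kerberos `klist`/`kinit` for the live checks (skipped when absent), and a vhost file at /etc/httpd/conf.d/git.conf, which is an assumed location since the thread does not say where William's file lives. The pure file-parsing and permission functions work offline; the live checks only run when you invoke the script with explicit arguments.

```shell
#!/bin/sh
# Added example (not from the thread): sanity checks for the mod_auth_kerb setup
# discussed above. Defaults are the paths from the thread; the vhost file path
# /etc/httpd/conf.d/git.conf is an assumption. Requires GNU stat (Linux).

# Print default_realm from a krb5.conf (empty if not set).
krb5_default_realm() {
    sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$1" \
        | head -n 1 | tr -d '[:space:]'
}

# Print the realm list given to KrbAuthRealms in an httpd config file.
httpd_auth_realms() {
    sed -n 's/^[[:space:]]*KrbAuthRealms[[:space:]]*//p' "$1" | head -n 1
}

# Succeed when one of the KrbAuthRealms entries equals the default realm.
# A typo here (EXAMPLE.COM vs EXAMPLE.LOC) makes every login fail.
realms_match() {
    realm=$(krb5_default_realm "$2")
    [ -n "$realm" ] || return 1
    for r in $(httpd_auth_realms "$1"); do
        [ "$r" = "$realm" ] && return 0
    done
    return 1
}

# Print the three permission digits of a file (e.g. 640), zero-padded.
file_mode() {
    m=$(stat -c '%a' "$1") || return 1
    m=$(printf '%04d' "$m")
    printf '%s' "${m#?}"
}

# Succeed when user $2 can read file $1 via the owner, group or other bits.
file_readable_by() {
    file=$1; user=$2
    [ -f "$file" ] || return 1
    mode=$(file_mode "$file") || return 1
    owner=$(stat -c '%U' "$file"); group=$(stat -c '%G' "$file")
    if [ "$owner" = "$user" ]; then
        digit=${mode%??}                      # owner digit
    elif id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -qx "$group"; then
        t=${mode%?}; digit=${t#?}             # group digit
    else
        digit=${mode#??}                      # other digit
    fi
    [ $((digit & 4)) -ne 0 ]
}

# Succeed when the keytab is not world-readable: anyone holding the HTTP key
# can impersonate the service, so only apache (or root:apache 0640) should read it.
keytab_not_world_readable() {
    mode=$(file_mode "$1") || return 1
    [ $(( ${mode#??} & 4 )) -eq 0 ]
}

# Live checks; the Kerberos-tool parts are skipped when the commands are absent.
run_checks() {
    keytab=${1:-/etc/httpd/conf/httpd.keytab}
    vhost=${2:-/etc/httpd/conf.d/git.conf}     # assumed path
    krb5=${3:-/etc/krb5.conf}
    rc=0
    if realms_match "$vhost" "$krb5"; then echo "ok: KrbAuthRealms matches default_realm"
    else echo "FAIL: KrbAuthRealms differs from default_realm"; rc=1; fi
    if file_readable_by "$keytab" apache; then echo "ok: keytab readable by apache"
    else echo "FAIL: keytab not readable by apache"; rc=1; fi
    if keytab_not_world_readable "$keytab"; then echo "ok: keytab not world-readable"
    else echo "WARN: keytab is world-readable"; fi
    ls -Z "$keytab" 2>/dev/null || true         # SELinux label; compare with audit.log AVCs
    if command -v klist >/dev/null 2>&1; then
        klist -kt "$keytab"                     # principals stored in the keytab
    fi
    if command -v kinit >/dev/null 2>&1; then
        # Prove the key matches the KDC: obtain a TGT as the service itself.
        host=$(sed -n 's/^[[:space:]]*ServerName[[:space:]]*//p' "$vhost" | head -n 1)
        if KRB5CCNAME=FILE:/tmp/keytab-check.cc kinit -kt "$keytab" "HTTP/$host"; then
            echo "ok: kinit with keytab succeeded"
        else echo "FAIL: kinit with keytab failed (wrong key, realm or KDC)"; rc=1; fi
        KRB5CCNAME=FILE:/tmp/keytab-check.cc kdestroy 2>/dev/null || true
    fi
    return $rc
}

# Only run the live checks when invoked with explicit paths, e.g.:
#   sh keytab-check.sh /etc/httpd/conf/httpd.keytab /etc/httpd/conf.d/git.conf
if [ "$#" -ge 1 ]; then run_checks "$@"; fi
```

Run it on the web server itself (the keytab lives there, not on the IPA server). A successful `kinit -kt` for HTTP/git1.example.com confirms the keytab is the one the KDC knows; a failure there, with the realm and permissions passing, usually means the keytab was regenerated after it was copied.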
