[Freeipa-users] Apache htaccess replacement

Jan Pazdziora jpazdziora at redhat.com
Thu Jul 9 13:27:28 UTC 2015


On Fri, Jun 26, 2015 at 09:19:51PM -0400, Dmitri Pal wrote:
> On 05/19/2015 05:29 AM, thewebbie wrote:
> >
> >My requirement is to replace dozens of htaccess folders on one server.
> >Each folder requiring a user group. So Host based will not work in this
> >case
> 
> Was this resolved in some way?

I don't think it was. I believe the OP is following

	http://www.freeipa.org/page/Apache_Group_Based_Authorization

which looks a bit outdated. What we probably should decide is, what
group-based access control do we want to suggest to people who cannot
use HBAC and want to get the groups.

On Mon, May 18, 2015 at 12:38:47PM -0400, thewebbie wrote:
> 
> I have been attempting to use my 4.1.4 FreeIPA server to authenticate
> folders on a web server as a replacement for the normal htaccess feature. I
> do require group authentication. I have tried just about every online example and
> have only been able to get basic LDAP and basic Kerberos authentication. How
> do I go about getting group-based authentication working?
> 
> I have tried to add the following to either example below and no luck. I
> added the httpbind user from an ldif file from examples. I created a user
> group named htaccess and added the users to it.
> 
> AuthLDAPBindDN uid=httpbind,cn=sysaccounts,cn=etc,dc=test,dc=com
> AuthLDAPBindPassword XXXXXXXXXX
> AuthLDAPGroupAttributeIsDN off
> AuthLDAPUrl ldap://ipa.test.com/dc=test,dc=com?uid

[....]

> [Mon May 18 14:31:19 2015] [debug] mod_authnz_ldap.c(739): [client
> xxx.xxx.xxx.xxx] auth_ldap authorise: User DN not found, LDAP:
> ldap_simple_bind_s() failed

Are you able to bind with that DN and password using, for
example, ldapsearch?

> I have this working.
> 
>  <Location /private>
> 
>     SSLRequireSSL
>     AuthName "LDAP Authentication"
>     AuthType Basic
>     AuthzLDAPMethod ldap
>     AuthzLDAPServer ipa.test.com
>     AuthzLDAPUserBase cn=users,cn=compat,dc=test,dc=com
>     AuthzLDAPUserKey uid
>     AuthzLDAPUserScope base
>     require valid-user
>    </Location>
> 
> And this is working
> 
>  <Location /private>
> 
>     SSLRequireSSL
>     AuthName "KERBEROS Authentication"
>     AuthType Kerberos
>     KrbServiceName HTTP
>     KrbMethodK5Passwd On
>     KrbSaveCredentials On
>     KrbMethodNegotiate On
>     KrbAuthRealms TEST.COM
>     Krb5KeyTab /etc/httpd/conf.d/keytab
> 
>     AuthLDAPUrl ldap://ipa.test.com/dc=test,dc=com?krbPrincipalName
>     Require valid-user
>    </Location>

I wonder -- with SSSD configured on the machine -- doesn't

	require group <the-group-name>

actually work?

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
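The group-restricted Location block this thread is after, written here as an added example (not code from the original mail or from the FreeIPA wiki page) for Apache 2.4 with mod_ldap and mod_authnz_ldap; the hostname, DNs and the group name reuse the thread's placeholders, and the bind password is a placeholder.

```apache
# Added example for this thread, not taken from the original mail or the
# FreeIPA documentation. ipa.test.com, dc=test,dc=com, the httpbind
# system account and the "htaccess" group are the thread's placeholders.
# Assumes Apache 2.4 with mod_ldap and mod_authnz_ldap loaded.

# Trust the IPA CA so the ldaps:// connection below is verified.
# /etc/ipa/ca.crt is where an IPA-enrolled client keeps the CA certificate.
LDAPTrustedGlobalCert CA_BASE64 /etc/ipa/ca.crt

<Location /private>
    SSLRequireSSL
    AuthType Basic
    AuthName "LDAP Authentication"
    AuthBasicProvider ldap

    # Look the user up by uid under the IPA accounts tree rather than the
    # compat tree, so the DN found is the one IPA groups reference.
    AuthLDAPURL "ldaps://ipa.test.com/cn=users,cn=accounts,dc=test,dc=com?uid?sub?(objectClass=person)"

    # Dedicated system account used only for the search. If this password
    # does not match the entry, mod_authnz_ldap logs the
    # "ldap_simple_bind_s() failed" error quoted in the thread.
    AuthLDAPBindDN "uid=httpbind,cn=sysaccounts,cn=etc,dc=test,dc=com"
    AuthLDAPBindPassword "REPLACE_WITH_BIND_PASSWORD"

    # IPA groups hold their members as full DNs in the "member" attribute,
    # so the module must compare the user's DN, not the bare uid
    # (AuthLDAPGroupAttributeIsDN off, as in the thread, will not match).
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on

    # One directory per group: only members of "htaccess" are let in.
    Require ldap-group cn=htaccess,cn=groups,cn=accounts,dc=test,dc=com
</Location>
```

Before reloading Apache, confirm the bind account can read the group with `ldapsearch -x -H ldaps://ipa.test.com -D "uid=httpbind,cn=sysaccounts,cn=etc,dc=test,dc=com" -W -b cn=groups,cn=accounts,dc=test,dc=com "(cn=htaccess)" member`; if that bind fails, the Apache config will fail the same way.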

