[Freeipa-users] Apache htaccess replacement
Jan Pazdziora
jpazdziora at redhat.com
Thu Jul 9 13:27:28 UTC 2015
On Fri, Jun 26, 2015 at 09:19:51PM -0400, Dmitri Pal wrote:
> On 05/19/2015 05:29 AM, thewebbie wrote:
> >
> >My requirement is to replace dozens of htaccess folders on one server.
> >Each folder requiring a user group. So Host based will not work in this
> >case
>
> Was this resolved in some way?
I don't think it was. I believe the OP is following
http://www.freeipa.org/page/Apache_Group_Based_Authorization
which looks a bit outdated. What we probably should decide is, what
group-based access control do we want to suggest to people who cannot
use HBAC and want to get the groups.
On Mon, May 18, 2015 at 12:38:47PM -0400, thewebbie wrote:
>
> I have been attempting to use my 4.1.4 FreeIPA server to authenticate
> folders on a web server as a replacement for the normal htaccess feature. I
> do require group authentication. I have tried just about every online example and
> have only been able to get basic LDAP and basic Kerberos authentication. How
> do I go about getting group-based authentication working?
>
> I have tried to add the following to either example below and no luck. I
> added the httpbind user from an ldif file from examples. I created a user
> group named htaccess and added the users to it.
>
> AuthLDAPBindDN uid=httpbind,cn=sysaccounts,cn=etc,dc=test,dc=com
> AuthLDAPBindPassword XXXXXXXXXX
> AuthLDAPGroupAttributeIsDN off
> AuthLDAPUrl ldap://ipa.test.com/dc=test,dc=com?uid
[....]
> [Mon May 18 14:31:19 2015] [debug] mod_authnz_ldap.c(739): [client
> xxx.xxx.xxx.xxx] auth_ldap authorise: User DN not found, LDAP:
> ldap_simple_bind_s() failed
Are you able to bind with that DN and password using, for
example, ldapsearch?
> I have this working.
>
> <Location /private>
>
> SSLRequireSSL
> AuthName "LDAP Authentication"
> AuthType Basic
> AuthzLDAPMethod ldap
> AuthzLDAPServer ipa.test.com
> AuthzLDAPUserBase cn=users,cn=compat,dc=test,dc=com
> AuthzLDAPUserKey uid
> AuthzLDAPUserScope base
> require valid-user
> </Location>
>
> And this is working
>
> <Location /private>
>
> SSLRequireSSL
> AuthName "KERBEROS Authentication"
> AuthType Kerberos
> KrbServiceName HTTP
> KrbMethodK5Passwd On
> KrbSaveCredentials On
> KrbMethodNegotiate On
> KrbAuthRealms TEST.COM
> Krb5KeyTab /etc/httpd/conf.d/keytab
>
> AuthLDAPUrl ldap://ipa.test.com/dc=test,dc=com?krbPrincipalName
> Require valid-user
I wonder -- with SSSD configured on the machine -- doesn't
require group <the-group-name>
actually work?
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
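As an added example (not posted by anyone in this thread), here is a mod_authnz_ldap configuration that does the group check the original poster was after. It reuses the suffix dc=test,dc=com, the sysaccount uid=httpbind,cn=sysaccounts,cn=etc,dc=test,dc=com, the host ipa.test.com and the group name "htaccess" from the quoted config; the bind password is a placeholder. The group DN under cn=groups,cn=accounts and the use of the "member" attribute follow FreeIPA's standard directory layout; the compat-tree variant in the comments is an assumption about how the compat plugin exposes POSIX groups.

```apache
# Added example: group-based authorization against FreeIPA with
# mod_authnz_ldap. Suffix, sysaccount, host and group name are taken
# from the original post; the password is a placeholder.
<Location /private>
    SSLRequireSSL
    AuthType Basic
    AuthName "LDAP Authentication"
    AuthBasicProvider ldap

    # Use ldaps:// so the Basic credentials are not relayed to the
    # directory in clear. Search real user entries (not the compat
    # tree) by uid, subtree scope.
    AuthLDAPURL "ldaps://ipa.test.com/cn=users,cn=accounts,dc=test,dc=com?uid?sub?(objectClass=person)"
    AuthLDAPBindDN "uid=httpbind,cn=sysaccounts,cn=etc,dc=test,dc=com"
    AuthLDAPBindPassword "REPLACE_WITH_SYSACCOUNT_PASSWORD"

    # FreeIPA groups under cn=groups,cn=accounts list their members as
    # full user DNs in the "member" attribute, so the attribute is a DN.
    # (The quoted config had AuthLDAPGroupAttributeIsDN off, which only
    # fits the compat tree: there the group is a posixGroup whose
    # memberUid values are bare usernames, assumption below.)
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on

    # Only members of the "htaccess" group get in. Use one Require line
    # per <Location> to map each folder to its own FreeIPA group.
    Require ldap-group cn=htaccess,cn=groups,cn=accounts,dc=test,dc=com

    # Compat-tree alternative (assumed layout), if you must keep the
    # cn=compat base from the quoted config:
    #   AuthLDAPGroupAttribute memberUid
    #   AuthLDAPGroupAttributeIsDN off
    #   Require ldap-group cn=htaccess,cn=groups,cn=compat,dc=test,dc=com
</Location>
```

The debug line quoted in the thread ("User DN not found, LDAP: ldap_simple_bind_s() failed") is logged when the bind with AuthLDAPBindDN itself is rejected, before any user lookup happens, so confirming the sysaccount bind with ldapsearch, as suggested above, is the right first check before touching the group directives.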