[Freeipa-users] Apache htaccess replacement

thewebbie thewebbie at gmail.com
Mon May 18 16:38:47 UTC 2015


Hello

I have been attempting to use my 4.1.4 FreeIPA server to authenticate
folders on a web server as a replacement for the normal htaccess feature. I
do require group authentication. I have tried just about every online example
and have only been able to get basic LDAP and basic Kerberos authentication.
How do I go about getting group-based authentication working?

I have tried to add the following to either example below and no luck. I
added the httpbind user from an ldif file from examples. I created a user
group named htaccess and added the users to it.

AuthLDAPBindDN uid=httpbind,cn=sysaccounts,cn=etc,dc=test,dc=com
AuthLDAPBindPassword XXXXXXXXXX
AuthLDAPGroupAttributeIsDN off
AuthLDAPUrl ldap://ipa.test.com/dc=test,dc=com?uid
Require ldap-group cn=htaccess,cn=groups,cn=compat,dc=test,dc=com

My error logs look like:

[Mon May 18 14:31:19 2015] [debug] src/mod_auth_kerb.c(1944): [client
xxx.xxx.xxx.xxx] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos

[Mon May 18 14:31:19 2015] [debug] src/mod_auth_kerb.c(1032): [client
xxx.xxx.xxx.xxx] Using HTTP/server1.test.com at test.COM as server principal
for password verification

[Mon May 18 14:31:19 2015] [debug] src/mod_auth_kerb.c(736): [client
xxx.xxx.xxx.xxx] Trying to get TGT for user jsnow at test.COM

[Mon May 18 14:31:19 2015] [debug] src/mod_auth_kerb.c(646): [client
xxx.xxx.xxx.xxx] Trying to verify authenticity of KDC using principal
HTTP/server1.test.com at test.COM

[Mon May 18 14:31:19 2015] [debug] src/mod_auth_kerb.c(1111): [client
xxx.xxx.xxx.xxx] kerb_authenticate_user_krb5pwd ret=0 user=jsnow at test.COM
authtype=Basic

[Mon May 18 14:31:19 2015] [debug] mod_authnz_ldap.c(727): [client
xxx.xxx.xxx.xxx] ldap authorize: Creating LDAP req structure

[Mon May 18 14:31:19 2015] [debug] mod_authnz_ldap.c(739): [client
xxx.xxx.xxx.xxx] auth_ldap authorise: User DN not found, LDAP:
ldap_simple_bind_s() failed

I have this working:

<Location /private>
    SSLRequireSSL
    AuthName "LDAP Authentication"
    AuthType Basic
    AuthzLDAPMethod ldap
    AuthzLDAPServer ipa.test.com
    AuthzLDAPUserBase cn=users,cn=compat,dc=test,dc=com
    AuthzLDAPUserKey uid
    AuthzLDAPUserScope base
    require valid-user
</Location>

And this is working:

<Location /private>
    SSLRequireSSL
    AuthName "KERBEROS Authentication"
    AuthType Kerberos
    KrbServiceName HTTP
    KrbMethodK5Passwd On
    KrbSaveCredentials On
    KrbMethodNegotiate On
    KrbAuthRealms TEST.COM
    Krb5KeyTab /etc/httpd/conf.d/keytab

    AuthLDAPUrl ldap://ipa.test.com/dc=test,dc=com?krbPrincipalName
    Require valid-user
</Location>
-- 

=================
Matthew Feinberg
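The combination the post is after, Kerberos authentication with an LDAP group check against FreeIPA, as an added example rather than configuration from the post or from the FreeIPA project. Host names, DNs, the CA path and the placeholder password are assumptions, and the thread does not confirm that this resolves the poster's bind failure; the comments explain what each setting is for and how it relates to the logged error.

```apache
# Added example, not from the original post. All names and paths are assumptions.
# Global (server) context: trust the FreeIPA CA so the bind password never
# travels over cleartext LDAP. /etc/ipa/ca.crt is the assumed CA file.
LDAPTrustedGlobalCert CA_BASE64 /etc/ipa/ca.crt

<Location /private>
    SSLRequireSSL
    AuthName "Kerberos Authentication"
    AuthType Kerberos
    KrbServiceName HTTP
    KrbMethodNegotiate On
    KrbMethodK5Passwd On
    KrbAuthRealms TEST.COM
    # Keytab should be readable by the httpd user only.
    Krb5KeyTab /etc/httpd/conf.d/keytab

    # Even though Kerberos did the authentication, mod_authnz_ldap must still
    # locate the user's entry before it can evaluate "Require ldap-group".
    # That search runs as this bind DN, so a log line of
    # "User DN not found, LDAP: ldap_simple_bind_s() failed" means this bind
    # itself was rejected (wrong DN or password, or missing system account),
    # not that the user or group does not exist.
    AuthLDAPBindDN "uid=httpbind,cn=sysaccounts,cn=etc,dc=test,dc=com"
    AuthLDAPBindPassword "PLACEHOLDER_PASSWORD"

    # After Kerberos, REMOTE_USER is the principal (jsnow@TEST.COM), so the
    # lookup key is krbPrincipalName rather than uid.
    AuthLDAPURL "ldaps://ipa.test.com/cn=users,cn=accounts,dc=test,dc=com?krbPrincipalName?sub"

    # FreeIPA's group entries under cn=accounts list members as full DNs in
    # the "member" attribute, so the check compares the user's DN, which is
    # what the search above returned. The compat tree instead exposes
    # memberUid values that would not match a principal-shaped REMOTE_USER.
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on
    Require ldap-group cn=htaccess,cn=groups,cn=accounts,dc=test,dc=com
</Location>
```

Before relying on the configuration, verify the service account bind and group lookup independently (for example with ldapsearch using the same bind DN) so that a failure in the Apache log can be attributed to the directory rather than to the directives.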