[Freeipa-users] Apache htaccess replacement
thewebbie
thewebbie at gmail.com
Mon May 18 16:38:47 UTC 2015
Hello

I have been attempting to use my 4.1.4 FreeIPA server to authenticate
folders on a web server as a replacement for the normal htaccess feature. I
do require group authentication. I have tried just about every online example and
have only been able to get basic LDAP and basic Kerberos authentication. How
do I go about getting group-based authentication working?
I have tried to add the following to either example below, with no luck. I
added the httpbind user from an ldif file from the examples. I created a user
group named htaccess and added the users to it.
AuthLDAPBindDN uid=httpbind,cn=sysaccounts,cn=etc,dc=test,dc=com
AuthLDAPBindPassword XXXXXXXXXX
AuthLDAPGroupAttributeIsDN off
AuthLDAPUrl ldap://ipa.test.com/dc=test,dc=com?uid
Require ldap-group cn=htaccess,cn=groups,cn=compat,dc=test,dc=com
My error logs look like:
[Mon May 18 14:31:19 2015] [debug] src/mod_auth_kerb.c(1944): [client
xxx.xxx.xxx.xxx] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos
[Mon May 18 14:31:19 2015] [debug] src/mod_auth_kerb.c(1032): [client
xxx.xxx.xxx.xxx] Using HTTP/server1.test.com at test.COM as server principal
for password verification
[Mon May 18 14:31:19 2015] [debug] src/mod_auth_kerb.c(736): [client
xxx.xxx.xxx.xxx] Trying to get TGT for user jsnow at test.COM
[Mon May 18 14:31:19 2015] [debug] src/mod_auth_kerb.c(646): [client
xxx.xxx.xxx.xxx] Trying to verify authenticity of KDC using principal
HTTP/server1.test.com at test.COM
[Mon May 18 14:31:19 2015] [debug] src/mod_auth_kerb.c(1111): [client
xxx.xxx.xxx.xxx] kerb_authenticate_user_krb5pwd ret=0 user=jsnow at test.COM
authtype=Basic
[Mon May 18 14:31:19 2015] [debug] mod_authnz_ldap.c(727): [client
xxx.xxx.xxx.xxx] ldap authorize: Creating LDAP req structure
[Mon May 18 14:31:19 2015] [debug] mod_authnz_ldap.c(739): [client
xxx.xxx.xxx.xxx] auth_ldap authorise: User DN not found, LDAP:
ldap_simple_bind_s() failed
I have this working:

<Location /private>
    SSLRequireSSL
    AuthName "LDAP Authentication"
    AuthType Basic
    AuthzLDAPMethod ldap
    AuthzLDAPServer ipa.test.com
    AuthzLDAPUserBase cn=users,cn=compat,dc=test,dc=com
    AuthzLDAPUserKey uid
    AuthzLDAPUserScope base
    require valid-user
</Location>
And this is working:

<Location /private>
    SSLRequireSSL
    AuthName "KERBEROS Authentication"
    AuthType Kerberos
    KrbServiceName HTTP
    KrbMethodK5Passwd On
    KrbSaveCredentials On
    KrbMethodNegotiate On
    KrbAuthRealms TEST.COM
    Krb5KeyTab /etc/httpd/conf.d/keytab
    AuthLDAPUrl ldap://ipa.test.com/dc=test,dc=com?krbPrincipalName
    Require valid-user
</Location>
--
=================
Matthew Feinberg
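As an added example (not from the original post or from the FreeIPA project), here is how the working Kerberos block can be combined with mod_authnz_ldap so that authorization is decided by FreeIPA group membership rather than `valid-user`. Host names, realm, the httpbind system account DN and the group DN are the ones quoted in the post; `KrbLocalUserMapping On` is assumed to be the missing piece, since without it REMOTE_USER carries the realm suffix and a `?uid` lookup finds no entry.

```apache
# Added example: Kerberos authentication + LDAP group authorization against
# the FreeIPA compat tree. Names are taken from the post; keytab path and
# the use of the compat tree (posixGroup/memberUid) are assumptions.
<Location /private>
    SSLRequireSSL

    AuthName "Kerberos Authentication"
    AuthType Kerberos
    KrbServiceName HTTP
    KrbAuthRealms TEST.COM
    Krb5KeyTab /etc/httpd/conf.d/keytab
    KrbMethodNegotiate On
    KrbMethodK5Passwd On
    # Strip the realm so REMOTE_USER becomes "jsnow", not "jsnow@TEST.COM";
    # the uid lookup below would otherwise search for a non-existent entry.
    KrbLocalUserMapping On

    # mod_authnz_ldap is used here for authorization only. It still needs a
    # bind account to resolve REMOTE_USER to a DN and read group membership;
    # keep this password out of world-readable config and rotate it.
    AuthLDAPUrl "ldap://ipa.test.com/cn=users,cn=compat,dc=test,dc=com?uid?sub?(objectClass=posixAccount)"
    AuthLDAPBindDN "uid=httpbind,cn=sysaccounts,cn=etc,dc=test,dc=com"
    AuthLDAPBindPassword "XXXXXXXXXX"

    # Compat-tree groups are posixGroup entries whose memberUid values are
    # bare user names, so membership is matched by name rather than by DN.
    AuthLDAPGroupAttribute memberUid
    AuthLDAPGroupAttributeIsDN off

    Require ldap-group cn=htaccess,cn=groups,cn=compat,dc=test,dc=com
</Location>
```

A failure like the `ldap_simple_bind_s() failed` line in the log above is a property of the bind account, not of the `Require` rule; test those credentials outside Apache first (for example `ldapwhoami -x -H ldap://ipa.test.com -D "uid=httpbind,cn=sysaccounts,cn=etc,dc=test,dc=com" -W`) before changing the group configuration.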