<div dir="ltr">Hello<div><br></div><div>I have been attempting to use my 4.1.4 FreeIPA server to authenticate folders on a web server as a replacement for the normal htaccess feature. I do require group authentication. I have tried just about every online example and have only been able to get basic LDAP and basic Kerberos authentication. How do I go about getting group-based authentication working? </div><div><br></div><div>I have tried to add the following to either example below and no luck. I added the httpbind user from an ldif file from examples. I created a user group named htaccess and added the users to it. </div><div><br></div><div><div>AuthLDAPBindDN<span class="" style="white-space:pre"> </span>uid=httpbind,cn=sysaccounts,cn=etc,dc=test,dc=com</div><div>AuthLDAPBindPassword<span class="" style="white-space:pre"> XXXXXXXXXX</span></div><div>AuthLDAPGroupAttributeIsDN off</div><div>AuthLDAPUrl ldap://ipa.test.com/dc=test,dc=com?uid</div><div>Require ldap-group cn=htaccess,cn=groups,cn=compat,dc=test,dc=com<br></div></div><div><br></div><div>
<p class=""><span class="">My error logs look like</span></p>
<p class=""><span class="">[Mon May 18 14:31:19 2015] [debug] src/mod_auth_kerb.c(1944): [client xxx.xxx.xxx.xxx] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos</span></p>
<p class=""><span class="">[Mon May 18 14:31:19 2015] [debug] src/mod_auth_kerb.c(1032): [client xxx.xxx.xxx.xxx] Using HTTP/server1.test.com@test.COM as server principal for password verification</span></p>
<p class=""><span class="">[Mon May 18 14:31:19 2015] [debug] src/mod_auth_kerb.c(736): [client xxx.xxx.xxx.xxx] Trying to get TGT for user jsnow@test.COM</span></p>
<p class=""><span class="">[Mon May 18 14:31:19 2015] [debug] src/mod_auth_kerb.c(646): [client xxx.xxx.xxx.xxx] Trying to verify authenticity of KDC using principal HTTP/server1.test.com@test.COM</span></p>
<p class=""><span class="">[Mon May 18 14:31:19 2015] [debug] src/mod_auth_kerb.c(1111): [client xxx.xxx.xxx.xxx] kerb_authenticate_user_krb5pwd ret=0 user=jsnow@test.COM authtype=Basic</span></p>
<p class=""><span class="">[Mon May 18 14:31:19 2015] [debug] mod_authnz_ldap.c(727): [client xxx.xxx.xxx.xxx] ldap authorize: Creating LDAP req structure</span></p>
<p class=""><span class="">[Mon May 18 14:31:19 2015] [debug] mod_authnz_ldap.c(739): [client xxx.xxx.xxx.xxx] auth_ldap authorise: User DN not found, LDAP: ldap_simple_bind_s() failed</span></p></div><div><br></div><div>I have this working.</div><div><br></div><div><div> &lt;Location /private&gt;</div><div><br></div><div> SSLRequireSSL<br></div><div> AuthName "LDAP Authentication"</div><div> AuthType Basic</div><div> AuthzLDAPMethod ldap</div><div> AuthzLDAPServer ipa.test.com</div><div> AuthzLDAPUserBase cn=users,cn=compat,dc=test,dc=com</div><div> AuthzLDAPUserKey uid</div><div> AuthzLDAPUserScope base</div><div> require valid-user</div><div><br></div><div> &lt;/Location&gt;</div><div><br></div><div>And this is working</div><div><br></div><div><div> &lt;Location /private&gt;</div><div><br></div><div> SSLRequireSSL</div><div> AuthName "KERBEROS Authentication"</div><div> AuthType Kerberos</div><div> KrbServiceName HTTP</div><div> KrbMethodK5Passwd On</div><div> KrbSaveCredentials On</div><div> KrbMethodNegotiate On</div><div> KrbAuthRealms TEST.COM</div><div> Krb5KeyTab /etc/httpd/conf.d/keytab</div><div><br></div><div> AuthLDAPUrl ldap://ipa.test.com/dc=test,dc=com?krbPrincipalName</div><div> Require valid-user</div><div><br></div><div> &lt;/Location&gt;</div></div>-- <br><div class="gmail_signature"><br>=================<br>Matthew Feinberg</div>
</div></div>
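<p>Added example, not part of the original message: a small Python triage of the debug lines quoted above that separates the mod_auth_kerb authentication result from the mod_authnz_ldap authorization result. The sample lines are copied from the post with its redacted client address; the function name <code>triage</code> and the result field names are assumptions of this example.</p>

```python
import re

# Apache 2.2 error-log shape: [date] [level] source(line): [client ip] message
LINE = re.compile(r"^\[[^\]]+\] \[\w+\] (?P<src>\S+)\(\d+\): "
                  r"\[client (?P<client>[^\]]+)\] (?P<msg>.*)$")
KRB_RESULT = re.compile(r"kerb_authenticate_user_\w+ ret=(?P<ret>-?\d+) user=(?P<user>\S+)")
LDAP_ERROR = re.compile(r"auth_ldap authori[sz]e: (?P<reason>.+)$")

# Sample input: the debug lines from the post above (client address as redacted there).
SAMPLE = """\
[Mon May 18 14:31:19 2015] [debug] src/mod_auth_kerb.c(1944): [client xxx.xxx.xxx.xxx] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Mon May 18 14:31:19 2015] [debug] src/mod_auth_kerb.c(1032): [client xxx.xxx.xxx.xxx] Using HTTP/server1.test.com@test.COM as server principal for password verification
[Mon May 18 14:31:19 2015] [debug] src/mod_auth_kerb.c(736): [client xxx.xxx.xxx.xxx] Trying to get TGT for user jsnow@test.COM
[Mon May 18 14:31:19 2015] [debug] src/mod_auth_kerb.c(646): [client xxx.xxx.xxx.xxx] Trying to verify authenticity of KDC using principal HTTP/server1.test.com@test.COM
[Mon May 18 14:31:19 2015] [debug] src/mod_auth_kerb.c(1111): [client xxx.xxx.xxx.xxx] kerb_authenticate_user_krb5pwd ret=0 user=jsnow@test.COM authtype=Basic
[Mon May 18 14:31:19 2015] [debug] mod_authnz_ldap.c(727): [client xxx.xxx.xxx.xxx] ldap authorize: Creating LDAP req structure
[Mon May 18 14:31:19 2015] [debug] mod_authnz_ldap.c(739): [client xxx.xxx.xxx.xxx] auth_ldap authorise: User DN not found, LDAP: ldap_simple_bind_s() failed
"""


def triage(log_text):
    """Per client: who authenticated, and where LDAP authorization stopped."""
    results = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        entry = results.setdefault(m["client"], {
            "user": None, "authn_ok": None, "authz_error": None, "bind_failed": False})
        if m["src"].endswith("mod_auth_kerb.c"):
            k = KRB_RESULT.search(m["msg"])
            if k:
                entry["user"] = k["user"]
                entry["authn_ok"] = k["ret"] == "0"  # Apache's OK status is 0
        elif m["src"].endswith("mod_authnz_ldap.c"):
            e = LDAP_ERROR.search(m["msg"])
            if e:
                entry["authz_error"] = e["reason"]
                # The bind to the directory failed before any group lookup ran.
                entry["bind_failed"] = "ldap_simple_bind_s() failed" in e["reason"]
    return results


if __name__ == "__main__":
    for client, r in triage(SAMPLE).items():
        print(client, r)
```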