Kerberized Apache

Ido Levy IDOL at il.ibm.com
Wed Feb 20 12:18:13 EST 2008


Hi Kevin,

Thank you for the help !!
My comments are integrated below

Ido Levy

"Kevin S. Sumner" <ksumner at physics.unc.edu> wrote on 19/02/2008 17:07:02:

> Hi Ido,
>
> The modauthkerb website says you need an extension for "Mozilla" (I'm
> assuming the Mozilla Suite and Firefox) to do ticket-passing
> authentication*.  We have it set up for doing username and password
> authentication right now and it works quite well.  The configuration for a
> .htaccess is a little strange.  Here's a sample:
>
> [snip]
> AuthType Kerberos
> KrbMethodNegotiate Off
> KrbServiceName HTTP
> Krb5Keytab /path/to/keytab
> AuthName "physics.unc.edu"
> KrbVerifyKDC off
> KrbAuthRealms PHYSICS.UNC.EDU
> require user user1@PHYSICS.UNC.EDU
> require user user2@PHYSICS.UNC.EDU
> SSLRequireSSL
> [/snip]
>
> You probably want to turn on the KrbMethodNegotiate.  This is working now
> and has been working for a few years with only minor modifications when we
> upgrade modauthkerb.  We have also successfully used "require valid-user"
> to do authentication for any user in our realm.

I tried the valid-user value and it works fine and suits my needs.


> If your .htaccess seems to not be working, you may need to fix your
> AllowOverride line for your DocumentRoot or some directory under that where
> you want to do authentication.  Once AllowOverride is set correctly, you
> should be able to use .htaccess files without trouble.  Can you use
> "AuthType Basic", or any other AuthType, currently?

Following your advice I set "AllowOverride All AuthConfig" for the
DocumentRoot, and it helps save the effort of inserting a line for each
directory I want to allow access to.

>
> *NegotiateAuth is here: http://negotiateauth.mozdev.org/ but it looks like
> Linux/i386 only.
>
> Hope this helps!
> Kevin
> -----
> Kevin Sumner
> ksumner at physics.unc.edu
> (919) 962-6494
> Assistant Systems Administrator
> Physics and Astronomy Networking Infrastructure and Computing
> University of North Carolina at Chapel Hill
>
>
> On Tue, 19 Feb 2008, Ido Levy wrote:
>
> >
> > Hello All,
> >
> > I am looking for a way to enable users to get access to their space
> > through the web browser.
> > I would like to integrate it with our Kerberized SSO environment as well.
> > I tried this module http://modauthkerb.sourceforge.net/ but I have
> > encountered some issues:
> >
> > 1) I didn't succeed in configuring SSO
> >
> >      For each access through the web browser I have been asked for user
> >      and password although I already had a valid ticket
> >
> > 2) The .htaccess file must be used to control access to each directory.
> >
> >      For each space I would like to give access to, I have to create
> >      an .htaccess file and add an entry in the apache configuration
> >      file as well
> >
> > Does anyone have experience with this issue?
> > Are there any other Kerberos modules for apache that better suit my
> > needs?
> >
> >
> > Thanks,
> >
> > Ido Levy
> >
> > ________________________________________________
> > Kerberos mailing list           Kerberos at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
> >
> >
> > --
> >
> >
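
The settings discussed in this thread, combined into one server-level block, as an added example that is not from either poster's message: Negotiate is turned on for ticket-based SSO, "require valid-user" replaces the per-user lines, and the block sits in the main Apache configuration so one entry covers a whole tree. The directory path and keytab path are placeholders, and keeping the password fallback enabled is an assumption.

```apache
# Added illustration; /var/www/userspace and /path/to/keytab are placeholders.
# A <Directory> block in the main configuration covers the whole subtree,
# so no .htaccess file is needed in each directory.
<Directory "/var/www/userspace">
    # The password fallback sends the Kerberos password over HTTP Basic,
    # so refuse any request that does not arrive over TLS.
    SSLRequireSSL

    AuthType Kerberos
    AuthName "physics.unc.edu"
    KrbAuthRealms PHYSICS.UNC.EDU
    KrbServiceName HTTP
    # Keytab holding the HTTP service key; keep it readable only by the
    # account the web server runs as.
    Krb5Keytab /path/to/keytab

    # Ticket-based SSO (SPNEGO). The sample in the thread has this Off,
    # which is why a browser holding a valid ticket is still prompted.
    KrbMethodNegotiate On
    # Username/password prompt for browsers that cannot negotiate.
    KrbMethodK5Passwd On

    # When a password is used, check the KDC's answer against the keytab.
    # The sample in the thread sets this to off, which skips that check
    # and leaves password logins open to a spoofed KDC.
    KrbVerifyKDC On

    # Any authenticated principal in the realm, as used in the thread.
    Require valid-user

    # .htaccess files below this tree may change authentication settings only.
    AllowOverride AuthConfig
</Directory>
```

Browsers still have to be told which sites may receive Negotiate tokens before ticket-based SSO works; without that they fall back to the password prompt.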



