How to kerberize Apache
Ido Levy
IDOL at il.ibm.com
Thu Feb 21 09:33:03 EST 2008
Hello All,
Following my post to the list and the great help I got from the members cc'd on
this email,
I would like to share the way to kerberize Apache.
Browser Settings
In my case it is Firefox 2.0.0.9.
Using the about:config utility of the Firefox browser I set the following
parameters:
network.negotiate-auth.delegation-uris = https://,http://
network.negotiate-auth.trusted-uris = https://,http://
Note: these settings are made per user; the parameters are considered
private.
Client Settings
The machine you log in to needs to be part of your Kerberos environment,
and the user must hold a TGT.
Web Server Settings
In my case it is httpd-2.2.3-11.el5 running on RHEL 5.1, 64-bit
architecture.
1) Create an HTTP service principal for the web server machine.
2) Create a keytab file containing the HTTP service principal and place the
file under the web server
configuration directory. Make sure the apache user has the right
privileges on this file.
3) Compile the module mod_auth_kerb.
Detailed instructions can be found at
http://modauthkerb.sourceforge.net/configure.html
4) Load the module and set some basic configuration in the Apache configuration
file
/etc/httpd/conf/httpd.conf:
LoadModule auth_kerb_module modules/mod_auth_kerb.so
Under the document root directory or any other directory you would like,
set the following:
<Directory "/var/www/html">
AuthType Kerberos
AuthName "Kerberos Login"
KrbAuthRealms <REALM>
KrbServiceName HTTP
Krb5Keytab /etc/httpd/conf.d/krb5.http
KrbMethodK5Passwd on
KrbSaveCredentials on
require valid-user
AllowOverride All AuthConfig
Order allow,deny
Allow from all
</Directory>
5) Restart the web server
service httpd restart
6) To restrict access to specific directories, you can use
a .htaccess file with the following format:
AuthType Kerberos
AuthName "Kerberos Login"
KrbAuthRealms REALM
KrbMethodK5Passwd on
require user <USER1>@REALM <USER2>@REALM
Just place the file under the relevant directory.
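As an added, end-to-end example of steps 1 to 6 (my script, not the poster's and not part of mod_auth_kerb): the host name www.example.com, the realm EXAMPLE.COM, the keytab path and the httpd user are assumptions and can be overridden through the environment. It creates the principal and keytab, checks that only the httpd user can read the keytab, renders the <Directory> block from the post, proves the keytab key matches the KDC with kinit before httpd is restarted, and exercises the same SPNEGO exchange from the client side with curl. One deliberate difference from the post's block: KrbMethodK5Passwd is set off, so a client without a ticket gets a 401 instead of a Basic-auth prompt that would send the user's Kerberos password to the web server; turn it back on only if you want that fallback and the site is HTTPS-only.

```bash
#!/bin/bash
# Added example, not from the original post. Source this file on the web
# server and run the functions as root: provision_keytab, verify_and_restart,
# and client_check from a client machine. Values below are assumptions.

HOST="${HOST:-www.example.com}"                   # assumed web server FQDN
REALM="${REALM:-EXAMPLE.COM}"                     # assumed Kerberos realm
KEYTAB="${KEYTAB:-/etc/httpd/conf.d/krb5.http}"   # keytab path from the post
HTTPD_USER="${HTTPD_USER:-apache}"                # RHEL httpd user

# Steps 1 and 2: create HTTP/<host>@<REALM> with a random key and export that
# key into the keytab. kadmin.local runs on the KDC as root; use kadmin with
# an admin principal when the web server is a different machine.
provision_keytab() {
    kadmin.local -q "addprinc -randkey HTTP/${HOST}@${REALM}" || return 1
    kadmin.local -q "ktadd -k ${KEYTAB} HTTP/${HOST}@${REALM}" || return 1
    chown "${HTTPD_USER}" "${KEYTAB}"
    chmod 600 "${KEYTAB}"
}

# The keytab is the service's long-term key: anyone who can read it can
# impersonate the web server. Returns 0 when the file is owned by the given
# uid and is mode 600, 1 otherwise. Works with GNU stat and BSD stat.
check_keytab_perms() {
    local keytab="$1" want_uid="$2"
    local uid mode
    uid=$(stat -c %u "$keytab" 2>/dev/null || stat -f %u "$keytab") || return 1
    mode=$(stat -c %a "$keytab" 2>/dev/null || stat -f %Lp "$keytab") || return 1
    [ "$uid" = "$want_uid" ] || return 1
    [ "$mode" = "600" ] || return 1
    return 0
}

# Step 4: the <Directory> block from the post with realm and keytab filled in.
# KrbMethodNegotiate on is the SPNEGO (ticket-based) path the browser uses;
# KrbMethodK5Passwd off removes the Basic-auth fallback (difference from the
# post). AllowOverride AuthConfig is what lets the step 6 .htaccess apply.
render_kerb_directory() {
    local docroot="$1" realm="$2" keytab="$3"
    cat <<EOF
<Directory "${docroot}">
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbAuthRealms ${realm}
    KrbServiceName HTTP
    Krb5Keytab ${keytab}
    KrbMethodNegotiate on
    KrbMethodK5Passwd off
    KrbSaveCredentials on
    require valid-user
    AllowOverride AuthConfig
    Order allow,deny
    Allow from all
</Directory>
EOF
}

# Steps 3 to 5: with the module loaded, confirm the principal is in the keytab,
# that its key is accepted by the KDC (kinit with the keytab), that httpd
# parses its configuration, and only then restart the service.
verify_and_restart() {
    check_keytab_perms "${KEYTAB}" "$(id -u "${HTTPD_USER}")" || {
        echo "keytab must be owned by ${HTTPD_USER} with mode 600" >&2; return 1; }
    klist -k "${KEYTAB}" | grep -q "HTTP/${HOST}@${REALM}" || {
        echo "HTTP/${HOST}@${REALM} not found in ${KEYTAB}" >&2; return 1; }
    kinit -k -t "${KEYTAB}" "HTTP/${HOST}@${REALM}" || return 1
    kdestroy
    httpd -t || return 1
    service httpd restart
}

# Client side: klist -s is silent and exits non-zero without a valid TGT, so
# kinit is only run when needed. curl --negotiate performs the same
# WWW-Authenticate: Negotiate exchange as the browser; add -v to watch it.
client_check() {
    klist -s || kinit
    curl --negotiate -u : -sS -o /dev/null -w '%{http_code}\n' "https://${HOST}/"
}
```

verify_and_restart is the step worth keeping around: a keytab that lists the principal but whose key version no longer matches the KDC (after a second ktadd, for example) fails exactly at the kinit line, which is easier to read than a browser that silently falls back to anonymous access.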
Best Regards,
Ido Levy