Using mod_auth_kerb with Apache against CIT/AD

Install the module via yum (or apt-get):

yum install mod_auth_kerb
(Restart Apache after this)

Make sure that your system is joined to the domain (assumes winbind join):

/usr/bin/net ads join createcomputer=/Divisions/ACOM/Computers/FL0/Samba -UACDAdmin%xxxx.xxxx -S citdcfl02.cit.ucar.edu


Create the required keytab entries in /etc/krb5.keytab:

net ads keytab create -UACDAdmin%xxxx.xxxx
net ads keytab add HTTP -UACDAdmin%xxxx.xxxx
chown apache.root /etc/krb5.keytab

In htaccess (or <Location>, etc.):

AuthName "Please enter your CIT Password to continue"
AuthType Kerberos
Krb5Keytab /etc/krb5.keytab
KrbAuthRealms CIT.UCAR.EDU
KrbMethodNegotiate On
KrbMethodK5Passwd On
require valid-user

If you want to further restrict access to members of particular AD (LDAP) groups, the following configuration is working for ACOM:

AuthType Kerberos
Krb5Keytab  /etc/krb5.keytab
KrbServiceName HTTP
KrbAuthRealms CIT.UCAR.EDU
KrbMethodK5Passwd On
KrbLocalUserMapping on
KrbSaveCredentials on

AuthLDAPBindDN "acomLDAPuser@cit.ucar.edu"
AuthLDAPBindPassword "XXXXXXXXXXXXXXXXXX"
AuthLDAPURL "ldap://128.117.234.67/ou=Divisions,dc=cit,dc=ucar,dc=edu?uid"
require ldap-group cn=ACOM-ACTIVE,ou=Groups,ou=ACOM,ou=Divisions,dc=cit,dc=ucar,dc=edu

This example can be placed into a .htaccess file (or <Location>/<Directory> stanza) to allow access only to members of the specified group.
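As an added example (not from this page or from the mod_auth_kerb project), a small Python lint over the two kinds of stanza shown above. It flags the settings whose safety depends on context the stanza itself cannot show: KrbMethodK5Passwd On (password fallback over HTTP Basic, only acceptable under HTTPS), an ldap:// bind URL with no TLS mode (the bind DN and password cross the network in clear), and require valid-user (every realm account, not a group). The host names, realm, DNs and credentials in the sample stanzas are constructed.

```python
import shlex

# Two constructed Apache auth stanzas in the style of the page (sample input, not a live config).
WEAK_STANZA = """
AuthType Kerberos
Krb5Keytab /etc/krb5.keytab
KrbAuthRealms EXAMPLE.ORG
KrbMethodK5Passwd On
KrbLocalUserMapping on
AuthLDAPBindDN "svc-ldap@example.org"
AuthLDAPBindPassword "placeholder-secret"
AuthLDAPURL "ldap://ldap.example.org/ou=People,dc=example,dc=org?uid"
require valid-user
"""

HARDENED_STANZA = """
AuthType Kerberos
Krb5Keytab /etc/krb5.keytab
KrbAuthRealms EXAMPLE.ORG
KrbMethodNegotiate On
KrbMethodK5Passwd Off
KrbLocalUserMapping on
AuthLDAPBindDN "svc-ldap@example.org"
AuthLDAPBindPassword "placeholder-secret"
AuthLDAPURL "ldaps://ldap.example.org/ou=People,dc=example,dc=org?uid"
require ldap-group cn=web-admins,ou=Groups,dc=example,dc=org
"""

def parse_directives(text):
    """Return [(directive_lowercase, [args])], honouring Apache-style quoting.
    Comments and <Section> open/close tags are skipped."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = shlex.split(line)
        out.append((parts[0].lower(), parts[1:]))
    return out

def lint_auth_stanza(text):
    """Return a sorted list of finding codes for the risky patterns a stanza like the page's can show."""
    findings = set()
    for name, args in parse_directives(text):
        if name == "krbmethodk5passwd" and args and args[0].lower() == "on":
            findings.add("K5PASSWD_ON")            # Basic-auth password fallback: needs HTTPS
        elif name == "authldapurl" and args:
            mode = args[1].upper() if len(args) > 1 else "NONE"   # AuthLDAPURL url [NONE|SSL|TLS|STARTTLS]
            if args[0].lower().startswith("ldap://") and mode not in ("SSL", "TLS", "STARTTLS"):
                findings.add("LDAP_BIND_CLEARTEXT")  # bind DN/password sent unencrypted
        elif name == "require" and " ".join(args).lower() == "valid-user":
            findings.add("ANY_REALM_USER")         # informational: any realm account is authorized
    return sorted(findings)
```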
