Kerberos user authentication in Apache
09-06-2019
Question
Can anybody recommend some really good resources for how to get Apache authenticating users with Kerberos?
Background reading on Kerberos would also be useful.
Thanks
Peter
Solution
mod_auth_kerb is a good start: http://modauthkerb.sourceforge.net/. If you need Active Directory support, look here: http://support.microsoft.com/?id=555092.
OTHER TIPS
I found mod_auth_spnego also quite okay, as it can use SSPI on Windows instead of requiring MIT Kerberos. mod_spnego
Here's an example using Active Directory as the KDC: http://oslabs.mikro-net.com/krb_apache.html
I liked this article about configuring Apache to use Kerberos:
http://www.roguelynn.com/words/apache-kerberos-for-django/
(you may skip the parts about Django if you are not interested)
EDIT:
Fullblown answer
It is pretty easy to configure Apache to use Kerberos authentication.
I am assuming you have correctly configured Kerberos on your machine.
1) Your webserver has to have a keytab [1].
Bottom line, your webserver has to be able to read the keytab!
2) You have to have the proper httpd module for authentication, mod_auth_kerb:
    LoadModule auth_kerb_module modules/mod_auth_kerb.so
3) Then you have to tell Apache about Kerberos:
    <Location />
        AuthName "Kerberos Authentication -- this will be showed to users via BasicAuth"
        AuthType Kerberos
        KrbMethodNegotiate On
        KrbMethodK5Passwd Off
        # this is the principal from your keytab (you may lose the FQDN part)
        KrbServiceName HTTP/$FQDN
        KrbAuthRealms KERBEROS_DOMAIN
        Krb5KeyTab /path/to/http.keytab
        Require valid-user
        # No "Order Deny,Allow" / "Deny from all" here: with the default
        # "Satisfy All" that pair rejects every request, valid ticket or not.
    </Location>
Then Apache will pass the user to your app via the REMOTE_USER HTTP header.
And that's it.
I also advise you to turn on debug logging in Apache during setup. Be sure that you have the correct time and that httpd can read the keytab, that's all.
[1] http://kb.iu.edu/data/aumh.html
[2] Main resource: http://www.roguelynn.com/words/apache-kerberos-for-django/