Question

Can anybody recommend some really good resources for how to get Apache authenticating users with Kerberos?

Background reading on Kerberos would also be useful.

Thanks

Peter

Solution

mod_auth_kerb is a good start: http://modauthkerb.sourceforge.net/. If you need Active Directory support, look here: http://support.microsoft.com/?id=555092.

OTHER TIPS

I found mod_auth_spnego also quite okay, as it can use SSPI on Windows instead of requiring MIT Kerberos. mod_spnego

Here's an example using Active Directory as the KDC: http://oslabs.mikro-net.com/krb_apache.html

I liked this article about configuring Apache to use Kerberos:

http://www.roguelynn.com/words/apache-kerberos-for-django/

(You may skip the parts about Django if you are not interested.)

EDIT:

Fullblown answer

It is pretty easy to configure Apache to use Kerberos authentication.

I am assuming you have correctly configured Kerberos on your machine.

1) Your webserver has to have a keytab [1].

Bottom line, your webserver has to be able to read the keytab!

2) You have to have the proper httpd module for authentication -- mod_auth_kerb:

LoadModule auth_kerb_module modules/mod_auth_kerb.so

3) Then you have to tell Apache about Kerberos:

<Location /> 
    AuthName "Kerberos Authentication -- this will be showed to users via BasicAuth"
    AuthType Kerberos
    KrbMethodNegotiate On
    KrbMethodK5Passwd Off
    # this is the principal from your keytab (you may lose the FQDN part)
    KrbServiceName HTTP/$FQDN
    KrbAuthRealms KERBEROS_DOMAIN
    Krb5KeyTab /path/to/http.keytab
    Require valid-user

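    # Apache 2.2-style host access control; under the default "Satisfy All"
    # it has to pass in addition to Require valid-user
    Order Deny,Allow
    Deny from all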
</Location>

Then Apache will pass the user to your app via the REMOTE_USER HTTP header.

And that's it.

I also advise you to turn on debug logging in Apache during setup. Be sure that you have the correct time and that httpd can read the keytab; that's all.

[1] http://kb.iu.edu/data/aumh.html

[2] Main resource: http://www.roguelynn.com/words/apache-kerberos-for-django/
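
A pre-flight check for step 1 and the KrbServiceName / Krb5KeyTab lines above, as an added example that is not part of the original answer: it parses the MIT keytab file format (version 0x0502) to confirm the service principal is present and that the file is not open to every local user. The function names, the www.example.com principal and the sample keytab bytes are constructed for illustration.

```python
import os
import stat
import struct

def keytab_principals(data):
    """Return [(principal, kvno, enctype)] from keytab bytes (MIT format 0x0502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                 # negative size marks a deleted entry (hole)
            pos += -size
            continue
        rec, p = data[pos:pos + size], 2
        pos += size
        (ncomp,) = struct.unpack_from(">H", rec, 0)   # components, realm excluded
        def counted():                # 16-bit length followed by that many bytes
            nonlocal p
            (n,) = struct.unpack_from(">H", rec, p)
            p += 2 + n
            return rec[p - n:p].decode()
        realm = counted()
        name = "/".join(counted() for _ in range(ncomp))
        p += 8                        # skip name type and timestamp
        kvno = rec[p]
        enctype, klen = struct.unpack_from(">HH", rec, p + 1)
        p += 5 + klen                 # skip kvno byte, enctype, key length, key
        if len(rec) - p >= 4:         # optional 32-bit kvno replaces the 8-bit one
            (kvno,) = struct.unpack_from(">I", rec, p)
        entries.append((f"{name}@{realm}", kvno, enctype))
    return entries

def check_keytab(path, principal):
    """Return problems that would keep httpd from using this keytab safely."""
    problems = []
    if stat.S_IMODE(os.stat(path).st_mode) & 0o007:
        problems.append("keytab is accessible to all local users")
    with open(path, "rb") as fh:
        names = {entry[0] for entry in keytab_principals(fh.read())}
    if principal not in names:
        problems.append(f"{principal} not in keytab (has: {sorted(names)})")
    return problems

# Constructed sample: HTTP/www.example.com@EXAMPLE.COM, kvno 3, all-zero AES256 key
SAMPLE_ENTRY = (struct.pack(">H", 2) + b"\x00\x0bEXAMPLE.COM" + b"\x00\x04HTTP"
    + b"\x00\x0fwww.example.com" + struct.pack(">IIBHH", 1, 0, 3, 18, 32) + bytes(32))
SAMPLE_KEYTAB = b"\x05\x02" + struct.pack(">i", len(SAMPLE_ENTRY)) + SAMPLE_ENTRY
```

Run check_keytab as the account httpd runs under, so that a keytab the server cannot read shows up as a PermissionError rather than passing silently.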

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow