We are planning to configure Kerberos authentication on Apache HTTPD Server 2.4.37 installed on RHEL 8.5. According to Red Hat, the mod_auth_kerb module has been deprecated and replaced by mod_auth_gssapi. We have the virtual host configuration for Kerberos (from the old setup) but don't know what the equivalent settings are for the gssapi module.
# Old-setup virtual host: authenticates every request with Kerberos (mod_auth_kerb),
# then reverse-proxies it to an AJP backend, passing the authenticated user name
# in the X-User-Global-ID request header.
#
# Modules used below: header editing, URL rewriting, reverse proxy (HTTP and AJP).
# NOTE(review): /usr/lib/apache2/modules is the old host's module path; confirm the
# module directory on the RHEL 8.5 target before reusing these lines.
LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so
LoadModule rewrite_module /usr/lib/apache2/modules/mod_rewrite.so
LoadModule proxy_module /usr/lib/apache2/modules/mod_proxy.so
LoadModule proxy_http_module /usr/lib/apache2/modules/mod_proxy_http.so
LoadModule proxy_ajp_module /usr/lib/apache2/modules/mod_proxy_ajp.so
# Kerberos module from the old setup; this is the one to be replaced by mod_auth_gssapi.
LoadModule auth_kerb_module /usr/lib/apache2/modules/mod_auth_kerb.so
<VirtualHost *:10080>
# No SSL/TLS directives appear in this virtual host.
# NOTE(review): confirm TLS is terminated elsewhere, otherwise the Negotiate exchange
# and the proxied traffic cross the network unencrypted.
#
# Access control for proxied requests: open to all clients at this level;
# authentication is enforced in <Location /> further down.
# NOTE(review): Order/Allow are 2.2-style directives; on httpd 2.4 they work only with
# mod_access_compat loaded. The native 2.4 form is "Require all granted".
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
# Reverse proxy only: forward (open) proxying is switched off.
ProxyRequests Off
# Pass the client's original Host header through to the backend.
ProxyPreserveHost On
# Send every path to the AJP connector on the local machine.
# NOTE(review): the backend presumably trusts X-User-Global-ID as the user identity;
# verify the AJP port (8009) is reachable only from this proxy (loopback bind), since
# anything that can reach it directly can supply that header itself.
ProxyPass / ajp://localhost:8009/
ProxyPassReverse / ajp://localhost:8009/
ServerName mywebserver.intdomain.local
<Location />
# 2.2-style host access rule (see the note on <Proxy *> above); allows all hosts.
Order allow,deny
Allow from all
# NOTE(review): with mod_auth_gssapi the auth type is "AuthType GSSAPI" -- verify
# against the module documentation for the installed version.
AuthType Kerberos
# Service principal the server authenticates as.
KrbServiceName HTTP/mywebserver.intdomain.local@INTDOMAIN.LOCAL
AuthName "Domain login"
# Realm accepted for authentication.
KrbAuthRealms INTDOMAIN.LOCAL
# Keytab holding the key of the service principal. Anyone who can read this file can
# impersonate the service, so it should be readable by the httpd account only.
# NOTE(review): the closest mod_auth_gssapi setting is "GssapiCredStore keytab:<path>"
# -- verify before use.
Krb5KeyTab /etc/apache2/kerberos.keytab
# Any successfully authenticated principal is allowed; no per-user or group restriction.
require valid-user
# Accept Negotiate (SPNEGO) tickets from the browser.
KrbMethodNegotiate On
# Do not fall back to asking for a password via Basic authentication, so user
# passwords are never sent to this server.
# NOTE(review): the mod_auth_gssapi counterpart is GssapiBasicAuth; keep it Off.
KrbMethodK5Passwd Off
# Disabled: would map the principal to a local user name (realm stripped).
#KrbLocalUserMapping On
# The directives below put the logon name of the authenticated user into the HTTP request header X-User-Global-ID
# First discard any X-User-Global-ID supplied by the client, so the value that reaches
# the backend can only come from the authenticated REMOTE_USER.
RequestHeader unset X-User-Global-ID
RewriteEngine On
# LA-U performs a look-ahead subrequest to obtain REMOTE_USER at rewrite time;
# the condition matches only when it is non-empty and captures it as %1.
RewriteCond %{LA-U:REMOTE_USER} (.+)
# No URL substitution ("-"): store the captured user in environment variable RU,
# stop rule processing (L), and skip internal subrequests (NS).
RewriteRule /.* - [E=RU:%1,L,NS]
# Copy the environment variable RU into the header forwarded to the backend.
RequestHeader set X-User-Global-ID %{RU}e
# Remove domain suffix to get the simple logon name
# Disabled: while this stays commented out, the header presumably carries the full
# principal including "@INTDOMAIN.LOCAL" -- confirm what the backend expects.
# RequestHeader edit X-User-Global-ID "@INTDOMAIN.LOCAL$" ""
</Location>
</VirtualHost>
# Port the virtual host above is served on.
Listen 10080
Cheers
-Vicky