I'm setting up a site using Apache httpd 2.2 and an existing Kerberos infrastructure and would like to optionally allow users to have single sign-on with an existing Kerberos ticket. I'm using the Debian packaged [1] mod_auth_kerb [2] to accomplish the authentication, which is all working smoothly. The problem I'm running into is in designating the authentication as *optional*.

For example, I'd like to set up a wiki at wiki.and have the contents publicly accessible, but require authentication for edits. I'd like to first offer Kerberos authentication, but if that fails then still allow access. The application would then check REMOTE_USER and honor its value if set, or fall back to internal authentication if desired. This will also allow me to configure the server such that if a user is local and has Kerberos credentials they are seamlessly authenticated, but if not then I can have a login screen authenticating internally against the same source. There are several different ways that I will use this, but they all rely on optional authentication support.

The working exclusively-Kerberos relevant config is simply:

    AuthType Kerberos
    require valid-user

I've tried using a "Satisfy any" directive as follows, but the "Allow from all" seems to take precedence over any other method:

    AuthType Kerberos
    require valid-user
    Allow from all
    Satisfy any

I've also considered using a "KrbAuthoritative Off" directive to allow checking to fall through to the next module, but I can't find an authentication module with "accept all" semantics.
One option does look promising, but it is only available in trunk/2.3, which I can't switch to for this project, but the following should work (corrections on this assumption are welcome) by using two authorization providers with a single authentication method:

    AuthType Kerberos
    <SatisfyOne>
        Require valid-user
        Require all allowed
    </SatisfyOne>

My goals are that I'd like the location to be available to all, and if authorized that is an extra bonus and allows seamlessness, customized content and others, but it should *not* be a requirement. Additionally, I want the content to be available under a single canonical URI which will be well-known, so symlinking directories with different <Location>s is not an option.

If I've missed something simple, I'd love to have it pointed out, or if there is a best practice for this sort of setup please share! Many thanks for any guidance or pointers!

The script that I'm using to do basic testing on the authentication is (basically, I also have some logic to remove the Kerberos realm that isn't included):

    <?php
    if (empty($_SERVER['REMOTE_USER'])) {
        echo "You weren't automatically logged in, we'll have to do it locally.";
    } else {
        // $username is set by the realm-removal logic that is not included here
        echo "Congratulations $username, you've logged on successfully!";
        echo "REMOTE_USER = {$_SERVER['REMOTE_USER']} <br>";
    }
    ?>

[1] http://packages.debian.org/etch/libapache2-mod-auth-kerb
[2] http://modauthkerb.sourceforge.net/

-- 
Joel Johnson
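
The message above has the application honor REMOTE_USER when set and strip the Kerberos realm before use. The sketch below shows that step checking the realm before discarding it, so a principal from another realm is never mapped onto a local account of the same name. It is an added example, not part of the original message; the realm EXAMPLE.COM, the username pattern and the function name kerberos_local_user are assumptions.

```php
<?php
// Assumption: the only realm whose principals map to local accounts (constructed value).
const TRUSTED_REALM = 'EXAMPLE.COM';

/**
 * Map the REMOTE_USER set by mod_auth_kerb ("user@REALM") to a local
 * username, or return null so the caller falls back to internal login.
 * Hypothetical helper, not from the original post.
 */
function kerberos_local_user(array $server): ?string
{
    $principal = $server['REMOTE_USER'] ?? '';
    if (!is_string($principal) || $principal === '') {
        return null; // no Kerberos authentication took place
    }
    // Split on the last '@': name on the left, realm on the right.
    $at = strrpos($principal, '@');
    if ($at === false) {
        return null; // no realm present, so its origin cannot be checked
    }
    $name  = substr($principal, 0, $at);
    $realm = substr($principal, $at + 1);
    // Realm names are case-sensitive; require an exact match.
    if ($realm !== TRUSTED_REALM) {
        return null; // alice@OTHER.EXAMPLE is not the local alice
    }
    // Accept plain user principals only; this rejects service principals
    // such as HTTP/host and any character the application does not expect.
    if (!preg_match('/\A[a-z][a-z0-9._-]{0,31}\z/', $name)) {
        return null;
    }
    return $name;
}

// Constructed sample inputs standing in for $_SERVER.
$samples = [
    [],                                         // anonymous visitor
    ['REMOTE_USER' => 'alice@EXAMPLE.COM'],     // trusted realm
    ['REMOTE_USER' => 'alice@OTHER.EXAMPLE'],   // same name, different realm
    ['REMOTE_USER' => 'HTTP/wiki@EXAMPLE.COM'], // service principal
];
foreach ($samples as $server) {
    $user = kerberos_local_user($server);
    echo $user === null
        ? "anonymous: offer internal login\n"
        : "kerberos user: $user\n";
}
```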