Does anyone have any thoughts, suggestions, pointers, tips or references on this issue? Thanks!

On Mon, September 24, 2007 8:44 pm, Joel Johnson wrote:
> I'm setting up a site using Apache httpd 2.2 and an existing Kerberos
> infrastructure and would like to optionally allow users to have single
> sign-on with an existing Kerberos ticket. I'm using the Debian packaged [1]
> mod_auth_kerb [2] to accomplish the authentication, which is all working
> smoothly.
>
> The problem I'm running into is in designating the authentication as
> *optional*. For example, I'd like to set up a wiki at wiki. and have the
> contents publicly accessible, but require authentication for edits. I'd like
> to first offer Kerberos authentication, but if that fails then still allow
> access. The application would then check REMOTE_USER and honor its value
> if set, or fall back to internal authentication if desired. This will also
> allow me to configure the server such that if a user is local and has
> Kerberos credentials they are seamlessly authenticated, but if not then I
> can have a login screen authenticating internally against the same source.
> There are several different ways that I will use this, but they all rely on
> optional authentication support.
>
> The working exclusively-Kerberos relevant config is simply:
>
>     AuthType Kerberos
>     require valid-user
>
> I've tried using a "Satisfy any" directive as follows, but the "Allow from
> all" seems to take precedence over any other method:
>
>     AuthType Kerberos
>     require valid-user
>     Allow from all
>     Satisfy any
>
> I've also considered using a "KrbAuthoritative Off" directive to allow
> checking to fall through to the next module, but I can't find an
> authentication module with "accept all" semantics.
>
> One option does look promising, but it is only available in trunk/2.3, which
> I can't switch to for this project, but the following should work
> (corrections on assumption are welcome) by using two authorization
> providers with a single authentication method:
>
>     AuthType Kerberos
>     <SatisfyOne>
>         Require valid-user
>         Require all allowed
>     </SatisfyOne>
>
> My goals are that I'd like the location to be available to all, and if
> authorized that is an extra bonus and allows seamlessness, customized
> content and others, but it should *not* be a requirement. Additionally, I
> want the content to be available under a single canonical URI which will be
> well-known, so symlinking directories with different <Location>s is not an
> option.
>
> If I've missed something simple, I'd love to have it pointed out, or if
> there is a best practice for this sort of setup please share!
>
> Many thanks for any guidance or pointers!
>
> The script that I'm using to do basic testing on the authentication is
> (basically, I also have some logic to remove the Kerberos realm that isn't
> included):
>
>     <?php
>     if (empty($_SERVER['REMOTE_USER'])) {
>         echo "You weren't automatically logged in, we'll have to do it locally.";
>     } else {
>         // The realm-stripping logic mentioned above is not included here;
>         // the principal is used as given so that $username is defined.
>         $username = $_SERVER['REMOTE_USER'];
>         // Escape before echoing into HTML, since the principal is not HTML-safe.
>         echo "Congratulations " . htmlspecialchars($username) . ", you've logged on successfully!";
>         echo "REMOTE_USER = " . htmlspecialchars($_SERVER['REMOTE_USER']) . " <br>";
>     }
>     ?>
>
> [1] http://packages.debian.org/etch/libapache2-mod-auth-kerb
> [2] http://modauthkerb.sourceforge.net/
>
> --
> Joel Johnson
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
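The application-side check the quoted post describes (honor REMOTE_USER if set, otherwise fall back to internal login), as an added example that is not code from the thread. It parses REMOTE_USER as user@REALM and strips the realm only after confirming the realm is one the application trusts; TRUSTED_REALMS and the sample environments are constructed assumptions.

```python
"""Deciding whether to trust an optional Kerberos SSO result.

Apache sets REMOTE_USER to the authenticated principal (e.g. 'alice@EXAMPLE.ORG')
when mod_auth_kerb succeeds and leaves it unset when authentication is skipped.
"""
from typing import Optional

# Constructed: the only realm(s) this wiki accepts for single sign-on.
TRUSTED_REALMS = frozenset({"EXAMPLE.ORG"})


def sso_user(environ: dict, trusted_realms=TRUSTED_REALMS) -> Optional[str]:
    """Return the local username for a trusted principal, else None.

    None means 'no usable SSO identity, fall back to the local login form'.
    """
    principal = environ.get("REMOTE_USER", "")
    if not principal:
        return None                      # no ticket presented: auth is optional
    user, sep, realm = principal.rpartition("@")
    if not sep or not user or not realm:
        return None                      # not user@REALM: do not trust it
    if realm.upper() not in trusted_realms:
        return None                      # foreign realm: require local login
    # Strip the realm only after it has been checked, so that 'bob@OTHER.REALM'
    # can never be collapsed into the local account 'bob'.
    return user


def page_for(environ: dict) -> str:
    """Mirror the thread's test script: greet SSO users, else offer local login."""
    user = sso_user(environ)
    if user is None:
        return "You weren't automatically logged in, we'll have to do it locally."
    return f"Congratulations {user}, you've logged on successfully!"


if __name__ == "__main__":
    # Constructed sample CGI environments as Apache would hand them to the app.
    for env in ({},
                {"REMOTE_USER": "alice@EXAMPLE.ORG"},
                {"REMOTE_USER": "bob@OTHER.REALM"}):
        print(env.get("REMOTE_USER", "<unset>"), "->", page_for(env))
```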