Hi.

I am trying to get mod_auth_kerb and mod_authnz_ldap to work together, in such a way that it first tries to authenticate the user using Kerberos, and if mod_auth_kerb cannot authenticate the user, then it tries using mod_authnz_ldap.

That way I could provide a password-protected site, where if people have set up Kerberos, they get a single-sign-on experience; if not, they get the usual prompt for a username and password.

mod_auth_kerb has an option so it's not authoritative (KrbAuthoritative off).

When trying to log in using Google Chrome (which doesn't support Kerberos), I get prompted for a user id and password, which then fails with an error 401.

And tracing the mod_auth_kerb module code, as expected, it returns DECLINED if it can't authenticate the user. From then, the theory would be that it is passed on to a lower authentication module.

    [Tue Sep 21 16:47:01 2010] [debug] src/mod_auth_kerb.c(1667): [client 192.168.0.9] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
    [Tue Sep 21 16:47:01 2010] [debug] src/mod_auth_kerb.c(1001): [client 192.168.0.9] Using Any/server4-2.private.domain.com@xxxxxxxxxxxx as server principal for password verification
    [Tue Sep 21 16:47:01 2010] [debug] src/mod_auth_kerb.c(698): [client 192.168.0.9] Trying to get TGT for user avenardj@xxxxxxxxxxxx
    [Tue Sep 21 16:47:01 2010] [error] [client 192.168.0.9] krb5_get_init_creds_password() failed: Client not found in Kerberos database
    [Tue Sep 21 16:47:01 2010] [debug] src/mod_auth_kerb.c(1080): [client 192.168.0.9] kerb_authenticate_user_krb5pwd ret=-1 user=(NULL) authtype=(NULL)
    [Tue Sep 21 16:47:01 2010] [error] [client 192.168.0.9] access to /test/ failed, reason: verification of user id '<null>' not configured

That last line shows that the module that gets used after is mod_authn_default (from searching in the source code).

    Alias /test /usr/local/www/test
    <Directory /usr/local/www/test>
        SSLRequireSSL
        AuthLDAPURL ldaps://blah?uid
        AuthLDAPGroupAttributeIsDN off
        AuthLDAPGroupAttribute memberUid
        AuthLDAPRemoteUserAttribute uid
        AuthLDAPRemoteFirstUserAttribute on
        AuthzLDAPRemoteUserAttribute on
        AllowOverride all
        AuthType Kerberos
        AuthName "Kerberos Login"
        KrbMethodNegotiate On
        KrbMethodK5Passwd On
        KrbAuthRealms M.DOMAIN.COM
        Krb5KeyTab /usr/local/etc/apache22/server4.keytab
        KrbServiceName Any
        KrbLocalUserMapping on
        KrbAuthoritative off
        AuthBasicProvider ldap
        require ldap-user uid=jeanyves_avenard,cn=users,dc=m,dc=company,dc=com)
        Order allow,deny
        Allow from all
    </Directory>

The module loading order in httpd.conf is:

    LoadModule authnz_ldap_module libexec/apache22/mod_authnz_ldap.so
    LoadModule auth_kerb_module libexec/apache22/mod_auth_kerb.so

So mod_authnz_ldap has a lower priority than mod_auth_kerb.

If I am to use Kerberos it works fine, and if I change AuthType Kerberos into AuthType Basic, then login using the LDAP user credentials is fine...

Is there anything I am missing? How could I trace the order in which modules are called for authentication?

Thanks
Jean-Yves
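The fall-through described in the post, as an added example that is not part of the original message or of Apache's code: a simplified Python model of the Apache 2.2 check_user_id hook chain, producing the same final log message as the trace above. It assumes, as in Apache 2.2, that the ldap provider is reached only through mod_auth_basic, which declines unless AuthType is Basic; all function names, dictionary keys and credentials are constructed for illustration.

```python
# Simplified model of the Apache 2.2 check_user_id hook chain (added example,
# not Apache source). All function and key names here are hypothetical.
DECLINED, OK, HTTP_UNAUTHORIZED = -1, 0, 401

# Constructed stand-in for the LDAP directory behind AuthLDAPURL.
LDAP_USERS = {"jeanyves_avenard": "ldap-secret"}

def ldap_provider(user, password):
    """mod_authnz_ldap as an authn provider: only mod_auth_basic calls it."""
    return LDAP_USERS.get(user) == password

def mod_auth_kerb(req, conf):
    if conf["AuthType"].lower() != "kerberos":
        return DECLINED
    if req.get("kerberos_valid"):
        return OK
    # KrbAuthoritative off: decline so that later hooks can try.
    return HTTP_UNAUTHORIZED if conf["KrbAuthoritative"] else DECLINED

def mod_auth_basic(req, conf):
    # Assumption from Apache 2.2 behaviour: providers run only for AuthType Basic.
    if conf["AuthType"].lower() != "basic":
        return DECLINED
    if conf["AuthBasicProvider"] == "ldap" and ldap_provider(req["user"], req["password"]):
        return OK
    return HTTP_UNAUTHORIZED

def mod_authn_default(req, conf):
    # Last-resort hook: no module claimed the request, so it is refused.
    req["log"] = "verification of user id '<null>' not configured"
    return HTTP_UNAUTHORIZED

HOOKS = [mod_auth_kerb, mod_auth_basic, mod_authn_default]

def check_user_id(req, conf):
    """Run hooks in order; the first result other than DECLINED is final."""
    trace = []
    for hook in HOOKS:
        status = hook(req, conf)
        trace.append((hook.__name__, status))
        if status != DECLINED:
            return status, trace
    return HTTP_UNAUTHORIZED, trace

if __name__ == "__main__":
    conf = {"AuthType": "Kerberos", "KrbAuthoritative": False, "AuthBasicProvider": "ldap"}
    req = {"user": "jeanyves_avenard", "password": "ldap-secret", "kerberos_valid": False}
    print(check_user_id(req, conf))
```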