I would like achieve authorization on a kerberised web-page.
My idea is to use an LDAP query for group membership, i.e. the uid should be
a member of a certain group in order to serve out pages.

Authentication with Kerberos gssapi works well.
I do not know how to achieve the authorization.

This is what I tried:

<Directory "/usr/share/ipa/ipatest">
 AuthType Kerberos
 AuthName "Kerberos Login"
 KrbMethodNegotiate on
 KrbMethodK5Passwd off
 KrbServiceName HTTP
 KrbAuthRealms USN.TIC
 Krb5KeyTab /etc/httpd/conf/ipa.keytab
 KrbSaveCredentials on
AuthzLDAPAuthoritative on
AuthLDAPUrl ldap://localhost/cn=users,cn=accounts,dc=usn,dc=tic?uid
Require ldap-group cn=ipausers,cn=groups,cn=accounts,dc=usn,dc=tic
Require valid-user
Satisfy all


Any help is appreciated.

Rob Visser
Freeipa-users mailing list

Reply via email to