Rob Visser wrote:

I would like achieve authorization on a kerberised web-page.
My idea is to use an LDAP query for group membership, i.e. the uid should be a member of a certain group in order to serve out pages.

Authentication with Kerberos gssapi works well.
I do not know how to achieve the authorization.

This is what I tried:

<Directory "/usr/share/ipa/ipatest">
 AuthType Kerberos
 AuthName "Kerberos Login"
 KrbMethodNegotiate on
 KrbMethodK5Passwd off
 KrbServiceName HTTP
 KrbAuthRealms USN.TIC
 Krb5KeyTab /etc/httpd/conf/ipa.keytab
 KrbSaveCredentials on
AuthzLDAPAuthoritative on
AuthLDAPUrl ldap://localhost/cn=users,cn=accounts,dc=usn,dc=tic?uid
Require ldap-group cn=ipausers,cn=groups,cn=accounts,dc=usn,dc=tic
Require valid-user
Satisfy all


Any help is appreciated.

You almost have it. With kerberos, REMOTE_USER is going to be set to the principal name ( You need to tweak your AuthLDAPUrl to use krbprincipalname instead of uid and it should work.


Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Freeipa-users mailing list

Reply via email to