Hello,

This seems well documented, but I can't seem to get it working. Not sure what I am missing. I will try to go over it and hopefully someone may notice why I am failing.

I got a system enrolled to IPA and it's running

httpd-2.2.15-28.el6.centos.x86_64
mod_auth_kerb-5.4-9.el6.x86_64
mod_authnz_external-3.2.6-1.el6.x86_64

I initially tried to authenticate against LDAP directly, but it didn't work at all. I believe FreeIPA only uses LDAP for authorization and Kerberos for authentication. Is this observation correct? I mean, can one deal with LDAP directly in this setup?

For Kerberos, I went to the IPA server and generated a keytab:

[root@ipa1-yyz-int wmuriithi]# kinit admin
Password for ad...@example.loc:
[root@ipa1-yyz-int wmuriithi]# ipa service-add HTTP/git1.example....@example.loc
---------------------------------------------------
Added service "HTTP/git1.example....@example.loc"
---------------------------------------------------
  Principal: HTTP/git1.example....@example.loc
  Managed by: git1.example.com
[root@ipa1-yyz-int wmuriithi]# ipa-getkeytab -s ipa1-yyz-int.example.loc -p HTTP/git1.example.com -k /tmp/httpd.keytab
Keytab successfully retrieved and stored in: /tmp/httpd.keytab
[root@ipa1-yyz-int wmuriithi]# scp /tmp/httpd.keytab root@10.10.10.50: /etc/httpd/conf/
The authenticity of host '10.10.10.50 (<no hostip for proxy command>)' can't be established.
RSA key fingerprint is cc:83:9c:95:bf:c6:a0:a4:a0:0a:dd:5a:85:85:bf:1e.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.10.10.50' (RSA) to the list of known hosts.
root@10.10.10.50's password:
[root@ipa1-yyz-int wmuriithi]# scp /tmp/httpd.keytab root@10.10.10.50: /etc/httpd/conf/

Then from the IPA client 10.10.10.50, I have this basic change. The bottom part is the only pertinent section, but I posted the whole file in case I have done something silly somewhere else.

<VirtualHost *:80>
    ServerName git1.example.com
    ServerAlias git
    DocumentRoot /var/www/git
    <Directory /var/www/git>
        Options None
        AllowOverride none
        Order allow,deny
        Allow from all
    </Directory>
    SuexecUserGroup gitolite3 gitolite3
    # Set up appropriate GIT environments
    SetEnv GIT_PROJECT_ROOT /var/lib/gitolite3/repositories
    SetEnv GIT_HTTP_EXPORT_ALL
    SetEnv REMOTE_USER=$REDIRECT_REMOTE_USER
    # Set up appropriate gitolite environments
    SetEnv GITOLITE_HTTP_HOME /var/lib/gitolite3
    ScriptAlias /git/ /var/www/bin/gitolite-suexec-wrapper.sh/
    ScriptAlias /gitmob/ /var/www/bin/gitolite-suexec-wrapper.sh/
    <Location /git>
        # SSLRequireSSL
        AuthType Kerberos
        AuthName "Kerberos Login"
        KrbMethodNegotiate On
        KrbMethodK5Passwd Off
        KrbAuthRealms EXAMPLE.LOC
        Krb5KeyTab /etc/httpd/conf/httpd.keytab
        require valid-user
    </Location>
</VirtualHost>

When I test it with a browser, I get the following error:

[Mon May 27 12:55:18 2013] [notice] Apache/2.2.15 (Unix) DAV/2 mod_auth_kerb/5.4 configured -- resuming normal operations
[Mon May 27 12:55:38 2013] [error] [client 10.10.10.231] user william: authentication failure for "/git": Password Mismatch

I can ssh in to the server with the same account password, so login details should be fine. All I want to achieve is basic authentication, but I seem to be missing something. Any pointers?

Regards,
William
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
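
The keytab steps above, as an added example that is not part of the original post: shell checks that the keytab copied to the web server is not world-accessible and that `klist -k` lists a key for the HTTP service principal. The function names and the sample listing are constructed; the host name and realm are taken from the post's ipa-getkeytab command and KrbAuthRealms setting.

```sh
#!/bin/sh
# Added example, not from the original post. Function names and the sample
# keytab listing are constructed for illustration.

# Succeeds if the keytab exists and grants no permissions to "other".
# A keytab holds the service's long-term keys, so it should be readable
# only by the account httpd runs as (plus root).
keytab_not_world_accessible() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1") || return 1   # GNU stat, e.g. 600 or 644
    case "$mode" in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}

# Reads `klist -k <keytab>` output on stdin and succeeds if it lists a key
# for HTTP/<host>@<realm>. $1 = host name, $2 = Kerberos realm.
keytab_has_principal() {
    awk -v want="HTTP/$1@$2" '
        { for (i = 1; i <= NF; i++) if ($i == want) found = 1 }
        END { exit !found }'
}

# Constructed sample of `klist -k /etc/httpd/conf/httpd.keytab` output.
sample_listing() {
    cat <<'EOF'
Keytab name: FILE:/etc/httpd/conf/httpd.keytab
KVNO Principal
---- ----------------------------------------------------------------
   1 HTTP/git1.example.com@EXAMPLE.LOC
EOF
}

# Demo against the sample: ServerName has a key, the ServerAlias does not.
for host in git1.example.com git; do
    if sample_listing | keytab_has_principal "$host" EXAMPLE.LOC; then
        echo "HTTP/$host@EXAMPLE.LOC: key present"
    else
        echo "HTTP/$host@EXAMPLE.LOC: no key in keytab"
    fi
done
```

On the web server the same functions can be fed real data, for example `klist -k /etc/httpd/conf/httpd.keytab | keytab_has_principal git1.example.com EXAMPLE.LOC`.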