This seems well documented, but I can't seem to get it working.  Not sure
what I am missing.  I will try to go over it and hopefully someone may notice
why I am failing.

I got a system enrolled to IPA and it's running.


I initially tried to authenticate against LDAP directly, but it didn't work
at all.  I believe FreeIPA only uses LDAP for authorization and Kerberos for
authentication.  Is this observation correct?  I mean, can one deal with
LDAP directly in this setup?

For Kerberos, I went to the IPA server and generated a keytab:

[root@ipa1-yyz-int wmuriithi]# kinit admin
Password for ad...@example.loc:
[root@ipa1-yyz-int wmuriithi]# ipa service-add
Added service "HTTP/git1.example....@example.loc"
  Principal: HTTP/git1.example....@example.loc
  Managed by: git1.example.com
[root@ipa1-yyz-int wmuriithi]# ipa-getkeytab -s ipa1-yyz-int.example.loc -p HTTP/git1.example.com -k /tmp/httpd.keytab
Keytab successfully retrieved and stored in: /tmp/httpd.keytab
[root@ipa1-yyz-int wmuriithi]# scp /tmp/httpd.keytab root@
The authenticity of host ' (<no hostip for proxy command>)'
can't be established.
RSA key fingerprint is cc:83:9c:95:bf:c6:a0:a4:a0:0a:dd:5a:85:85:bf:1e.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '' (RSA) to the list of known hosts.
root@'s password:
[root@ipa1-yyz-int wmuriithi]# scp /tmp/httpd.keytab root@

Then from the IPA client, I have this basic change.  The bottom
part is the only pertinent section, but I posted the whole file in case I have
done something silly somewhere else.

<VirtualHost *:80>
    ServerName        git1.example.com
    ServerAlias       git

    DocumentRoot /var/www/git
    <Directory /var/www/git>
        Options       None
        AllowOverride none
        Order         allow,deny
        Allow         from all
    </Directory>

    SuexecUserGroup gitolite3 gitolite3
    # Set up appropriate GIT environments
    SetEnv GIT_PROJECT_ROOT /var/lib/gitolite3/repositories

    # Set up appropriate gitolite environments
    SetEnv GITOLITE_HTTP_HOME /var/lib/gitolite3

    ScriptAlias /git/ /var/www/bin/gitolite-suexec-wrapper.sh/
    ScriptAlias /gitmob/ /var/www/bin/gitolite-suexec-wrapper.sh/

<Location /git>
#  SSLRequireSSL
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate On
  KrbMethodK5Passwd Off
  KrbAuthRealms EXAMPLE.LOC
  Krb5KeyTab /etc/httpd/conf/httpd.keytab
  require valid-user
</Location>
</VirtualHost>

When I test it with a browser, I get the following error:

[Mon May 27 12:55:18 2013] [notice] Apache/2.2.15 (Unix) DAV/2
mod_auth_kerb/5.4 configured -- resuming normal operations
[Mon May 27 12:55:38 2013] [error] [client] user william:
authentication failure for "/git": Password Mismatch

I can ssh in to the server with the same account password, so login
details should be fine.  All I want to achieve is basic authentication, but
I seem to be missing something.

Any pointers?


Freeipa-users mailing list
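
Added example, not part of the original post: a check of the keytab that Krb5KeyTab points at, confirming that it holds HTTP/git1.example.com@EXAMPLE.LOC and is not readable by group or other. The parser follows the MIT keytab file format 0x0502; the function names and the constructed sample keytab are hypothetical.

```python
import os
import struct

def _counted(buf, p):  # uint16 length, then data; returns (bytes, next offset)
    (n,) = struct.unpack_from(">H", buf, p)
    return buf[p + 2:p + 2 + n], p + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from an MIT keytab, file format 0x0502."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a format 0x0502 keytab")
    out, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        if size <= 0:                       # negative size marks a deleted entry
            pos += 4 - size
            continue
        e, pos = data[pos + 4:pos + 4 + size], pos + 4 + size
        (ncomp,) = struct.unpack_from(">H", e, 0)
        parts, p = [], 2
        for _ in range(ncomp + 1):          # realm first, then the name components
            s, p = _counted(e, p)
            parts.append(s.decode())
        kvno = e[p + 8]                     # after name_type(4) and timestamp(4)
        (enctype,) = struct.unpack_from(">H", e, p + 9)
        _key, p = _counted(e, p + 11)       # key bytes are skipped, never returned
        if len(e) - p >= 4:                 # optional 32-bit kvno, used when nonzero
            kvno = struct.unpack_from(">I", e, p)[0] or kvno
        out.append(("/".join(parts[1:]) + "@" + parts[0], kvno, enctype))
    return out

def check_keytab(path, server_name, realm):
    """Findings for the file named by Krb5KeyTab; an empty list means both checks pass."""
    findings = []
    if os.stat(path).st_mode & 0o077:
        findings.append("keytab readable by group/other; restrict to the httpd user, mode 0600")
    with open(path, "rb") as fh:
        have = sorted({e[0] for e in parse_keytab(fh.read())})
    want = f"HTTP/{server_name}@{realm}"
    if want not in have:
        findings.append(f"{want} missing from keytab, which holds {have}")
    return findings

def sample_keytab(principal="HTTP/git1.example.com", realm="EXAMPLE.LOC", kvno=1):
    """Constructed sample: one entry with an all-zero dummy AES256 key (enctype 18)."""
    cs = lambda b: struct.pack(">H", len(b)) + b
    comps = principal.encode().split(b"/")
    body = struct.pack(">H", len(comps)) + cs(realm.encode()) + b"".join(map(cs, comps))
    body += struct.pack(">IIBH", 1, 0, kvno, 18) + cs(bytes(32)) + struct.pack(">I", kvno)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body
```

On the web server this would be called as check_keytab("/etc/httpd/conf/httpd.keytab", "git1.example.com", "EXAMPLE.LOC"), using the path, ServerName and realm from the configuration above.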