On 05/28/2013 02:21 AM, William Muriithi wrote:
> Hello,
> This seem well documented, but I can't seem to get it working.  Not sure what 
> I
> am missing..  I will try go over it and hopefully someone may notice why I am
> failing
> I got a system enrolled to IPA and its running
> httpd-2.2.15-28.el6.centos.x86_64
> mod_auth_kerb-5.4-9.el6.x86_64
> mod_authnz_external-3.2.6-1.el6.x86_64
> I initially tried to authenticate against LDAP directly, but it didn't work at
> all.  I believe FreeIPA only use LDAP for authorization and Kerberos for
> authentication..  Is this observation correct?  I mean, can one deal with LDAP
> directly i this setup.

FreeIPA relies on Kerberos for authentication. Speaking of authorization, i.e.
who can do what, we have HBAC enforced by the SSSD. This is however not
available for httpd applications at the moment.

I would recommend using Kerberos authentication (i.e. mod_auth_kerb) instead of
LDAP binds as this will allow you to have Single Sign On (SSO) with your

> For Kerbero, went to the IPA server and generated a key tab

Note that you can get the keytab also directly on the client, ipa-getkeytab is
present in freeipa-client package.

> [root@ipa1-yyz-int wmuriithi]# kinit admin
> Password for ad...@example.loc:
> [root@ipa1-yyz-int wmuriithi]# ipa service-add 
> HTTP/git1.example....@example.loc
> ---------------------------------------------------
> Added service "HTTP/git1.example....@example.loc"
> ---------------------------------------------------
>   Principal: HTTP/git1.example....@example.loc
>   Managed by: git1.example.com <http://git1.example.com>
> [root@ipa1-yyz-int wmuriithi]# ipa-getkeytab -s ipa1-yyz-int.example.loc -p
> HTTP/git1.example.com <http://git1.example.com> -k /tmp/httpd.keytab
> Keytab successfully retrieved and stored in: /tmp/httpd.keytab
> [root@ipa1-yyz-int wmuriithi]# scp /tmp/httpd.keytab
> root@
> The authenticity of host ' (<no hostip for proxy command>)' can't 
> be
> established.
> RSA key fingerprint is cc:83:9c:95:bf:c6:a0:a4:a0:0a:dd:5a:85:85:bf:1e.
> Are you sure you want to continue connecting (yes/no)? yes
> Warning: Permanently added '' (RSA) to the list of known hosts.
> root@ <mailto:root@>'s password:
> [root@ipa1-yyz-int wmuriithi]# scp /tmp/httpd.keytab
> root@
> Then from the IPA client, I have this basic change, the bottom 
> part
> is the only pertinent section but posted the whole file in case I have done
> something silly somewhere else. 
> <VirtualHost *:80>
>     ServerName        git1.example.com <http://git1.example.com>
>     ServerAlias       git
>     DocumentRoot /var/www/git
>     <Directory /var/www/git>
>         Options       None
>         AllowOverride none
>         Order         allow,deny
>         Allow         from all
>     </Directory>
>     SuexecUserGroup gitolite3 gitolite3
>     # Set up appropriate GIT environments
>     SetEnv GIT_PROJECT_ROOT /var/lib/gitolite3/repositories
>     # Set up appropriate gitolite environments
>     SetEnv GITOLITE_HTTP_HOME /var/lib/gitolite3
>     ScriptAlias /git/ /var/www/bin/gitolite-suexec-wrapper.sh/
> <http://gitolite-suexec-wrapper.sh/>
>     ScriptAlias /gitmob/ /var/www/bin/gitolite-suexec-wrapper.sh/
> <http://gitolite-suexec-wrapper.sh/>
> <Location /git>
> #  SSLRequireSSL
>   AuthType Kerberos
>   AuthName "Kerberos Login"
>   KrbMethodNegotiate On
>   KrbMethodK5Passwd Off
>   KrbAuthRealms EXAMPLE.LOC
>   Krb5KeyTab /etc/httpd/conf/httpd.keytab
>   require valid-user
> </Location>
> </VirtualHost>

Looks OK. I have a Kerberos authenticated web app running with very similar

>  When I test it with a browser, I get the following error
> [Mon May 27 12:55:18 2013] [notice] Apache/2.2.15 (Unix) DAV/2
> mod_auth_kerb/5.4 configured -- resuming normal operations
> [Mon May 27 12:55:38 2013] [error] [client] user william:
> authentication failure for "/git": Password Mismatch
> I can ssh in to the server with the same account password, so log in details
> should be fine.  All I want to achieve is basic authentication, but I seem to
> be missing something,

If you want basic authentication (user+password), you would need to set
KrbMethodK5Passwd to "On".

> Any pointers?

I would also check that KrbAuthRealms contains correct realm. I would also
check that /etc/httpd/conf/httpd.keytab is accessible by "apache" user and has
the right SELinux context (no AVCs in audit.log).

If all this is all right, you can also enable put apache's LogLevel to debug
and watch the errors log for hints.


> Regards,
> William
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

Freeipa-users mailing list

Reply via email to