On 05/28/2013 02:21 AM, William Muriithi wrote: > Hello, > > This seem well documented, but I can't seem to get it working. Not sure what > I > am missing.. I will try go over it and hopefully someone may notice why I am > failing > > I got a system enrolled to IPA and its running > > httpd-2.2.15-28.el6.centos.x86_64 > mod_auth_kerb-5.4-9.el6.x86_64 > mod_authnz_external-3.2.6-1.el6.x86_64 > > I initially tried to authenticate against LDAP directly, but it didn't work at > all. I believe FreeIPA only use LDAP for authorization and Kerberos for > authentication.. Is this observation correct? I mean, can one deal with LDAP > directly i this setup.
FreeIPA relies on Kerberos for authentication. Speaking of authorization, i.e. who can do what, we have HBAC enforced by the SSSD. This is however not available for httpd applications at the moment. I would recommend using Kerberos authentication (i.e. mod_auth_kerb) instead of LDAP binds as this will allow you to have Single Sign On (SSO) with your application. > > For Kerbero, went to the IPA server and generated a key tab Note that you can get the keytab also directly on the client, ipa-getkeytab is present in freeipa-client package. > > [root@ipa1-yyz-int wmuriithi]# kinit admin > Password for ad...@example.loc: > [root@ipa1-yyz-int wmuriithi]# ipa service-add > HTTP/git1.example....@example.loc > --------------------------------------------------- > Added service "HTTP/git1.example....@example.loc" > --------------------------------------------------- > Principal: HTTP/git1.example....@example.loc > Managed by: git1.example.com <http://git1.example.com> > [root@ipa1-yyz-int wmuriithi]# ipa-getkeytab -s ipa1-yyz-int.example.loc -p > HTTP/git1.example.com <http://git1.example.com> -k /tmp/httpd.keytab > Keytab successfully retrieved and stored in: /tmp/httpd.keytab > [root@ipa1-yyz-int wmuriithi]# scp /tmp/httpd.keytab > email@example.com:/etc/httpd/conf/ > The authenticity of host '10.10.10.50 (<no hostip for proxy command>)' can't > be > established. > RSA key fingerprint is cc:83:9c:95:bf:c6:a0:a4:a0:0a:dd:5a:85:85:bf:1e. > Are you sure you want to continue connecting (yes/no)? yes > Warning: Permanently added '10.10.10.50' (RSA) to the list of known hosts. > firstname.lastname@example.org <mailto:email@example.com>'s password: > [root@ipa1-yyz-int wmuriithi]# scp /tmp/httpd.keytab > firstname.lastname@example.org:/etc/httpd/conf/ > > > Then from the IPA client 10.10.10.50, I have this basic change, the bottom > part > is the only pertinent section but posted the whole file in case I have done > something silly somewhere else. > > > <VirtualHost *:80> > ServerName git1.example.com <http://git1.example.com> > ServerAlias git > > > DocumentRoot /var/www/git > <Directory /var/www/git> > Options None > AllowOverride none > Order allow,deny > Allow from all > </Directory> > > SuexecUserGroup gitolite3 gitolite3 > # Set up appropriate GIT environments > SetEnv GIT_PROJECT_ROOT /var/lib/gitolite3/repositories > SetEnv GIT_HTTP_EXPORT_ALL > SetEnv REMOTE_USER=$REDIRECT_REMOTE_USER > > # Set up appropriate gitolite environments > SetEnv GITOLITE_HTTP_HOME /var/lib/gitolite3 > > > ScriptAlias /git/ /var/www/bin/gitolite-suexec-wrapper.sh/ > <http://gitolite-suexec-wrapper.sh/> > ScriptAlias /gitmob/ /var/www/bin/gitolite-suexec-wrapper.sh/ > <http://gitolite-suexec-wrapper.sh/> > > <Location /git> > # SSLRequireSSL > AuthType Kerberos > AuthName "Kerberos Login" > KrbMethodNegotiate On > KrbMethodK5Passwd Off > KrbAuthRealms EXAMPLE.LOC > Krb5KeyTab /etc/httpd/conf/httpd.keytab > require valid-user > </Location> > </VirtualHost> Looks OK. I have a Kerberos authenticated web app running with very similar configuration. > > > > When I test it with a browser, I get the following error > > [Mon May 27 12:55:18 2013] [notice] Apache/2.2.15 (Unix) DAV/2 > mod_auth_kerb/5.4 configured -- resuming normal operations > [Mon May 27 12:55:38 2013] [error] [client 10.10.10.231] user william: > authentication failure for "/git": Password Mismatch > > I can ssh in to the server with the same account password, so log in details > should be fine. All I want to achieve is basic authentication, but I seem to > be missing something, If you want basic authentication (user+password), you would need to set KrbMethodK5Passwd to "On". > > Any pointers? I would also check that KrbAuthRealms contains correct realm. I would also check that /etc/httpd/conf/httpd.keytab is accessible by "apache" user and has the right SELinux context (no AVCs in audit.log). If all this is all right, you can also enable put apache's LogLevel to debug and watch the errors log for hints. HTH, Martin > > Regards, > > William > > > _______________________________________________ > Freeipa-users mailing list > Freeipaemail@example.com > https://www.redhat.com/mailman/listinfo/freeipa-users > _______________________________________________ Freeipa-users mailing list Freeipafirstname.lastname@example.org https://www.redhat.com/mailman/listinfo/freeipa-users