I have been attempting to use my 4.1.4 FreeIPA server to authenticate
folders on a web server as a replacement for the normal htaccess feature. I
do require group authentication. I have tried just about every online example and
have only been able to get basic LDAP and basic Kerberos authentication. How
do I go about getting group-based authentication working?

I have tried to add the following to either example below and had no luck. I
added the httpbind user from an LDIF file from the examples. I created a user
group named htaccess and added the users to it.

# Service account Apache binds as for the user and group lookups
AuthLDAPBindDN uid=httpbind,cn=sysaccounts,cn=etc,dc=test,dc=com
# Compare the user name, not the user DN, against the group's membership attribute
AuthLDAPGroupAttributeIsDN off
# Search the whole suffix for an entry whose uid equals the authenticated user name
AuthLDAPUrl ldap://ipa.test.com/dc=test,dc=com?uid
# Only members of the htaccess group in the compat tree are allowed
Require ldap-group cn=htaccess,cn=groups,cn=compat,dc=test,dc=com

My error logs look like:

[Mon May 18 14:31:19 2015] [debug] src/mod_auth_kerb.c(1944): [client xxx.xxx.xxx.xxx] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Mon May 18 14:31:19 2015] [debug] src/mod_auth_kerb.c(1032): [client xxx.xxx.xxx.xxx] Using HTTP/server1.test....@test.com as server principal for password verification
[Mon May 18 14:31:19 2015] [debug] src/mod_auth_kerb.c(736): [client xxx.xxx.xxx.xxx] Trying to get TGT for user js...@test.com
[Mon May 18 14:31:19 2015] [debug] src/mod_auth_kerb.c(646): [client xxx.xxx.xxx.xxx] Trying to verify authenticity of KDC using principal
[Mon May 18 14:31:19 2015] [debug] src/mod_auth_kerb.c(1111): [client xxx.xxx.xxx.xxx] kerb_authenticate_user_krb5pwd ret=0 user=js...@test.com
[Mon May 18 14:31:19 2015] [debug] mod_authnz_ldap.c(727): [client xxx.xxx.xxx.xxx] ldap authorize: Creating LDAP req structure
[Mon May 18 14:31:19 2015] [debug] mod_authnz_ldap.c(739): [client xxx.xxx.xxx.xxx] auth_ldap authorise: User DN not found, LDAP: ldap_simple_bind_s() failed

I have this working:

 <Location /private>
    AuthName "LDAP Authentication"
    AuthType Basic
    # AuthzLDAP* directives belong to mod_authz_ldap, a different module from mod_authnz_ldap (AuthLDAP*)
    AuthzLDAPMethod ldap
    AuthzLDAPServer ipa.test.com
    # Look the user up by uid under the compat users container
    AuthzLDAPUserBase cn=users,cn=compat,dc=test,dc=com
    AuthzLDAPUserKey uid
    AuthzLDAPUserScope base
    Require valid-user
 </Location>


And this is working:

 <Location /private>
    AuthName "KERBEROS Authentication"
    AuthType Kerberos
    KrbServiceName HTTP
    KrbMethodK5Passwd On
    KrbSaveCredentials On
    KrbMethodNegotiate On
    KrbAuthRealms TEST.COM
    Krb5KeyTab /etc/httpd/conf.d/keytab

    # mod_auth_kerb sets the user name to the full principal (user@REALM), so match on krbPrincipalName
    AuthLDAPUrl ldap://ipa.test.com/dc=test,dc=com?krbPrincipalName
    Require valid-user
 </Location>


Matthew Feinberg
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

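An added example, not from the post above and not FreeIPA project code, of the combination the question asks for: mod_auth_kerb authenticates the user and mod_authnz_ldap authorizes by IPA group membership. It is written in Apache 2.2 syntax, which the log format in the post indicates. It keeps the poster's names (realm TEST.COM, server ipa.test.com, the httpbind system account, the htaccess group, the keytab path) and assumes the rest: that the httpbind account has a password, that /etc/ipa/ca.crt is the IPA CA certificate on the web server, and that the group is taken from the main IPA tree (cn=groups,cn=accounts) rather than cn=compat, because groups there carry member DNs, which is what mod_authnz_ldap's default DN comparison understands. The user name alice is a placeholder.

```apache
# Added example: Kerberos authentication + FreeIPA group authorization (Apache 2.2).
# Assumed: IPA CA at /etc/ipa/ca.crt, a password set on the httpbind sysaccount.

# Server context (httpd.conf), not inside <Location>: trust the IPA CA so that
# STARTTLS to the directory can be verified instead of silently accepted.
LDAPTrustedGlobalCert CA_BASE64 /etc/ipa/ca.crt

<Location /private>
    AuthName "Kerberos login, IPA group authorization"
    AuthType Kerberos
    KrbServiceName HTTP
    KrbAuthRealms TEST.COM
    Krb5KeyTab /etc/httpd/conf.d/keytab
    KrbMethodNegotiate On
    # K5Passwd lets browsers without a ticket fall back to Basic; the password
    # then travels to this server, so serve this Location over HTTPS only.
    KrbMethodK5Passwd On
    # Delegated credentials are only needed when the application itself must
    # act as the user; leave them off for a plain htaccess replacement.
    KrbSaveCredentials Off

    # mod_auth_kerb sets the user name to the full principal (alice@TEST.COM),
    # so look the entry up by krbPrincipalName under the main accounts tree.
    # STARTTLS keeps the bind password and the lookups off the wire in clear.
    AuthLDAPUrl "ldap://ipa.test.com/cn=users,cn=accounts,dc=test,dc=com?krbPrincipalName?sub?(objectClass=posixAccount)" STARTTLS
    AuthLDAPBindDN "uid=httpbind,cn=sysaccounts,cn=etc,dc=test,dc=com"
    # Plain-text secret: keep this file root-owned and unreadable by others.
    AuthLDAPBindPassword "CHANGE-ME"

    # IPA groups in cn=accounts list members by DN in "member"; compare the
    # DN found above against that attribute.
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on

    Require ldap-group cn=htaccess,cn=groups,cn=accounts,dc=test,dc=com
</Location>

# Pre-flight checks from the web server, using the same bind account the
# module will use (placeholder user alice; you are prompted for the password):
#
#   ldapsearch -ZZ -H ldap://ipa.test.com \
#       -D uid=httpbind,cn=sysaccounts,cn=etc,dc=test,dc=com -W \
#       -b cn=users,cn=accounts,dc=test,dc=com '(krbPrincipalName=alice@TEST.COM)' dn
#
#   ldapsearch -ZZ -H ldap://ipa.test.com \
#       -D uid=httpbind,cn=sysaccounts,cn=etc,dc=test,dc=com -W \
#       -b cn=htaccess,cn=groups,cn=accounts,dc=test,dc=com member
#
# The first must return exactly one DN and the second must list that DN in
# "member"; if the bind itself is refused, Apache will fail the same way.
```

Two things worth checking against the log in the post. The reason text "ldap_simple_bind_s() failed" after "User DN not found" is what mod_authnz_ldap reports when its own bind as AuthLDAPBindDN fails before the user search is even attempted, so the bind account's password (AuthLDAPBindPassword, matching the userPassword set on the httpbind sysaccount) is the first thing to verify, as the ldapsearch commands above do. Second, if the preference is to keep searching on uid as in the posted snippet, mod_auth_kerb's KrbLocalUserMapping On strips the realm so the user name becomes alice instead of alice@TEST.COM, and the URL can then end in ?uid; either way the group lookup must compare the DN that the user search returned, so the user search and the group must live in the same tree (both under cn=accounts here).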