On Fri, Jun 26, 2015 at 09:19:51PM -0400, Dmitri Pal wrote:
> On 05/19/2015 05:29 AM, thewebbie wrote:
> >
> > My requirement is to replace dozens of htaccess folders on one server.
> > Each folder requiring a user group. So host based will not work in this
> > case.
>
> Was this resolved in some way?
I don't think it was. I believe the OP is following
http://www.freeipa.org/page/Apache_Group_Based_Authorization which looks
a bit outdated.

What we probably should decide is, what group-based access control do we
want to suggest to people who cannot use HBAC and want to get the groups.

On Mon, May 18, 2015 at 12:38:47PM -0400, thewebbie wrote:
>
> I have been attempting to use my 4.1.4 FreeIPA server to authenticate
> folders on a web server as a replacement for the normal htaccess feature.
> I do require group authentication. I have tried just about every online
> example and have only been able to get basic LDAP and basic Kerberos
> authentication. How do I go about getting group based authentication
> working?
>
> I have tried to add the following to either example below and no luck. I
> added the httpbind user from an ldif file from examples. I created a user
> group named htaccess and added the users to it.
>
> AuthLDAPBindDN uid=httpbind,cn=sysaccounts,cn=etc,dc=test,dc=com
> AuthLDAPBindPassword XXXXXXXXXX
> AuthLDAPGroupAttributeIsDN off
> AuthLDAPUrl ldap://ipa.test.com/dc=test,dc=com?uid

[....]

> [Mon May 18 14:31:19 2015] [debug] mod_authnz_ldap.c(739): [client
> xxx.xxx.xxx.xxx] auth_ldap authorise: User DN not found, LDAP:
> ldap_simple_bind_s() failed

Are you able to bind with that DN and password using for example
ldapsearch?

> I have this working.
>
> <Location /private>
>
> SSLRequireSSL
> AuthName "LDAP Authentication"
> AuthType Basic
> AuthzLDAPMethod ldap
> AuthzLDAPServer ipa.test.com
> AuthzLDAPUserBase cn=users,cn=compat,dc=test,dc=com
> AuthzLDAPUserKey uid
> AuthzLDAPUserScope base
> require valid-user
> </Location>
>
> And this is working
>
> <Location /private>
>
> SSLRequireSSL
> AuthName "KERBEROS Authentication"
> AuthType Kerberos
> KrbServiceName HTTP
> KrbMethodK5Passwd On
> KrbSaveCredentials On
> KrbMethodNegotiate On
> KrbAuthRealms TEST.COM
> Krb5KeyTab /etc/httpd/conf.d/keytab
>
> AuthLDAPUrl ldap://ipa.test.com/dc=test,dc=com?krbPrincipalName
> Require valid-user

I wonder -- with SSSD configured on the machine -- doesn't

	require group <the-group-name>

actually work?

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
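The thread leaves open how to get from the two working valid-user blocks to a real group check. The configuration below is an added example, not from the original post or from the FreeIPA project, showing group-based authorization with mod_authnz_ldap (Apache 2.2 and 2.4 directives only). The hostname ipa.test.com, the suffix dc=test,dc=com, the httpbind system account and the group name htaccess come from the original post; the container DNs cn=users,cn=accounts, cn=groups,cn=accounts, cn=users,cn=compat and cn=groups,cn=compat are FreeIPA's default tree layout and are assumed to be unchanged on the server. The password value is a placeholder. The error quoted in the thread, "User DN not found, LDAP: ldap_simple_bind_s() failed", comes from the lookup bind with the system account being rejected, so that bind has to work before any of this does; confirm it from the web server first with, for example, `ldapsearch -x -H ldap://ipa.test.com -D uid=httpbind,cn=sysaccounts,cn=etc,dc=test,dc=com -W -b cn=htaccess,cn=groups,cn=accounts,dc=test,dc=com member`, which should return the member DNs of the group.

```apache
# Added example (not from the thread): group-based authorization for one
# protected directory with mod_authnz_ldap against a FreeIPA server.
# Assumed: FreeIPA's default tree (cn=accounts and cn=compat under the
# suffix) and that the httpbind sysaccount may read users and groups.
<Location /private>
    SSLRequireSSL
    AuthType Basic
    AuthName "LDAP Authentication"
    AuthBasicProvider ldap

    # Look the user up by uid under the accounts tree, restricted to real
    # POSIX accounts.
    AuthLDAPURL "ldap://ipa.test.com/cn=users,cn=accounts,dc=test,dc=com?uid?sub?(objectClass=posixAccount)"

    # System account used for the user and group lookups. If this bind is
    # rejected, Apache logs "User DN not found, LDAP: ldap_simple_bind_s()
    # failed" for every request, regardless of group membership.
    AuthLDAPBindDN "uid=httpbind,cn=sysaccounts,cn=etc,dc=test,dc=com"
    AuthLDAPBindPassword "REPLACE_WITH_SYSACCOUNT_PASSWORD"

    # Groups under cn=accounts list full user DNs in "member", so the
    # group attribute is a DN and AuthLDAPGroupAttributeIsDN must be on.
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on

    # Only members of the "htaccess" group get in.
    Require ldap-group cn=htaccess,cn=groups,cn=accounts,dc=test,dc=com
</Location>

# Alternative for the compat tree, which the original post's user base
# already pointed at. Compat groups are posixGroup entries that list
# plain user names in memberUid, so the group attribute is not a DN.
# Pairing AuthLDAPGroupAttributeIsDN off with a cn=accounts group (as in
# the post) cannot match, because that group only carries DNs.
<Location /private-compat>
    SSLRequireSSL
    AuthType Basic
    AuthName "LDAP Authentication"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://ipa.test.com/cn=users,cn=compat,dc=test,dc=com?uid?sub"
    AuthLDAPBindDN "uid=httpbind,cn=sysaccounts,cn=etc,dc=test,dc=com"
    AuthLDAPBindPassword "REPLACE_WITH_SYSACCOUNT_PASSWORD"
    AuthLDAPGroupAttribute memberUid
    AuthLDAPGroupAttributeIsDN off
    Require ldap-group cn=htaccess,cn=groups,cn=compat,dc=test,dc=com
</Location>
```

The same `Require ldap-group` line, together with the AuthLDAPURL, AuthLDAPBindDN and group-attribute directives from the first block, can replace `Require valid-user` in the post's Kerberos block: mod_authnz_ldap then resolves the authenticated principal through the `?krbPrincipalName` URL already shown there and applies the group check to the entry it finds. Because the bind password sits in the httpd configuration, keep the file readable by root only, and use ldaps:// or a TLS-protected URL so the lookup traffic and the system account credential are not sent in the clear.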