Hi Joshua,

It looks like some email to the list got delayed, and I think we might have talked about this in IRC, but I'll reply here too for the record.

From your pastebin I see you have this line:
    KrbMethodK5Passwd on

mod_auth_kerb has two modes of operation: Negotiate authentication and Basic authentication. Negotiate authentication uses GSSAPI and a Kerberos TGT to do single sign-on to Apache. Basic auth is the password prompt. The Kerberos authentication support in Gitorious assumes that you're using Negotiate HTTP authentication (SSO).

Theoretically Gitorious' KerberosAuthentication module could be modified to handle Basic HTTP auth as well, but there are a couple of reasons why I didn't implement that.

One reason is simply practical: I don't know precisely what the HTTP header looks like on mod_passenger's side in order to implement it in Gitorious. I guess that could be solved easily enough if someone wanted to inspect the env array for the appropriate data.

Another reason I didn't implement it is that it doesn't exactly fit in the KerberosAuthentication module: if we are checking for Basic HTTP auth, we should probably move that code out of the KerberosAuthentication module and into its own Gitorious::Authentication::BasicHTTPAuthentication module. Again, this could be solved if it is important enough to someone with some coding skills and time.

The last reasons are more personal opinions. I have doubts that HTTP Basic authentication is a good thing to implement in an enterprise environment. When we do that as system administrators, we're encouraging users' habits of typing important passwords into dialog boxes that have almost no UI context to indicate which system is doing the authentication. It's easy for any site to pop up a Basic authentication prompt, and users could get into the habit of giving away Kerberos passwords to attackers' Basic HTTP prompts.

If I may make a recommendation, I encourage you to set up Negotiate authentication on this server (use an HTTP/fqdn.example.com keytab).
I've found that there will always be those users out there who do not have their Kerberos client or browser properly configured for SSO, so you probably still want to give them the option to authenticate with a password. For those cases, you can activate the LDAPAuthentication module as well as the KerberosAuthentication one. This will let users either type their FreeIPA password into the login form, or else allow them to click through and use Kerberos for SSO.

- Ken

On Wed, Feb 20, 2013 at 11:46 AM, <[email protected]> wrote:
> Hello, again.
>
> I'm still working toward authenticating Gitorious users against my existing
> FreeIPA v2 install. I began the LDAP auth procedure, but when I saw the
> Kerberos stuff in there, I started going that route, because I'm more
> comfortable with Kerberos than I am with LDAP.
>
> At the moment, my logins silently fail. The browser HTTP auth box pops up,
> and when I type in my Kerberos credentials properly, it goes away (trying a
> nonexistent user/pass combo causes the box to continue popping up). Once
> the box success (apache2 auth) happens, I'm brought back to the Gitorious
> sign-in page and 'Gitorious could not verify your browser's credentials' is
> displayed.
>
> I recursively grep'ed for my user name in the tree of the Gitorious install,
> which is the latest Bitnami (self-contained) version, but turned up no
> errors. Apache access_log shows the post-auth GET to be successful, and the
> error_log shows nothing for this transaction.
>
> Is there a place I'm missing to look for error output? The user does not
> yet exist in Gitorious; and I also tried adding a new Kerberos user to test,
> to no avail.
>
> Here is some background info from the command line. I scrubbed the file of
> identifying markers where EXAMPLE.COM and such is in the following file, but
> I am using actual values in production.
>
> http://pastebin.com/Dy3umzAj
>
> Thanks!
>
> -Joshua
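To make the two mod_auth_kerb modes Ken contrasts concrete, here is an added Apache configuration example (not from the thread, the pastebin, or Gitorious itself). The first block is the password-prompt setup that produces the Basic auth dialog; the second is the Negotiate-only setup Ken recommends. The hostname git.example.com, the realm EXAMPLE.COM, the keytab path /etc/httpd/conf/http.keytab and the /login location are assumptions for illustration.

```apache
# Added example, not configuration from the original post.
# Hostname, realm, keytab path and location are assumed values.

# --- Weak variant: Basic auth password prompt -------------------------
# KrbMethodK5Passwd on makes mod_auth_kerb answer with
# "WWW-Authenticate: Basic", so the browser shows a bare username/password
# dialog and the user's Kerberos password travels to the web server on every
# request. This is the setting Ken advises against, and it is also not the
# mode Gitorious' KerberosAuthentication module expects.
#<Location /login>
#    AuthType           Kerberos
#    AuthName           "Gitorious"
#    KrbAuthRealms      EXAMPLE.COM
#    Krb5KeyTab         /etc/httpd/conf/http.keytab
#    KrbMethodNegotiate on
#    KrbMethodK5Passwd  on
#    Require            valid-user
#</Location>

# --- Recommended variant: Negotiate (GSSAPI / SPNEGO) only -------------
# The browser presents a service ticket for HTTP/git.example.com@EXAMPLE.COM
# obtained with the user's existing TGT; no password is typed into a dialog.
# A client without a ticket simply gets 401 and no Basic fallback, so the
# application (here, the LDAPAuthentication module Ken mentions) can offer
# its own login form instead.
<Location /login>
    AuthType           Kerberos
    AuthName           "Gitorious"
    KrbAuthRealms      EXAMPLE.COM
    # Keytab holding HTTP/git.example.com@EXAMPLE.COM (assumed path).
    Krb5KeyTab         /etc/httpd/conf/http.keytab
    KrbServiceName     HTTP/git.example.com
    KrbMethodNegotiate on
    # Turn off the Basic auth prompt entirely.
    KrbMethodK5Passwd  off
    # Verify the KDC by checking the service ticket against the keytab key.
    KrbVerifyKDC       on
    # Do not forward the user's credentials into the application process.
    KrbSaveCredentials off
    Require            valid-user
</Location>
```

Before reloading Apache, confirm the keytab actually contains the expected service principal with `klist -kt /etc/httpd/conf/http.keytab` (adjusting the path to wherever you placed it); the listing should show HTTP/git.example.com@EXAMPLE.COM, and the file should be readable only by the user Apache runs as. With KrbMethodK5Passwd off, a browser that is not configured for SPNEGO against this host will not see a password dialog at all, which is what makes the separate LDAP password form the right fallback.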
