Re: [Freeipa-users] Apache htaccess replacement

2015-07-09 Thread Jan Pazdziora
On Fri, Jun 26, 2015 at 09:19:51PM -0400, Dmitri Pal wrote:
> On 05/19/2015 05:29 AM, thewebbie wrote:
> >
> >My requirement is to replace dozens of htaccess folders on one server.
> >Each folder requiring a user group. So host-based will not work in this
> >case
> 
> Was this resolved in some way?

I don't think it was. I believe the OP is following

http://www.freeipa.org/page/Apache_Group_Based_Authorization

which looks a bit outdated. What we probably should decide is, what
group-based access control do we want to suggest to people who cannot
use HBAC and want to get the groups.

On Mon, May 18, 2015 at 12:38:47PM -0400, thewebbie wrote:
> 
> I have been attempting to use my 4.1.4 FreeIPA server to authenticate
> folders on a web server as a replacement for the normal htaccess feature. I
> do require group authentication. I have tried just about every online example
> and have only been able to get basic LDAP and basic Kerberos authentication.
> How do I go about getting group based authentication working?
> 
> I have tried to add the following to either example below and no luck. I
> added the httpbind user from an ldif file from examples. I created a user
> group named htaccess and added the users to it.
> 
> AuthLDAPBindDN uid=httpbind,cn=sysaccounts,cn=etc,dc=test,dc=com
> AuthLDAPBindPassword XX
> AuthLDAPGroupAttributeIsDN off
> AuthLDAPUrl ldap://ipa.test.com/dc=test,dc=com?uid

[...]

> [Mon May 18 14:31:19 2015] [debug] mod_authnz_ldap.c(739): [client xxx.xxx.xxx.xxx] auth_ldap authorise: User DN not found, LDAP: ldap_simple_bind_s() failed

Are you able to bind with that DN and password using, for
example, ldapsearch?

> I have this working.
> 
>  
> 
> SSLRequireSSL
> AuthName "LDAP Authentication"
> AuthType Basic
> AuthzLDAPMethod ldap
> AuthzLDAPServer ipa.test.com
> AuthzLDAPUserBase cn=users,cn=compat,dc=test,dc=com
> AuthzLDAPUserKey uid
> AuthzLDAPUserScope base
> require valid-user
>
> 
> And this is working
> 
>  
> 
> SSLRequireSSL
> AuthName "KERBEROS Authentication"
> AuthType Kerberos
> KrbServiceName HTTP
> KrbMethodK5Passwd On
> KrbSaveCredentials On
> KrbMethodNegotiate On
> KrbAuthRealms TEST.COM
> Krb5KeyTab /etc/httpd/conf.d/keytab
> 
> AuthLDAPUrl ldap://ipa.test.com/dc=test,dc=com?krbPrincipalName
> Require valid-user

I wonder -- with SSSD configured on the machine -- doesn't

require group 

actually work?

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
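The check Jan asks for above (can the AuthLDAPBindDN account bind at all?), worked through as an added example that is not part of the thread and not Apache or FreeIPA code. It parses the debug lines from the original post, separates the mod_auth_kerb result (the user's password was verified, ret=0) from the mod_authnz_ldap failure (the bind mod_authnz_ldap performs with AuthLDAPBindDN before it searches for the user, which is what "ldap_simple_bind_s() failed" refers to in Apache 2.2), and builds the ldapsearch that reproduces that service bind outside Apache. The log lines and the AuthLDAPBindDN / AuthLDAPUrl values are the ones posted; the ldapsearch invocation and the triage labels are this example's own.

```python
"""Triage Apache 2.2 mod_auth_kerb / mod_authnz_ldap debug lines.

Added example, not code from the thread, Apache or FreeIPA. The log
lines and the AuthLDAPBindDN / AuthLDAPUrl values are the ones in the
original post; the ldapsearch invocation is this example's own.
"""
import re
import shlex
from urllib.parse import unquote, urlsplit

# Apache 2.2 error_log shape: [date] [level] file(line): [client ip] message
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<src>[^(]+)\((?P<line>\d*)\): "
    r"\[client (?P<client>[^\]]+)\] (?P<msg>.*)$"
)
KRB_RESULT_RE = re.compile(
    r"kerb_authenticate_user_krb5pwd ret=(?P<ret>\d+) user=(?P<user>\S+)"
)

# Debug lines copied from the original post (IP and user were already masked there).
SAMPLE_LOG = """\
[Mon May 18 14:31:19 2015] [debug] src/mod_auth_kerb.c(1944): [client xxx.xxx.xxx.xxx] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Mon May 18 14:31:19 2015] [debug] src/mod_auth_kerb.c(1032): [client xxx.xxx.xxx.xxx] Using HTTP/server1.test@test.com as server principal for password verification
[Mon May 18 14:31:19 2015] [debug] src/mod_auth_kerb.c(736): [client xxx.xxx.xxx.xxx] Trying to get TGT for user js...@test.com
[Mon May 18 14:31:19 2015] [debug] src/mod_auth_kerb.c(646): [client xxx.xxx.xxx.xxx] Trying to verify authenticity of KDC using principal HTTP/server1.test@test.com
[Mon May 18 14:31:19 2015] [debug] src/mod_auth_kerb.c(): [client xxx.xxx.xxx.xxx] kerb_authenticate_user_krb5pwd ret=0 user=js...@test.com authtype=Basic
[Mon May 18 14:31:19 2015] [debug] mod_authnz_ldap.c(727): [client xxx.xxx.xxx.xxx] ldap authorize: Creating LDAP req structure
[Mon May 18 14:31:19 2015] [debug] mod_authnz_ldap.c(739): [client xxx.xxx.xxx.xxx] auth_ldap authorise: User DN not found, LDAP: ldap_simple_bind_s() failed
"""

# Directives from the original post.
BIND_DN = "uid=httpbind,cn=sysaccounts,cn=etc,dc=test,dc=com"
AUTH_LDAP_URL = "ldap://ipa.test.com/dc=test,dc=com?uid"


def parse_log(text):
    """Return one dict per line that matches the Apache 2.2 error_log format."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def triage(entries):
    """Separate 'did the user authenticate' from 'where did authorization fail'."""
    result = {"user": None, "auth_ok": None, "authz_failure": None}
    for e in entries:
        if "mod_auth_kerb" in e["src"]:
            m = KRB_RESULT_RE.search(e["msg"])
            if m:
                result["user"] = m.group("user")
                result["auth_ok"] = m.group("ret") == "0"  # ret=0 is success in mod_auth_kerb
        elif "mod_authnz_ldap" in e["src"]:
            if "ldap_simple_bind_s() failed" in e["msg"]:
                # The failing bind is the one done with AuthLDAPBindDN before the
                # user search; the user's own password was already checked by Kerberos.
                result["authz_failure"] = "service-account bind"
            elif "User DN not found" in e["msg"]:
                # Bind worked but the search under AuthLDAPUrl matched no entry.
                result["authz_failure"] = "user search"
    return result


def parse_auth_ldap_url(url):
    """Split an AuthLDAPUrl (scheme://host/base?attr?scope?filter) into its parts."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URL: {url!r}")
    fields = parts.query.split("?") if parts.query else []
    attribute = fields[0] if len(fields) > 0 and fields[0] else "uid"  # mod_authnz_ldap default
    scope = fields[1] if len(fields) > 1 and fields[1] else "sub"      # mod_authnz_ldap default
    return {
        "uri": f"{parts.scheme}://{parts.netloc}",
        "base": unquote(parts.path.lstrip("/")),
        "attribute": attribute,
        "scope": scope,
    }


def bind_check_command(bind_dn, auth_ldap_url):
    """The ldapsearch that reproduces the service bind mod_authnz_ldap performs."""
    u = parse_auth_ldap_url(auth_ldap_url)
    q = shlex.quote
    # -W prompts for the password so it does not end up in shell history.
    return (f"ldapsearch -x -H {q(u['uri'])} -D {q(bind_dn)} -W "
            f"-b {q(u['base'])} -s base {q('(objectclass=*)')} dn")


if __name__ == "__main__":
    verdict = triage(parse_log(SAMPLE_LOG))
    print(verdict)
    if verdict["auth_ok"] and verdict["authz_failure"] == "service-account bind":
        print("Check the bind account first:")
        print(bind_check_command(BIND_DN, AUTH_LDAP_URL))
```

If the printed ldapsearch fails with "Invalid credentials" the problem is the httpbind password or DN, not the user; if it succeeds, the next thing to confirm is that the search under AuthLDAPUrl actually returns the user's entry, since the group check cannot run without a user DN.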


Re: [Freeipa-users] Apache htaccess replacement

2015-06-26 Thread Dmitri Pal

On 05/19/2015 05:29 AM, thewebbie wrote:
> My requirement is to replace dozens of htaccess folders on one
> server. Each folder requiring a user group. So host-based will not
> work in this case
>
> Matthew Feinberg
>
> On May 19, 2015 4:03 AM, "Jan Pazdziora" wrote:
>
> > On Mon, May 18, 2015 at 12:38:47PM -0400, thewebbie wrote:
> > >
> > > I have been attempting to use my 4.1.4 FreeIPA server to authenticate
> > > folders on a web server as a replacement for the normal htaccess
> > > feature. I do require group authentication. I have tried just about
> > > every online example and have only been able to get basic LDAP and
> > > basic Kerberos authentication. How do I go about getting group based
> > > authentication working?
> >
> > If you do not insist on group based authentication but can use
> > the more generic host-based access control (which you should be able
> > to do because you have IPA), you can use mod_authnz_pam:
> >
> > http://www.adelton.com/apache/mod_authnz_pam/
> >
> > http://www.freeipa.org/page/Web_App_Authentication
> >
> > The module is packaged in Fedoras, RHEL, and CentOS.
> >
> > --
> > Jan Pazdziora
> > Senior Principal Software Engineer, Identity Management Engineering, Red Hat

Was this resolved in some way?

--
Thank you,
Dmitri Pal

Director of Engineering for IdM portfolio
Red Hat, Inc.


Re: [Freeipa-users] Apache htaccess replacement

2015-05-19 Thread thewebbie
My requirement is to replace dozens of htaccess folders on one server.
Each folder requiring a user group. So host-based will not work in this case

Matthew Feinberg
On May 19, 2015 4:03 AM, "Jan Pazdziora" wrote:

> On Mon, May 18, 2015 at 12:38:47PM -0400, thewebbie wrote:
> >
> > I have been attempting to use my 4.1.4 FreeIPA server to authenticate
> > folders on a web server as a replacement for the normal htaccess
> > feature. I do require group authentication. I have tried just about
> > every online example and have only been able to get basic LDAP and
> > basic Kerberos authentication. How do I go about getting group based
> > authentication working?
>
> If you do not insist on group based authentication but can use
> the more generic host-based access control (which you should be able
> to do because you have IPA), you can use mod_authnz_pam:
>
> http://www.adelton.com/apache/mod_authnz_pam/
>
> http://www.freeipa.org/page/Web_App_Authentication
>
> The module is packaged in Fedoras, RHEL, and CentOS.
>
> --
> Jan Pazdziora
> Senior Principal Software Engineer, Identity Management Engineering, Red Hat
>

Re: [Freeipa-users] Apache htaccess replacement

2015-05-19 Thread Jan Pazdziora
On Mon, May 18, 2015 at 12:38:47PM -0400, thewebbie wrote:
> 
> I have been attempting to use my 4.1.4 FreeIPA server to authenticate
> folders on a web server as a replacement for the normal htaccess feature. I
> do require group authentication. I have tried just about every online example
> and have only been able to get basic LDAP and basic Kerberos authentication.
> How do I go about getting group based authentication working?

If you do not insist on group based authentication but can use
the more generic host-based access control (which you should be able
to do because you have IPA), you can use mod_authnz_pam:

http://www.adelton.com/apache/mod_authnz_pam/

http://www.freeipa.org/page/Web_App_Authentication

The module is packaged in Fedoras, RHEL, and CentOS.

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

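Jan's mod_authnz_pam route above, worked through as an added example that is not part of the thread and not code from FreeIPA or mod_authnz_pam. The point it shows is how the host-based mechanism can still be made per-folder and per-group: every protected folder gets its own PAM service name, and one HBAC rule per service is granted to exactly one IPA user group, which is what the per-folder group requirement in the thread calls for. The Kerberos directives are the ones from the original post; the folder paths, group names, the http- service prefix, the allow_ rule names and the host name server1.test.com are this example's assumptions.

```python
"""Render per-folder Apache, PAM and FreeIPA HBAC configuration.

Added example, not code from the thread, FreeIPA or mod_authnz_pam.
Each protected folder maps to its own PAM service name; one HBAC rule
per service grants that folder to a single IPA user group. Folder
paths, group names, the "http-" prefix, the "allow_" rule names and
WEB_HOST are assumptions made for this example.
"""
import re
import shlex
from dataclasses import dataclass

WEB_HOST = "server1.test.com"   # assumption: FQDN of the IPA-enrolled web server


@dataclass(frozen=True)
class ProtectedFolder:
    location: str   # URL path Apache protects, e.g. "/finance"
    group: str      # IPA user group allowed into it


def pam_service_name(location, prefix="http"):
    """Turn a URL path into a PAM service name: lowercase, [a-z0-9-] only."""
    if not location.startswith("/"):
        raise ValueError(f"location must start with '/': {location!r}")
    slug = re.sub(r"[^a-z0-9]+", "-", location.lower()).strip("-")
    if not slug:
        raise ValueError("'/' yields an empty service name; protect a named path")
    return f"{prefix}-{slug}"


def apache_stanza(folder):
    """Kerberos authentication (directives from the post) plus a PAM account check."""
    svc = pam_service_name(folder.location)
    return "\n".join([
        f"<Location {folder.location}>",
        "    SSLRequireSSL",
        f'    AuthName "{folder.location}"',
        "    AuthType Kerberos",
        "    KrbServiceName HTTP",
        "    KrbMethodNegotiate On",
        "    KrbMethodK5Passwd On",
        "    KrbAuthRealms TEST.COM",
        "    Krb5KeyTab /etc/httpd/conf.d/keytab",
        "    KrbLocalUserMapping On",        # strip @REALM so PAM sees the IPA login name
        f"    Require pam-account {svc}",    # mod_authnz_pam: HBAC decided by pam_sss
        "</Location>",
    ])


def pam_service_file(folder):
    """Contents of /etc/pam.d/<service> on the web host."""
    return "\n".join([
        "auth    required  pam_sss.so",
        "account required  pam_sss.so",   # the HBAC rule is evaluated here, via SSSD
    ])


def hbac_commands(folder, host=WEB_HOST):
    """ipa CLI calls that create the service and the rule for one folder."""
    svc = pam_service_name(folder.location)
    rule = f"allow_{svc}"
    q = shlex.quote
    return [
        f"ipa hbacsvc-add {q(svc)}",
        f"ipa hbacrule-add {q(rule)}",
        f"ipa hbacrule-add-service {q(rule)} --hbacsvcs={q(svc)}",
        f"ipa hbacrule-add-host {q(rule)} --hosts={q(host)}",
        f"ipa hbacrule-add-user {q(rule)} --groups={q(folder.group)}",
    ]


def render(folders, host=WEB_HOST):
    """Return {'httpd.conf': str, 'pam.d': {service: str}, 'ipa.sh': str}."""
    seen = {}
    for f in folders:
        svc = pam_service_name(f.location)
        if svc in seen:   # two paths must never share one PAM service (and thus one rule)
            raise ValueError(f"{f.location!r} and {seen[svc]!r} both map to {svc}")
        seen[svc] = f.location
    return {
        "httpd.conf": "\n\n".join(apache_stanza(f) for f in folders),
        "pam.d": {pam_service_name(f.location): pam_service_file(f) for f in folders},
        "ipa.sh": "\n".join(c for f in folders for c in hbac_commands(f, host)),
    }


FOLDERS = [  # constructed sample input
    ProtectedFolder("/finance", "finance"),
    ProtectedFolder("/hr/payroll", "payroll-admins"),
]

if __name__ == "__main__":
    out = render(FOLDERS)
    print(out["httpd.conf"])
    print(out["ipa.sh"])
```

Two things to check before relying on this: the web host must be enrolled (SSSD running, pam_sss present) or the account phase never reaches IPA, and the default HBAC rule allow_all, if it is still enabled, grants every user every service, so the per-folder rules only restrict anything once it is disabled. ipa hbactest --user=<login> --host=server1.test.com --service=http-finance shows which rules match a given user without touching the web server.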


[Freeipa-users] Apache htaccess replacement

2015-05-18 Thread thewebbie
Hello

I have been attempting to use my 4.1.4 FreeIPA server to authenticate
folders on a web server as a replacement for the normal htaccess feature. I
do require group authentication. I have tried just about every online example
and have only been able to get basic LDAP and basic Kerberos authentication.
How do I go about getting group based authentication working?

I have tried to add the following to either example below and no luck. I
added the httpbind user from an ldif file from examples. I created a user
group named htaccess and added the users to it.

AuthLDAPBindDN uid=httpbind,cn=sysaccounts,cn=etc,dc=test,dc=com
AuthLDAPBindPassword XX
AuthLDAPGroupAttributeIsDN off
AuthLDAPUrl ldap://ipa.test.com/dc=test,dc=com?uid
Require ldap-group cn=htaccess,cn=groups,cn=compat,dc=test,dc=com

My error logs look like

[Mon May 18 14:31:19 2015] [debug] src/mod_auth_kerb.c(1944): [client xxx.xxx.xxx.xxx] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos

[Mon May 18 14:31:19 2015] [debug] src/mod_auth_kerb.c(1032): [client xxx.xxx.xxx.xxx] Using HTTP/server1.test@test.com as server principal for password verification

[Mon May 18 14:31:19 2015] [debug] src/mod_auth_kerb.c(736): [client xxx.xxx.xxx.xxx] Trying to get TGT for user js...@test.com

[Mon May 18 14:31:19 2015] [debug] src/mod_auth_kerb.c(646): [client xxx.xxx.xxx.xxx] Trying to verify authenticity of KDC using principal HTTP/server1.test@test.com

[Mon May 18 14:31:19 2015] [debug] src/mod_auth_kerb.c(): [client xxx.xxx.xxx.xxx] kerb_authenticate_user_krb5pwd ret=0 user=js...@test.com authtype=Basic

[Mon May 18 14:31:19 2015] [debug] mod_authnz_ldap.c(727): [client xxx.xxx.xxx.xxx] ldap authorize: Creating LDAP req structure

[Mon May 18 14:31:19 2015] [debug] mod_authnz_ldap.c(739): [client xxx.xxx.xxx.xxx] auth_ldap authorise: User DN not found, LDAP: ldap_simple_bind_s() failed

I have this working.

 

SSLRequireSSL
AuthName "LDAP Authentication"
AuthType Basic
AuthzLDAPMethod ldap
AuthzLDAPServer ipa.test.com
AuthzLDAPUserBase cn=users,cn=compat,dc=test,dc=com
AuthzLDAPUserKey uid
AuthzLDAPUserScope base
require valid-user

   

And this is working

 

SSLRequireSSL
AuthName "KERBEROS Authentication"
AuthType Kerberos
KrbServiceName HTTP
KrbMethodK5Passwd On
KrbSaveCredentials On
KrbMethodNegotiate On
KrbAuthRealms TEST.COM
Krb5KeyTab /etc/httpd/conf.d/keytab

AuthLDAPUrl ldap://ipa.test.com/dc=test,dc=com?krbPrincipalName
Require valid-user

   
-- 
Matthew Feinberg