Re: [Freeipa-users] Authenticating Apache through FreeIPA

2013-05-28 Thread Martin Kosek
On 05/28/2013 02:21 AM, William Muriithi wrote:
> Hello,
> 
> This seems well documented, but I can't seem to get it working.  Not sure what
> I am missing..  I will try to go over it and hopefully someone may notice why I am
> failing.
> 
> I got a system enrolled to IPA and it's running
> 
> httpd-2.2.15-28.el6.centos.x86_64
> mod_auth_kerb-5.4-9.el6.x86_64
> mod_authnz_external-3.2.6-1.el6.x86_64
> 
> I initially tried to authenticate against LDAP directly, but it didn't work at
> all.  I believe FreeIPA only uses LDAP for authorization and Kerberos for
> authentication..  Is this observation correct?  I mean, can one deal with LDAP
> directly in this setup?

FreeIPA relies on Kerberos for authentication. Speaking of authorization, i.e.
who can do what, we have HBAC enforced by the SSSD. This is however not
available for httpd applications at the moment.

I would recommend using Kerberos authentication (i.e. mod_auth_kerb) instead of
LDAP binds as this will allow you to have Single Sign On (SSO) with your
application.

> 
> For Kerberos, I went to the IPA server and generated a keytab

Note that you can get the keytab also directly on the client, ipa-getkeytab is
present in freeipa-client package.

> 
> [root@ipa1-yyz-int wmuriithi]# kinit admin
> Password for ad...@example.loc:
> [root@ipa1-yyz-int wmuriithi]# ipa service-add HTTP/git1.example@example.loc
> ---
> Added service "HTTP/git1.example@example.loc"
> ---
>   Principal: HTTP/git1.example@example.loc
>   Managed by: git1.example.com
> [root@ipa1-yyz-int wmuriithi]# ipa-getkeytab -s ipa1-yyz-int.example.loc -p HTTP/git1.example.com -k /tmp/httpd.keytab
> Keytab successfully retrieved and stored in: /tmp/httpd.keytab
> [root@ipa1-yyz-int wmuriithi]# scp /tmp/httpd.keytab root@10.10.10.50:/etc/httpd/conf/
> The authenticity of host '10.10.10.50 ()' can't be established.
> RSA key fingerprint is cc:83:9c:95:bf:c6:a0:a4:a0:0a:dd:5a:85:85:bf:1e.
> Are you sure you want to continue connecting (yes/no)? yes
> Warning: Permanently added '10.10.10.50' (RSA) to the list of known hosts.
> root@10.10.10.50's password:
> [root@ipa1-yyz-int wmuriithi]# scp /tmp/httpd.keytab root@10.10.10.50:/etc/httpd/conf/
> 
> 
> Then from the IPA client 10.10.10.50, I have this basic config; the bottom
> part is the only pertinent section, but I posted the whole file in case I have
> done something silly somewhere else.
> 
> 
> 
> ServerName    git1.example.com
> ServerAlias   git
>
> 
> DocumentRoot /var/www/git
> 
> Options   None
> AllowOverride none
> Order allow,deny
> Allow from all
> 
> 
> SuexecUserGroup gitolite3 gitolite3
> # Set up appropriate GIT environments
> SetEnv GIT_PROJECT_ROOT /var/lib/gitolite3/repositories
> SetEnv GIT_HTTP_EXPORT_ALL
> SetEnv REMOTE_USER=$REDIRECT_REMOTE_USER
> 
> # Set up appropriate gitolite environments
> SetEnv GITOLITE_HTTP_HOME /var/lib/gitolite3
> 
> 
> ScriptAlias /git/ /var/www/bin/gitolite-suexec-wrapper.sh/
> 
> ScriptAlias /gitmob/ /var/www/bin/gitolite-suexec-wrapper.sh/
> 
> 
> 
> #  SSLRequireSSL
>   AuthType Kerberos
>   AuthName "Kerberos Login"
>   KrbMethodNegotiate On
>   KrbMethodK5Passwd Off
>   KrbAuthRealms EXAMPLE.LOC
>   Krb5KeyTab /etc/httpd/conf/httpd.keytab
>   require valid-user
> 
> 

Looks OK. I have a Kerberos authenticated web app running with very similar
configuration.

> 
> 
> 
> When I test it with a browser, I get the following error:
> 
> [Mon May 27 12:55:18 2013] [notice] Apache/2.2.15 (Unix) DAV/2 mod_auth_kerb/5.4 configured -- resuming normal operations
> [Mon May 27 12:55:38 2013] [error] [client 10.10.10.231] user william: authentication failure for "/git": Password Mismatch
> 
> I can ssh into the server with the same account password, so the login details
> should be fine.  All I want to achieve is basic authentication, but I seem to
> be missing something.

If you want basic authentication (user+password), you would need to set
KrbMethodK5Passwd to "On".

> 
> Any pointers?

I would also check that KrbAuthRealms contains the correct realm. I would also
check that /etc/httpd/conf/httpd.keytab is accessible by the "apache" user and has
the right SELinux context (no AVCs in audit.log).

If all this is all right, you can also set Apache's LogLevel to debug
and watch the error log for hints.

HTH,
Martin

> 
> Regards,
> 
> William
> 
> 
> ___
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
> 

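Martin's checklist (the keytab must hold the HTTP principal for the realm named in KrbAuthRealms, the file must be readable by the apache user, and KrbMethodK5Passwd must be On if plain user+password logins are wanted) can be turned into a small offline check. The script below is an added example written for this thread; it is not code from Martin, William, FreeIPA or mod_auth_kerb. It assumes the httpd user is named `apache` (as on the CentOS 6 host in the thread), that the keytab uses the standard krb5 keytab file format (version 0x0502, which is what ipa-getkeytab writes), and it works on a constructed copy of William's directives plus a dummy keytab built in the script, so it runs without a real IPA server. Group membership of the apache user is not modelled when judging readability. SELinux labels are not checked here; that still needs `ls -Z` and audit.log on the box.

```python
import io
import os
import stat
import struct

KEYTAB_MAGIC = b"\x05\x02"   # krb5 keytab file format version 2


def _counted(data: bytes) -> bytes:
    """Keytab counted_octet_string: 16-bit big-endian length followed by bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(principals, enctype=18, key=b"\x00" * 32, kvno=1):
    """Build a minimal keytab for CONSTRUCTED test data; the key is a dummy.

    Entry layout: int32 size, uint16 ncomp, realm, components, uint32 name_type,
    uint32 timestamp, uint8 vno8, uint16 enctype, counted key bytes.
    """
    out = bytearray(KEYTAB_MAGIC)
    for princ in principals:
        name, realm = princ.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for comp in comps:
            body += _counted(comp.encode())
        body += struct.pack(">IIB", 1, 0, kvno)      # NT-PRINCIPAL, timestamp, vno8
        body += struct.pack(">H", enctype) + _counted(key)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def _read_counted(buf: io.BytesIO) -> bytes:
    (n,) = struct.unpack(">H", buf.read(2))
    return buf.read(n)


def keytab_principals(data: bytes):
    """Return the principals stored in a version-2 keytab as 'svc/host@REALM'."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab")
    pos, found = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:                 # negative size marks a deleted slot
            pos += -size
            continue
        entry = io.BytesIO(data[pos:pos + size])
        pos += size
        (ncomp,) = struct.unpack(">H", entry.read(2))
        realm = _read_counted(entry).decode()
        comps = [_read_counted(entry).decode() for _ in range(ncomp)]
        found.append("/".join(comps) + "@" + realm)
    return found


def parse_directives(config_text: str) -> dict:
    """Pull the directives the checks need out of an httpd config snippet."""
    wanted = {"ServerName", "KrbAuthRealms", "Krb5KeyTab", "KrbMethodK5Passwd"}
    found = {}
    for line in config_text.splitlines():
        parts = line.split("#", 1)[0].strip().split(None, 1)
        if len(parts) == 2 and parts[0] in wanted:
            found[parts[0]] = parts[1].strip().strip('"')
    return found


def check_setup(config_text, keytab_bytes, mode, owner, want_basic_auth):
    """Apply the thread's checklist; returns a list of findings (empty == OK)."""
    d = parse_directives(config_text)
    findings = []
    host, realms = d.get("ServerName"), d.get("KrbAuthRealms", "").split()
    princs = keytab_principals(keytab_bytes)
    if not host or not realms:
        findings.append("ServerName or KrbAuthRealms missing from config")
    else:
        wanted = [f"HTTP/{host}@{r}" for r in realms]
        if not any(p in princs for p in wanted):
            findings.append(f"keytab holds {princs}, none of {wanted}")
    # Readable if apache owns it with the user read bit, or it is world-readable.
    readable = (owner == "apache" and mode & stat.S_IRUSR) or mode & stat.S_IROTH
    if not readable:
        findings.append(f"keytab owned by {owner!r}, mode {mode & 0o777:04o}: not readable by apache")
    if mode & 0o077:
        findings.append(f"keytab mode {mode & 0o777:04o} is readable by group/others; chown apache, mode 0600")
    # mod_auth_kerb defaults KrbMethodK5Passwd to on when the directive is absent.
    if want_basic_auth and d.get("KrbMethodK5Passwd", "on").lower() != "on":
        findings.append("basic (user+password) auth wanted but KrbMethodK5Passwd is Off")
    return findings


def check_files(config_path, keytab_path, want_basic_auth=True):
    """Same checks against real files on the httpd host (Linux only)."""
    import pwd
    st = os.stat(keytab_path)
    with open(config_path) as cfg, open(keytab_path, "rb") as kt:
        return check_setup(cfg.read(), kt.read(), st.st_mode,
                           pwd.getpwuid(st.st_uid).pw_name, want_basic_auth)


# Constructed sample: the thread's mod_auth_kerb directives and a dummy keytab.
CONFIG = """
ServerName git1.example.com
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate On
  KrbMethodK5Passwd Off
  KrbAuthRealms EXAMPLE.LOC
  Krb5KeyTab /etc/httpd/conf/httpd.keytab
  require valid-user
"""
KEYTAB = build_keytab(["HTTP/git1.example.com@EXAMPLE.LOC"])

if __name__ == "__main__":
    for finding in check_setup(CONFIG, KEYTAB, 0o600, "apache", want_basic_auth=True):
        print("FINDING:", finding)
```

Run as-is it reports only the KrbMethodK5Passwd finding for William's configuration; `check_files("/etc/httpd/conf.d/git.conf", "/etc/httpd/conf/httpd.keytab")` applies the same checks to real files on the client. The keytab builder exists only so the sample is self-contained; on a real host compare its output against `klist -kt`.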

[Freeipa-users] Authenticating Apache through FreeIPA

2013-05-27 Thread William Muriithi
Hello,

This seems well documented, but I can't seem to get it working.  Not sure
what I am missing..  I will try to go over it and hopefully someone may notice
why I am failing.

I got a system enrolled to IPA and it's running

httpd-2.2.15-28.el6.centos.x86_64
mod_auth_kerb-5.4-9.el6.x86_64
mod_authnz_external-3.2.6-1.el6.x86_64

I initially tried to authenticate against LDAP directly, but it didn't work
at all.  I believe FreeIPA only uses LDAP for authorization and Kerberos for
authentication..  Is this observation correct?  I mean, can one deal with
LDAP directly in this setup?

For Kerberos, I went to the IPA server and generated a keytab

[root@ipa1-yyz-int wmuriithi]# kinit admin
Password for ad...@example.loc:
[root@ipa1-yyz-int wmuriithi]# ipa service-add HTTP/git1.example@example.loc
---
Added service "HTTP/git1.example@example.loc"
---
  Principal: HTTP/git1.example@example.loc
  Managed by: git1.example.com
[root@ipa1-yyz-int wmuriithi]# ipa-getkeytab -s ipa1-yyz-int.example.loc -p HTTP/git1.example.com -k /tmp/httpd.keytab
Keytab successfully retrieved and stored in: /tmp/httpd.keytab
[root@ipa1-yyz-int wmuriithi]# scp /tmp/httpd.keytab root@10.10.10.50:/etc/httpd/conf/
The authenticity of host '10.10.10.50 ()' can't be established.
RSA key fingerprint is cc:83:9c:95:bf:c6:a0:a4:a0:0a:dd:5a:85:85:bf:1e.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.10.10.50' (RSA) to the list of known hosts.
root@10.10.10.50's password:
[root@ipa1-yyz-int wmuriithi]# scp /tmp/httpd.keytab root@10.10.10.50:/etc/httpd/conf/


Then from the IPA client 10.10.10.50, I have this basic config; the bottom
part is the only pertinent section, but I posted the whole file in case I have
done something silly somewhere else.



ServerName    git1.example.com
ServerAlias   git


DocumentRoot /var/www/git

Options   None
AllowOverride none
Order allow,deny
Allow from all


SuexecUserGroup gitolite3 gitolite3
# Set up appropriate GIT environments
SetEnv GIT_PROJECT_ROOT /var/lib/gitolite3/repositories
SetEnv GIT_HTTP_EXPORT_ALL
SetEnv REMOTE_USER=$REDIRECT_REMOTE_USER

# Set up appropriate gitolite environments
SetEnv GITOLITE_HTTP_HOME /var/lib/gitolite3


ScriptAlias /git/ /var/www/bin/gitolite-suexec-wrapper.sh/
ScriptAlias /gitmob/ /var/www/bin/gitolite-suexec-wrapper.sh/


#  SSLRequireSSL
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate On
  KrbMethodK5Passwd Off
  KrbAuthRealms EXAMPLE.LOC
  Krb5KeyTab /etc/httpd/conf/httpd.keytab
  require valid-user





When I test it with a browser, I get the following error:

[Mon May 27 12:55:18 2013] [notice] Apache/2.2.15 (Unix) DAV/2 mod_auth_kerb/5.4 configured -- resuming normal operations
[Mon May 27 12:55:38 2013] [error] [client 10.10.10.231] user william: authentication failure for "/git": Password Mismatch

I can ssh into the server with the same account password, so the login
details should be fine.  All I want to achieve is basic authentication, but
I seem to be missing something.

Any pointers?

Regards,

William