Rob Visser wrote:

Hello,

I would like to achieve authorization on a kerberised web page. My idea is to use an LDAP query for group membership, i.e. the uid should be a member of a certain group in order to serve out pages. Authentication with Kerberos gssapi works well. I do not know how to achieve the authorization. This is what I tried:

    <Directory "/usr/share/ipa/ipatest">
        AuthType Kerberos
        AuthName "Kerberos Login"
        KrbMethodNegotiate on
        KrbMethodK5Passwd off
        KrbServiceName HTTP
        KrbAuthRealms USN.TIC
        Krb5KeyTab /etc/httpd/conf/ipa.keytab
        KrbSaveCredentials on
        AuthzLDAPAuthoritative on
        AuthLDAPUrl ldap://localhost/cn=users,cn=accounts,dc=usn,dc=tic?uid
        Require ldap-group cn=ipausers,cn=groups,cn=accounts,dc=usn,dc=tic
        Require valid-user
        Satisfy all
    </Directory>

Any help is appreciated.
You almost have it. With Kerberos, REMOTE_USER is going to be set to the principal name (ad...@example.com). You need to tweak your AuthLDAPUrl to use krbprincipalname instead of uid and it should work.
rob
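The configuration below is an added example for this thread, not something either Rob posted. It takes the poster's <Directory> block, applies the fix from the reply (look the user up by krbprincipalname, since that is what REMOTE_USER contains after GSSAPI authentication), and drops "Require valid-user": in Apache 2.2, and under the default <RequireAny> in 2.4, several Require lines at the same level are OR'ed, so a "valid-user" rule next to the group rule would admit every authenticated principal and make the group check meaningless. "Satisfy all" only governs the interaction between Require and Allow/Deny, not between Require lines. The realm, keytab path and base DNs are copied from the original post; the Apache 2.2 syntax matches the original (AuthzLDAPAuthoritative no longer exists in 2.4).

```apache
# Added example (not from the original thread): the poster's block with the
# krbprincipalname lookup applied and the group rule as the only Require line.
<Directory "/usr/share/ipa/ipatest">
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate on
    KrbMethodK5Passwd off
    KrbServiceName HTTP
    KrbAuthRealms USN.TIC
    Krb5KeyTab /etc/httpd/conf/ipa.keytab
    KrbSaveCredentials on

    # mod_authnz_ldap searches the users container for
    # (krbprincipalname=<REMOTE_USER>) and then checks whether the DN it found
    # is listed in the group's "member" attribute (FreeIPA groups are groupOfNames).
    AuthLDAPUrl ldap://localhost/cn=users,cn=accounts,dc=usn,dc=tic?krbprincipalname?sub
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on
    AuthzLDAPAuthoritative on

    # Deliberately the only Require line: multiple Require directives are OR'ed,
    # so adding "Require valid-user" here would bypass the group restriction.
    Require ldap-group cn=ipausers,cn=groups,cn=accounts,dc=usn,dc=tic
</Directory>
```

To check the two lookups Apache will perform before touching the config, run them by hand against the IPA directory (the user name is a placeholder): ldapsearch -x -H ldap://localhost -b cn=users,cn=accounts,dc=usn,dc=tic '(krbprincipalname=someuser@USN.TIC)' dn should return exactly one entry, and ldapsearch -x -H ldap://localhost -b cn=ipausers,cn=groups,cn=accounts,dc=usn,dc=tic member should list that same DN. If the first search returns nothing, the attribute name or realm case is wrong; if the second does not contain the DN, the user is not in ipausers and the 403 is correct behaviour. Anonymous binds are assumed here because the original URL has none; set AuthLDAPBindDN and AuthLDAPBindPassword if the directory refuses anonymous reads.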
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users