Matthew Devine wrote:
So I'm trying to build an Environment for Apache that will authenticate with
mod_auth_kerb. Basically I have a Windows 2003 Active Directory server
acting as my KDC and Apache running in a Windows machine that's part of the
domain. When I try to connect to the site, it appears like it does all the
correct authentication but Apache is giving me an access error and I haven't
been able to track down why yet.
I posted this in the mod_auth_kerb mailing list but I wasn't sure if this
was actually a mod_auth_kerb error as I'm not getting an error message from
the module but a general error from Apache itself. Any help would be
greatly appreciated.
Apache Error Log
[Thu Oct 23 15:36:27 2008] [debug] mod_auth_kerb.c(1322): [client 192.168.1.140] Verifying client data using KRB5 GSS-API
[Thu Oct 23 15:36:27 2008] [debug] mod_auth_kerb.c(1338): [client 192.168.1.140] Verification returned code 0
[Thu Oct 23 15:36:27 2008] [debug] mod_auth_kerb.c(1356): [client 192.168.1.140] GSS-API token of length 161 bytes will be sent back
[Thu Oct 23 15:36:27 2008] [error] [client 192.168.1.140] access to /private failed, reason: require directives present and no Authoritative handler.
Matt
Just a shot in the dark really, but going from the message above:
Are you not missing an authz handler?
The "require" directive (like "require valid-user") is related to the
Authorization phase, which normally follows the Authentication phase.
If you have a "require" without an authorization handler, the message
above would be logical.
Maybe more painstakingly detailed:
The Authentication that you do with Kerberos works fine, and it delivers
a validated user-id. That's nice to have.
Now by saying "require blabla", you are *also* (in addition) putting a
"security constraint" on the access to that Directory/Location. That
should be verified by an Authorization handler, which checks if that
user-id you got before is there, or if it is one of a list, or if that
user is a member of a group, etc.
But you don't have such a handler configured maybe, so Apache complains
that you say "require" without anything to verify it.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
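A small check for the situation the reply describes, added here as an example and not part of the original thread: it scans a configuration for "Require" directives whose keyword no loaded authorization module evaluates. The keyword-to-module table is a subset for Apache 2.2, the sample configuration is constructed (only the /private path comes from the log above), and the function name is hypothetical.

```python
import re

# Subset of Apache 2.2 authz modules and the Require keywords each evaluates.
AUTHZ_PROVIDERS = {
    "authz_user_module": {"valid-user", "user"},
    "authz_groupfile_module": {"group"},
    "authz_owner_module": {"file-owner", "file-group"},
    "authnz_ldap_module": {"ldap-user", "ldap-group", "ldap-dn",
                           "ldap-attribute", "ldap-filter"},
}

def unhandled_requires(conf_text):
    """Return (line_no, directive) for each Require with no loaded authz module."""
    loaded, requires = set(), []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # whole-line comments only
            continue
        m = re.match(r"(?i)LoadModule\s+(\S+)\s+\S+", line)
        if m:
            loaded.add(m.group(1).lower())
            continue
        m = re.match(r"(?i)Require\s+(\S+)", line)
        if m:
            requires.append((no, m.group(1).lower(), line))
    handled = set()
    for mod in loaded:
        handled |= AUTHZ_PROVIDERS.get(mod, set())
    return [(no, text) for no, kw, text in requires if kw not in handled]

# Constructed sample: Kerberos authentication is set up, but nothing is
# loaded to evaluate "Require valid-user" in the authorization phase.
BROKEN = """\
LoadModule auth_kerb_module modules/mod_auth_kerb.so
<Location /private>
    AuthType Kerberos
    KrbMethodNegotiate On
    Require valid-user
</Location>
"""
# Same configuration with an authorization module loaded for valid-user.
FIXED = "LoadModule authz_user_module modules/mod_authz_user.so\n" + BROKEN

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, unhandled_requires(conf))
```

The check only sees LoadModule lines in the text it is given, so statically compiled modules and Include'd files are not covered; `httpd -M` lists what the running binary actually has loaded.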