- Created: 18 May 2009
The setup below assumes a Kerberos/LDAP server running on krbserver.example.com. You need to ensure that you have generated and extracted the 'HTTP/webserver.example.com' service prinicpal from the Kerberos server. Run the following command on a Kerberos realm server to generate the service principal:
firstname.lastname@example.org# ipa-addservice HTTP/webserver.example.com
Then extract the service principal into a keytab file on the webserver:
email@example.com# ipa-getkeytab -s krbserver.example.com
-p HTTP/webserver.example.com -k /etc/httpd/conf.d/http.keytab
Next modify the apache configuration to enable the authentication and authorization.
# Make sure you're using HTTPS, or anyone can read your Kerberos password.
AuthName "Kerberos Login"
# You should extract the service principal into the correct file as shown above.
# Make sure that the service names (HTTP) match and that the filename is correct.
# Replace krbPrincipalName with the LDAP attribute which contains username@EXAMPLE.COM.
# Many other guides suggest that this should be uid, but this doesn't work because the
# attached domain name causes the lookup to fail.
# This entry should just be the dn of the group allowed access, add extra lines to permit
# multiple groups.
require ldap-group cn=authorizedusers,cn=groups,cn=accounts,dc=example,dc=com
When testing, beware of the webserver cache - if you modify a user group, you must restart the webserver to clear the cache (/etc/init.d/httpd restart). I'm not sure if there is a better way to clear the cache (/etc/init.d/httpd reload)? or how long Apache caches LDAP lookups. Other sites suggest restarting the 'nscd' service but this didn\'t work for me.