
This configuration uses Kerberos for authentication and LDAP for authorization. The details are specific to the Fedora/Red Hat FreeIPA server, but the same approach should work for any Kerberos KDC paired with an LDAP directory, as long as the directory carries an attribute holding each user's full Kerberos principal (see the AuthLDAPUrl note below).

The setup below assumes a FreeIPA Kerberos/LDAP server is already running on . You need to ensure that the 'HTTP/' service principal for the web server has been generated on the Kerberos server and extracted into a keytab on the web server. Run the following command on a Kerberos realm server to generate the service principal: ipa-addservice HTTP/

Then extract the service principal into a keytab file on the webserver: ipa-getkeytab -s  -p HTTP/ -k /etc/httpd/conf.d/http.keytab

The keytab is the web service's long-term key: anyone who can read it can impersonate the service and decrypt the tickets clients present to it. Make it owned by and readable only by the user httpd runs as (apache on Fedora), and by nobody else. Note that ipa-getkeytab generates a fresh key on every run, so re-running it invalidates any copy of the keytab extracted earlier.

Next, modify the Apache configuration to enable the authentication (mod_auth_kerb) and authorization (mod_authnz_ldap):


<Location /protected>
    # Make sure this location is only reachable over HTTPS. KrbMethodK5Passwd On lets
    # clients without a ticket fall back to HTTP Basic auth, which sends the user's
    # Kerberos password in the clear unless the connection is TLS-protected.
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodK5Passwd On
    KrbAuthRealms EXAMPLE.COM
    KrbSaveCredentials on
    # You should extract the service principal into the correct file as shown above.
    # Make sure that the service name (HTTP) matches the principal in the keytab and
    # that the filename is correct.
    KrbServiceName HTTP
    Krb5KeyTab /etc/httpd/conf.d/http.keytab
    # mod_auth_kerb sets REMOTE_USER to the full principal, username@EXAMPLE.COM, and
    # mod_authnz_ldap searches for an entry whose attribute equals that whole string.
    # Replace krbPrincipalName with the LDAP attribute which contains username@EXAMPLE.COM.
    # Many other guides suggest that this should be uid, but that doesn't work here because
    # uid holds the bare username and the attached realm name causes the lookup to fail.
    AuthLDAPUrl ldap://,dc=com?krbPrincipalName
    # This entry should just be the DN of the group allowed access; add extra Require lines
    # to permit multiple groups. The user's DN must appear in the group's member attribute.
    require ldap-group cn=authorizedusers,cn=groups,cn=accounts,dc=example,dc=com
</Location>
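The two directory lookups behind the configuration above, as an added example that is not part of the original post and not Apache or FreeIPA code: it models a FreeIPA-shaped tree with a constructed in-memory dictionary so it runs offline, and shows why keying the user search on uid fails while krbPrincipalName succeeds, how the ldap-group check compares the user's DN against the group's member attribute, and how the REMOTE_USER value is escaped before it is placed in a search filter. The DNs, users and group are constructed sample data; the function names are this example's own.

```python
"""Simulate mod_authnz_ldap's user search and ldap-group check for a user
authenticated by mod_auth_kerb. Constructed data and names, not Apache code."""

# Constructed directory: DN -> attributes (multi-valued, stored as lists).
# Shaped like FreeIPA's cn=accounts tree, but the entries are made up.
DIRECTORY = {
    "uid=alice,cn=users,cn=accounts,dc=example,dc=com": {
        "uid": ["alice"],
        "krbPrincipalName": ["alice@EXAMPLE.COM"],
        "objectClass": ["person", "krbprincipalaux"],
    },
    "uid=bob,cn=users,cn=accounts,dc=example,dc=com": {
        "uid": ["bob"],
        "krbPrincipalName": ["bob@EXAMPLE.COM"],
        "objectClass": ["person", "krbprincipalaux"],
    },
    "cn=authorizedusers,cn=groups,cn=accounts,dc=example,dc=com": {
        "cn": ["authorizedusers"],
        "objectClass": ["groupofnames"],
        # FreeIPA groups list members by full DN, which is what
        # AuthLDAPGroupAttributeIsDN On (the default) expects.
        "member": ["uid=alice,cn=users,cn=accounts,dc=example,dc=com"],
    },
}

USER_BASE = "cn=users,cn=accounts,dc=example,dc=com"   # base DN from AuthLDAPUrl
GROUP_DN = "cn=authorizedusers,cn=groups,cn=accounts,dc=example,dc=com"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping of an assertion value. mod_authnz_ldap escapes
    REMOTE_USER this way before building its filter, so a crafted username
    such as 'alice*)(uid=admin' cannot inject filter syntax."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def user_search_filter(attribute: str, remote_user: str) -> str:
    """The equality filter sent to the directory for the user lookup."""
    return "(%s=%s)" % (attribute, escape_filter_value(remote_user))


def find_user_dn(attribute: str, remote_user: str, base: str = USER_BASE):
    """Equivalent of AuthLDAPUrl ldap://host/<base>?<attribute>: subtree
    search below `base` for exactly one entry whose `attribute` equals
    REMOTE_USER. Zero or several hits both fail, as in mod_authnz_ldap."""
    hits = [
        dn for dn, attrs in DIRECTORY.items()
        if dn.endswith("," + base) and remote_user in attrs.get(attribute, [])
    ]
    return hits[0] if len(hits) == 1 else None


def is_group_member(user_dn: str, group_dn: str = GROUP_DN) -> bool:
    """Require ldap-group: the user's DN must be a value of the group's
    member attribute (AuthLDAPGroupAttribute defaults to member/uniqueMember)."""
    group = DIRECTORY.get(group_dn)
    return group is not None and user_dn in group.get("member", [])


def authorize(remote_user: str, attribute: str = "krbPrincipalName") -> str:
    """Outcome for a REMOTE_USER as set by mod_auth_kerb (user@REALM)."""
    user_dn = find_user_dn(attribute, remote_user)
    if user_dn is None:
        return "user-not-found"      # 401: no entry matched the filter
    if not is_group_member(user_dn):
        return "not-in-group"        # 401: entry found but Require failed
    return "authorized"


if __name__ == "__main__":
    for principal, attr in [("alice@EXAMPLE.COM", "krbPrincipalName"),
                            ("alice@EXAMPLE.COM", "uid"),
                            ("bob@EXAMPLE.COM", "krbPrincipalName")]:
        print(principal, attr, "->", authorize(principal, attr))
    print(user_search_filter("krbPrincipalName", "alice*)(uid=admin"))
```

Running it shows alice authorized via krbPrincipalName, the same principal rejected as "user-not-found" when the URL names uid (the bare uid value "alice" never equals "alice@EXAMPLE.COM"), and bob rejected as "not-in-group" because his DN is absent from the group's member attribute. The last line prints the escaped filter that would actually go over the wire for a hostile username.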

When testing, beware of the web server's LDAP cache: if you modify a user's group membership, the old result may be served for a while. The cache belongs to mod_ldap, not to the operating system; both the search cache (LDAPCacheTTL) and the compare-operation cache used by ldap-group (LDAPOpCacheTTL) default to 600 seconds, and a full restart of the web server (/etc/init.d/httpd restart) clears them. For testing you can shorten those TTLs, or disable the caches with LDAPCacheEntries 0 and LDAPOpCacheEntries 0 in the global configuration, then restore them in production, since every uncached request costs an LDAP round trip. Other sites suggest restarting the 'nscd' service, but that does not help here: nscd caches NSS (passwd/group) lookups, and mod_authnz_ldap talks to the directory directly rather than through NSS.

Much of the information about mod_authnz_ldap and mod_auth_kerb was obtained from their respective documentation. mod_authnz_ldap is included with the Fedora httpd package; mod_auth_kerb is packaged separately.