This configuration uses Kerberos for authentication and LDAP for authorization. The details are specific to the Fedora/RedHat FreeIPA server, but should work for any Kerberos/LDAP system.
The setup below assumes a Kerberos/LDAP server running on krbserver.example.com. Before configuring Apache, make sure you have generated the 'HTTP/webserver.example.com' service principal on the Kerberos server and extracted it into a keytab on the webserver. Run the following command on a Kerberos realm server to generate the service principal:
user@krbserver.example.com# ipa-addservice HTTP/webserver.example.com
Then extract the service principal into a keytab file on the webserver:
user@webserver.example.com# ipa-getkeytab -s krbserver.example.com \
    -p HTTP/webserver.example.com -k /etc/httpd/conf.d/http.keytab
Next modify the apache configuration to enable the authentication and authorization.
/etc/httpd/conf.d/website.conf
<Location /protected>
# Make sure you're using HTTPS, or anyone can read your Kerberos password.
SSLRequireSSL
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodK5Passwd On
KrbAuthRealms EXAMPLE.COM
KrbSaveCredentials on
# You should extract the service principal into the correct file as shown above.
# Make sure that the service names (HTTP) match and that the filename is correct.
KrbServiceName HTTP
Krb5KeyTab /etc/httpd/conf.d/http.keytab
# Replace krbPrincipalName with the LDAP attribute which contains username@EXAMPLE.COM.
# Many other guides suggest that this should be uid, but this doesn't work because the
# attached domain name causes the lookup to fail.
AuthLDAPUrl ldap://ldapserver.example.com:389/dc=example,dc=com?krbPrincipalName
# This entry should just be the dn of the group allowed access, add extra lines to permit
# multiple groups.
require ldap-group cn=authorizedusers,cn=groups,cn=accounts,dc=example,dc=com
</Location>
When testing, beware of the webserver's LDAP cache: if you change a user's group membership, you must restart the webserver to clear the cache (/etc/init.d/httpd restart). I'm not sure whether there is a better way to clear the cache (/etc/init.d/httpd reload?) or how long Apache caches LDAP lookups. Other sites suggest restarting the 'nscd' service, but this didn't work for me.
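The script below is an added example, not part of the original page, FreeIPA or Apache: it audits a copy of the <Location> block above for the points the page makes (TLS required whenever KrbMethodK5Passwd is On, a Krb5KeyTab path and HTTP service name present, krbPrincipalName rather than uid in AuthLDAPUrl, and at least one require ldap-group line), checks that the keytab file is not readable by other local users, and reports the effective mod_ldap operation-cache TTL. That TTL is what bounds the caching problem described in the previous paragraph: mod_authnz_ldap's group-membership compares are held in mod_ldap's operation cache, so a stale membership result can be served for up to LDAPOpCacheTTL seconds (600 if the directive is unset). The configuration copies and the keytab file it writes to temporary files are constructed for the demonstration, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original page): offline checks for the
# mod_auth_kerb + mod_authnz_ldap <Location> block and its keytab.

# Constructed copy of the page's <Location> block, written to a temp file.
GOOD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
<Location /protected>
SSLRequireSSL
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodK5Passwd On
KrbAuthRealms EXAMPLE.COM
KrbSaveCredentials on
KrbServiceName HTTP
Krb5KeyTab /etc/httpd/conf.d/http.keytab
AuthLDAPUrl ldap://ldapserver.example.com:389/dc=example,dc=com?krbPrincipalName
require ldap-group cn=authorizedusers,cn=groups,cn=accounts,dc=example,dc=com
</Location>
EOF

# Constructed weak variant: no TLS requirement, uid as the lookup attribute,
# and no group requirement (any valid Kerberos ticket would be enough).
BAD_CONF=$(mktemp)
sed -e '/^SSLRequireSSL/d' -e 's/?krbPrincipalName/?uid/' \
    -e '/^require ldap-group/d' "$GOOD_CONF" > "$BAD_CONF"

# Constructed stand-in for /etc/httpd/conf.d/http.keytab (contents irrelevant).
DEMO_KEYTAB=$(mktemp)
chmod 600 "$DEMO_KEYTAB"

# has_directive FILE REGEX: true if a non-comment line matches REGEX.
# Apache directive names are case-insensitive, hence grep -i.
has_directive() {
    grep -v '^[[:space:]]*#' "$1" | grep -Eiq "$2"
}

# audit_kerb_location FILE: print one FINDING line per problem; return 0 only if clean.
audit_kerb_location() {
    conf=$1; rc=0
    # KrbMethodK5Passwd On lets the browser send the Kerberos password as HTTP
    # Basic auth, so TLS must be mandatory for the Location.
    if has_directive "$conf" '^[[:space:]]*KrbMethodK5Passwd[[:space:]]+On' &&
       ! has_directive "$conf" '^[[:space:]]*SSLRequireSSL'; then
        echo "FINDING: KrbMethodK5Passwd On without SSLRequireSSL (password sent in clear)"; rc=1
    fi
    if ! has_directive "$conf" '^[[:space:]]*Krb5KeyTab[[:space:]]+/'; then
        echo "FINDING: no Krb5KeyTab path; mod_auth_kerb cannot validate tickets"; rc=1
    fi
    if ! has_directive "$conf" '^[[:space:]]*KrbServiceName[[:space:]]+HTTP'; then
        echo "FINDING: KrbServiceName is not HTTP (must match the extracted principal)"; rc=1
    fi
    # The page explains that uid fails because the authenticated name carries @REALM.
    if has_directive "$conf" '^[[:space:]]*AuthLDAPUrl[[:space:]].*\?uid([[:space:]?]|$)'; then
        echo "FINDING: AuthLDAPUrl looks users up by uid; user@REALM will not match"; rc=1
    fi
    if ! has_directive "$conf" '^[[:space:]]*require[[:space:]]+ldap-group[[:space:]]'; then
        echo "FINDING: no 'require ldap-group'; authentication alone is not authorization"; rc=1
    fi
    return $rc
}

# check_keytab_perms PATH: the keytab holds the HTTP service key, so group and
# other permission bits (columns 5-10 of ls -l) must all be clear.
check_keytab_perms() {
    perm=$(ls -l "$1" | cut -c5-10)
    [ "$perm" = "------" ]
}

# ldap_op_cache_ttl CONF...: effective LDAPOpCacheTTL in seconds (last setting
# wins; mod_ldap's default of 600 applies when no file sets it).
ldap_op_cache_ttl() {
    val=$(grep -hEi '^[[:space:]]*LDAPOpCacheTTL[[:space:]]+[0-9]+' "$@" 2>/dev/null \
          | tail -n 1 | awk '{print $2}')
    echo "${val:-600}"
}

echo "== constructed good config =="
audit_kerb_location "$GOOD_CONF" && echo "clean"
echo "== constructed weak config =="
audit_kerb_location "$BAD_CONF" || echo "problems found"
if check_keytab_perms "$DEMO_KEYTAB"; then echo "keytab mode: ok"; else echo "keytab mode: too permissive"; fi
echo "effective LDAPOpCacheTTL: $(ldap_op_cache_ttl "$GOOD_CONF")s"
```

Point audit_kerb_location at the real /etc/httpd/conf.d/website.conf and check_keytab_perms at the real keytab to use it on a server; lowering LDAPOpCacheTTL in the httpd configuration shortens the window in which a removed group member is still admitted, at the cost of more compare operations against the LDAP server.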
Much of the information about mod_authnz_ldap and mod_auth_kerb was obtained from their respective websites. mod_authnz_ldap is included with the Fedora httpd package.