Apache, Kerberos and LDAP integration

This configuration uses Kerberos for authentication and LDAP for authorization. The details are specific to the Fedora/RedHat FreeIPA server, but should work for any Kerberos/LDAP system.

The setup below assumes a Kerberos/LDAP server running on krbserver.example.com. You need to ensure that you have generated and extracted the 'HTTP/webserver.example.com' service prinicpal from the Kerberos server. Run the following command on a Kerberos realm server to generate the service principal:

user@krbserver.example.com# ipa-addservice HTTP/webserver.example.com

Then extract the service principal into a keytab file on the webserver:

user@webserver.example.com# ipa-getkeytab -s krbserver.example.com

   -p HTTP/webserver.example.com -k /etc/httpd/conf.d/http.keytab

Next modify the apache configuration to enable the authentication and authorization.

/etc/httpd/conf.d/website.conf

<Location /protected>

    # Make sure you're using HTTPS, or anyone can read your Kerberos password.

    SSLRequireSSL
    AuthType Kerberos
    AuthName "Kerberos Login"

    KrbMethodK5Passwd On
    KrbAuthRealms EXAMPLE.COM
    KrbSaveCredentials on

    # You should extract the service principal into the correct file as shown above.

    # Make sure that the service names (HTTP) match and that the filename is correct.

    KrbServiceName HTTP
    Krb5KeyTab /etc/httpd/conf.d/http.keytab

    # Replace krbPrincipalName with the LDAP attribute which contains username@EXAMPLE.COM.

    # Many other guides suggest that this should be uid, but this doesn't work because the

    # attached domain name causes the lookup to fail.

    AuthLDAPUrl ldap://ldapserver.example.com:389/dc=example,dc=com?krbPrincipalName

    # This entry should just be the dn of the group allowed access, add extra lines to permit

    # multiple groups.

    require ldap-group cn=authorizedusers,cn=groups,cn=accounts,dc=example,dc=com
</Location>

When testing, beware of the webserver cache - if you modify a user group, you must restart the webserver to clear the cache (/etc/init.d/httpd restart). I'm not sure if there is a better way to clear the cache (/etc/init.d/httpd reload)? or how long Apache caches LDAP lookups. Other sites suggest restarting the 'nscd' service but this didn\'t work for me.

Much of the information about mod_authnz_ldap and mod_auth_kerb was obtained from their respective websites. mod_authnz_ldap is included with the Fedora httpd package.

Latest Articles

Articles