<h1>Kerberos Authentication and LDAP Authorization In Apache</h1>
<p>Posted 2016-02-17 (last modified 2021-11-02) at <a href="https://www.rushworth.us/lisa/?p=244">https://www.rushworth.us/lisa/?p=244</a>. Categories: System Administration, Technology. Tags: apache, kerberos, kerberos with authorization, single sign-on, sso.</p>
<p>I’ve been authenticating users of Apache web sites against Active Directory using Kerberos for some time now. I installed krb5-workstation and mod_auth_kerb, configured /etc/krb5.conf for my specific domain, and added some config to the Directory section of the Apache config. Great if you just require valid-user (or require valid-user and then turn around and do some authorization within your web code using something like php_auth_user). Not so great, though, for restricting access to the site <em>outside</em> of web code. And I really didn’t want to code in an authorization function when my web server <em>should</em> be able to do that for me.</p>
<p>I FINALLY got Kerberos authentication working in Apache <em>with</em> an LDAP authorization component. Turns out the mod_auth_kerb version 5.1 that was available from the Yum repository is terribly buggy – like not usable in this instance buggy. KrbLocalUserMapping did not consistently remove the realm component. I’d hit a site and it would know who I am, click a link and come across as me@REALM.TLD and get access denied errors, click refresh and get in because it knew I was me again. Or not. More than 50% failure rate. I built the 5.4 version from <a href="http://modauthkerb.sourceforge.net/" target="_blank" rel="noopener">http://modauthkerb.sourceforge.net/</a> and haven’t had a problem since.</p>
<p>I’m authenticating to Active Directory using the Kerberos module, then authorizing against a group housed in an external LDAP directory. You can totally point your LDAP config toward Active Directory &amp; use AD groups instead:</p>
<pre>
AuthType Kerberos
AuthName "Kerberos AD Test"
KrbAuthoritative off
KrbMethodNegotiate on
KrbMethodK5Passwd on
KrbServiceName HTTP/this.isyour.url.tld@EXAMPLE.COM
KrbAuthRealms EXAMPLE.COM
KrbLocalUserMapping On
Krb5Keytab /path/to/keytabs/keytab.file

AuthBasicAuthoritative On
AuthBasicProvider ldap
AuthLDAPURL "ldaps://ldap.example.com/o=BaseDN?uid?sub?(&amp;(cn=*))"
AuthLDAPBindDN "YOUR SERVICE ACCOUNT HERE"
AuthLDAPBindPassword "YOUR BIND PWD HERE"

AuthLDAPGroupAttribute uniqueMember
AuthLDAPGroupAttributeIsDN on
require ldap-group cn=Website Test,ou=groups,o=BaseDN
</pre>
<p>WooHoo! I hit the site from my domain-member computer, and it knows I am LisaR. It then turns around and finds an LDAP user matching uid=LisaR and grabs the user’s fully qualified DN (because AuthLDAPGroupAttributeIsDN is ‘on’ here … if you are using just uids in your member list, that would be off). It then verifies that the fully qualified DN is a member of the Website Test group.</p>
<p>Now I’m trying to figure out how to let the user log in without supplying a realm (not everyone’s in the domain … and they need to be able to log in too). It works fine right now, provided they input their username as uid@REALM.TLD.</p>