Apache mod_auth_kerb and LDAP user groups
Solution 1
It is now possible in mod_auth_kerb 5.4 to strip the realm from REMOTE_USER with the following config directive:
KrbLocalUserMapping On
Solution 2
It's the whole point of the authn/authz separation in 2.2 that you can authenticate with one mechanism, and authorize with another. Authentication provides you with a setting of REMOTE_USER, which you then can use authz_ldap against. In addition, authn_ldap searches then for a user (converting the REMOTE_USER to a DN if found, using search criteria you have to specify - e.g. searching for CN). Then, when a DN has been found, you can specify requirements on the LDAP object. E.g. if all users accessing a resource must be in the same OU, you specify
require ldap-dn ou=Managers, o=The Company
Solution 3
Debian stable now ships with version 5.4 of mod_auth_kerb.
If you're stuck with an older version, this page explains how mod_map_user can be used in combination with mod_auth_kerb and mod_authnz_ldap.
Related videos on Youtube
Rahim
I've been Linux user for over 10 years, and been computing since around age 11. I got my start in programming by learning Perl on my Debian machine in high school. Since then I've learned numerous languages including C, C++, and Python. I've also dabbled in Java and assembly. I have a bachelors degree in Computer Engineering from Simon Fraser University in Burnaby, BC, Canada. I've worked in Japan as a CAD software developer in C++ on Windows. Not my favorite environment, but an interesting project never the less. I'm currently employed by a Vancouver-based biotech startup working primarily on systems level projects but doing my fair share of software development. My favorite programming language is Python and I use it nearly every day. My recent interests lie in virtualization, hpc, and large-scale systems management. I'm an active contributor to the Bcfg2 project.
Updated on September 17, 2022Comments
-
Rahim over 1 year
I've been considering deploying
mod_auth_kerb
on our internal web servers to enable SSO. The one obvious problem I can see is that it's an all-or-nothing approach, either all your domain users can access a site or not.Is it possible to combine
mod_auth_kerb
with something likemod_authnz_ldap
to check for group membership in a particular group in LDAP? I'm guessing theKrbAuthoritative
option would have something to do with this?Also, as I understand it, the module sets the username to be
username@REALM
after authentication, but of course in the directory the users are stored as the username only. Furthermore, some internal sites we run such as trac already have a user profile linked to each username. Is there a way to resolve this, perhaps by stripping off the realm bit after authentication somehow?-
Jeremy Bouse almost 15 yearsJust a question regarding implementation, are you using a Windows ADS for the kerberos realm or some other implementation?
-
Rahim almost 15 yearsApple's OpenDirectory which comes with MIT Kerberos v5
-
Jeremy Bouse almost 15 yearsOkay... Haven't worked with Apple's OpenDirectory before. I was able to get Apache to authenticate using NTLM against Windows ADS using their workstation credentials and then restricting to specific groups.
-
Yves Martin over 10 yearsWithout stripping realm from username, you can use an alternate attribute in LDAP query to search for user entity, for instance the "userPrincipalName" attribute in Ms ActiveDirectory.
-
-
Rahim almost 15 yearsIs it possible to modify the REMOTE_USER variable before it's passed to the authorization stage? For example, to strip off the REALM portion of the Kerberos username for lookup in an LDAP database?
-
Martin v. Löwis almost 15 yearsNot by means of configuration. However, it is relatively easy to do so in the source code of the Apache module. Look for assignments to request->user and adjust them; then rebuild the module with apxs2 -c. OTOH, it might be easier to put the Kerberos names into LDAP, under a separate attribute, and have the ldap module search the user by that attribute.
-
Rahim over 14 yearsWow, looks like this was released in 2008, but no mention of it (the version or the parameter) on their website.