Apache mod_auth_kerb and LDAP user groups

apache-2.2 ldap kerberos single-sign-on
17,398

Solution 1

It is now possible in mod_auth_kerb 5.4 to strip the realm from REMOTE_USER with the following config directive:

KrbLocalUserMapping On

Solution 2

It's the whole point of the authn/authz separation in 2.2 that you can authenticate with one mechanism, and authorize with another. Authentication provides you with a setting of REMOTE_USER, which you then can use authz_ldap against. In addition, authn_ldap searches then for a user (converting the REMOTE_USER to a DN if found, using search criteria you have to specify - e.g. searching for CN). Then, when a DN has been found, you can specify requirements on the LDAP object. E.g. if all users accessing a resource must be in the same OU, you specify

require ldap-dn ou=Managers, o=The Company

Solution 3

Debian stable now ships with version 5.4 of mod_auth_kerb.

If you're stuck with an older version, this page explains how mod_map_user can be used in combination with mod_auth_kerb and mod_authnz_ldap.

Share:
17,398

Related videos on Youtube

Rahim
Author by

Rahim

I've been Linux user for over 10 years, and been computing since around age 11. I got my start in programming by learning Perl on my Debian machine in high school. Since then I've learned numerous languages including C, C++, and Python. I've also dabbled in Java and assembly. I have a bachelors degree in Computer Engineering from Simon Fraser University in Burnaby, BC, Canada. I've worked in Japan as a CAD software developer in C++ on Windows. Not my favorite environment, but an interesting project never the less. I'm currently employed by a Vancouver-based biotech startup working primarily on systems level projects but doing my fair share of software development. My favorite programming language is Python and I use it nearly every day. My recent interests lie in virtualization, hpc, and large-scale systems management. I'm an active contributor to the Bcfg2 project.

Updated on September 17, 2022

Comments

  • Rahim
    Rahim over 1 year

    I've been considering deploying mod_auth_kerb on our internal web servers to enable SSO. The one obvious problem I can see is that it's an all-or-nothing approach, either all your domain users can access a site or not.

    Is it possible to combine mod_auth_kerb with something like mod_authnz_ldap to check for group membership in a particular group in LDAP? I'm guessing the KrbAuthoritative option would have something to do with this?

    Also, as I understand it, the module sets the username to be username@REALM after authentication, but of course in the directory the users are stored as the username only. Furthermore, some internal sites we run such as trac already have a user profile linked to each username. Is there a way to resolve this, perhaps by stripping off the realm bit after authentication somehow?

    • Jeremy Bouse
      Jeremy Bouse almost 15 years
      Just a question regarding implementation, are you using a Windows ADS for the kerberos realm or some other implementation?
    • Rahim
      Rahim almost 15 years
      Apple's OpenDirectory which comes with MIT Kerberos v5
    • Jeremy Bouse
      Jeremy Bouse almost 15 years
      Okay... Haven't worked with Apple's OpenDirectory before. I was able to get Apache to authenticate using NTLM against Windows ADS using their workstation credentials and then restricting to specific groups.
    • Yves Martin
      Yves Martin over 10 years
      Without stripping realm from username, you can use an alternate attribute in LDAP query to search for user entity, for instance the "userPrincipalName" attribute in Ms ActiveDirectory.
  • Rahim
    Rahim almost 15 years
    Is it possible to modify the REMOTE_USER variable before it's passed to the authorization stage? For example, to strip off the REALM portion of the Kerberos username for lookup in an LDAP database?
  • Martin v. Löwis
    Martin v. Löwis almost 15 years
    Not by means of configuration. However, it is relatively easy to do so in the source code of the Apache module. Look for assignments to request->user and adjust them; then rebuild the module with apxs2 -c. OTOH, it might be easier to put the Kerberos names into LDAP, under a separate attribute, and have the ldap module search the user by that attribute.
  • Rahim
    Rahim over 14 years
    Wow, looks like this was released in 2008, but no mention of it (the version or the parameter) on their website.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Apache 2.2 mod_auth_kerb SSO stopped working
Apache SSO with Active Directory and providing authorization based on groups
Fallback authentication if mod_auth_kerb fails
SSO with Apache and Kerberos issues
problems creating a keytab file on win server
Apache2, Kerberos: gss_accept_sec_context() failed: An unsupported mechanism was requested
Seamless SSO with Kerberos, IE, Firefox, LDAP Active Directory
How to get Service Token from Kerberos using SSPI
How to implement single sign-on in my java project?
How do I clear a user's cached Active Directory password on CentOS 7?