How to tell mod_auth_kerb to do its job despite no "require valid-user"
I've done this once when I built a simple single-signon tool (to merge Kerberos with mod_auth_tkt). It required a little bit of chicanery:
/webauth/login was protected by a require valid-user directive. If someone connected with valid Kerberos credentials, we got their username from REMOTE_USER, gave them an authentication cookie, and sent them on their way.
The Apache configuration used an ErrorDocument request to redirect unauthenticated users to /webauth/require_authentication:
    ErrorDocument 401 /webauth/require_authentication
This would perform the following actions:
- Return a 401 result code (normally, ErrorDocuments eat your result code), and
- Present a login form.
The login form would do exactly what you expect: present a username/password form, validate same, and then give them the auth cookie.
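The two endpoints described in this answer, written out as an added example in Python (WSGI); it is not code from the original answer or from mod_auth_kerb or mod_auth_tkt. Assumptions: the app is mounted so that PATH_INFO carries the full path, the form target /webauth/password is hypothetical, the secret is a constructed placeholder, and the HMAC-signed cookie is a simplified stand-in for a mod_auth_tkt ticket.

```python
import hashlib, hmac, time

SECRET = b"constructed-demo-key"  # assumption: in practice, a random key from protected config
FORM = (b'<form method="post" action="/webauth/password">'  # hypothetical form target
        b'<input name="username"><input name="password" type="password">'
        b'<button>Log in</button></form>')

def make_ticket(user, now=None):
    """Signed cookie value 'user!timestamp!mac' (simplified stand-in for a mod_auth_tkt ticket)."""
    ts = str(int(time.time() if now is None else now))
    mac = hmac.new(SECRET, f"{user}!{ts}".encode(), hashlib.sha256).hexdigest()
    return f"{user}!{ts}!{mac}"

def check_ticket(ticket, max_age=3600, now=None):
    """Return the user name if the MAC verifies and the ticket is fresh, else None."""
    try:
        user, ts, mac = ticket.rsplit("!", 2)
        age = (time.time() if now is None else now) - int(ts)
    except ValueError:
        return None
    good = hmac.new(SECRET, f"{user}!{ts}".encode(), hashlib.sha256).hexdigest()
    ok = hmac.compare_digest(mac.encode(), good.encode())
    return user if ok and 0 <= age <= max_age else None

def app(environ, start_response):
    path = environ.get("PATH_INFO", "")
    if path == "/webauth/login":
        # Reached only after "require valid-user" succeeded. Read the server-set
        # REMOTE_USER, never an HTTP_* request header, which the client controls.
        user = environ.get("REMOTE_USER")
        if not user:
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"no authenticated user"]
        cookie = f"auth_tkt={make_ticket(user)}; Path=/; Secure; HttpOnly; SameSite=Lax"
        start_response("302 Found", [("Location", "/"), ("Set-Cookie", cookie)])
        return [b""]
    if path == "/webauth/require_authentication":
        # Target of "ErrorDocument 401": answer with 401 again, as the answer
        # describes, and present the HTML login form as the response body.
        start_response("401 Unauthorized", [("Content-Type", "text/html")])
        return [FORM]
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found"]
```

Whatever later checks the cookie should call check_ticket on every request and reject anything that returns None, including tickets whose user field was edited after signing.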
Benjamin Wohlwend
Updated on September 17, 2022
Comments
-
Benjamin Wohlwend over 1 year
I implemented an SSO authentication using mod_auth_kerb on Apache. My config looks like this:
    <Location /login/ >
        AuthType Kerberos
        AuthName "Kerberos Login"
        KrbMethodNegotiate on
        KrbAuthoritative on
        KrbVerifyKDC on
        KrbAuthRealm D.ETHZ.CH
        Krb5Keytab /etc/HTTP.keytab
        KrbSaveCredentials on
        RequestHeader set KERBEROS_USER %{REMOTE_USER}s
    </Location>
My problem is that, without require valid-user, mod_auth_kerb doesn't even try to authenticate the user and KERBEROS_USER ends up being (null). If I add require valid-user, the user is authenticated automatically if the browser supports it, but gets shown an ugly modal login form (à la HTTP Basic Auth) if the browser doesn't support Kerberos Negotiate.
What I want to achieve is that if a user visits /login/, mod_auth_kerb tries to authenticate the user through Kerberos Negotiate. If that fails, a normal HTML login form will be presented to the user.
Is it possible to configure Apache/mod_auth_kerb in such a way?
-
Sam Halicke over 13 years: +1 for an interesting solution.
-
Benjamin Wohlwend over 13 years: great, this works perfectly!