[29326] in Kerberos


Re: Kerberized Apache

daemon@ATHENA.MIT.EDU (Ido Levy)
Wed Feb 20 12:30:20 2008

In-Reply-To: <Pine.LNX.4.64.0802190952460.6805@kernel.panic.unc.edu>
To: "Kevin S. Sumner" <ksumner@physics.unc.edu>
Message-ID: <OF71BB4F6F.1B7A3A3B-ONC22573F5.005CD253-C22573F5.005F0D3F@il.ibm.com>
From: Ido Levy <IDOL@il.ibm.com>
Date: Wed, 20 Feb 2008 19:18:13 +0200
MIME-Version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Hi Kevin,

Thank you for the help!!
My comments are integrated below.

Ido Levy

"Kevin S. Sumner" <ksumner@physics.unc.edu> wrote on 19/02/2008 17:07:02:

> Hi Ido,
>
> The modauthkerb website says you need an extension for "Mozilla" (I'm
> assuming the Mozilla Suite and Firefox) to do ticket-passing
> authentication*.  We have it set up for doing username and password
> authentication right now and it works quite well.  The configuration for a
> .htaccess is a little strange.  Here's a sample:
>
> [snip]
> AuthType Kerberos
> KrbMethodNegotiate Off
> KrbServiceName HTTP
> Krb5Keytab /path/to/keytab
> AuthName "physics.unc.edu"
> KrbVerifyKDC off
> KrbAuthRealms PHYSICS.UNC.EDU
> require user user1@PHYSICS.UNC.EDU
> require user user2@PHYSICS.UNC.EDU
> SSLRequireSSL
> [/snip]
>
> You probably want to turn on the KrbMethodNegotiate.  This is working now
> and has been working for a few years with only minor modifications when we
> upgrade modauthkerb.  We have also successfully used "require valid-user"
> to do authentication for any user in our realm.

I tried the valid-user value and it works fine and suits my needs.


> If your .htaccess seems to not be working, you may need to fix your
> AllowOverride line for your DocumentRoot or some directory under that where
> you want to do authentication.  Once AllowOverride is set correctly, you
> should be able to use .htaccess files without trouble.  Can you use
> "AuthType Basic", or any other AuthType, currently?

Following your advice I set "AllowOverride All AuthConfig" for the
DocumentRoot, and it saves the effort of inserting a line for each directory
I want to allow access to.

>
> *NegotiateAuth is here: http://negotiateauth.mozdev.org/ but it looks like
> Linux/i386 only.
>
> Hope this helps!
> Kevin
> -----
> Kevin Sumner
> ksumner@physics.unc.edu
> (919) 962-6494
> Assistant Systems Administrator
> Physics and Astronomy Networking Infrastructure and Computing
> University of North Carolina at Chapel Hill
>
>
> On Tue, 19 Feb 2008, Ido Levy wrote:
>
> >
> > Hello All,
> >
> > I am looking for a way to enable users to get access to their space
> > through the web browser.
> > I would like to integrate it with our Kerberized SSO environment as well.
> > I tried this module http://modauthkerb.sourceforge.net/ but I have
> > encountered some issues:
> >
> > 1) I didn't succeed in configuring SSO
> >
> >      For each access through the web browser I have been asked for user
> >      and password although I already had a valid ticket
> >
> > 2) The .htaccess file must be used to control access to each directory.
> >
> >      For each space I would like to give an access I have to create
> >      an .htaccess file and add an entry in the apache configuration
> >      file as well
> >
> > Does anyone have experience with this issue?
> > Are there any other Kerberos modules for apache that better suit my
> > needs?
> >
> >
> > Thanks,
> >
> > Ido Levy
> >
> > ________________________________________________
> > Kerberos mailing list           Kerberos@mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
> >
> >
> > --
> >
> >

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
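
An added example, not part of either poster's message: the two issues raised in the thread (no ticket-based SSO, and one .htaccess per directory) handled in a single server-config block using the mod_auth_kerb directives from the sample above, with Negotiate and KDC verification turned on. The directory path, keytab path, AuthName and realm are placeholders.

```apache
# Added example. /srv/www/userspace, /path/to/keytab and EXAMPLE.COM are
# placeholders, not values from the thread.
<Directory "/srv/www/userspace">
    # Authentication is defined here in the server config and is inherited
    # by every subdirectory, so no per-directory .htaccess is required and
    # overrides can stay disabled.
    AllowOverride None

    # Refuse plain-HTTP requests: with password fallback enabled, the
    # user's Kerberos password crosses this connection.
    SSLRequireSSL

    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbAuthRealms EXAMPLE.COM

    # The keytab must hold the key for the HTTP/<server-fqdn>@REALM service
    # principal and be readable only by the web server account.
    KrbServiceName HTTP
    Krb5Keytab /path/to/keytab

    # Ticket-based SSO: accept a service ticket from a browser that already
    # holds a TGT. With this Off (as in the quoted sample), every request
    # falls back to a username/password prompt.
    KrbMethodNegotiate On

    # Password fallback for browsers that cannot do Negotiate. Set to Off
    # to allow ticket-only access.
    KrbMethodK5Passwd On

    # For password logins, check that the KDC reply really came from the
    # realm's KDC by validating it against the local keytab. With this Off,
    # a forged KDC reply is enough to pass authentication.
    KrbVerifyKDC On

    # Any authenticated principal in KrbAuthRealms is allowed.
    Require valid-user
</Directory>
```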
