Kerberized Apache - Kerberos

This is a discussion on Kerberized Apache - Kerberos ; Hello All, I am looking for a way to enable users to get access to their space through the web browser. I would like to integrate it with our Kerberized SSO environment as well. I tried this module http://modauthkerb.sourceforge.net/ but ...

+ Reply to Thread
Results 1 to 4 of 4

Thread: Kerberized Apache

  1. Kerberized Apache


    Hello All,

    I am looking for a way to enable users to get access to their space through
    the web browser.
    I would like to integrate it with our Kerberized SSO environment as well.
    I tried this module http://modauthkerb.sourceforge.net/ but I have
    encounter some issues:

    1) I didn't succeed in configuring SSO

    For each access through the web browser I have been asked for user
    and password although
    I already had a valid ticket

    2) The .htaccess file must be used to control access to each directory.

    For each space I would like to give an access I have to create
    an .htaccess file and
    add an entry in the apcahe configuration file as well

    Does anyone have experience with this issue ?
    Are there any other Kerberos modules for apache that better suits my
    needs ?


    Thanks,

    Ido Levy


  2. Re: Kerberized Apache

    Ido Levy writes:

    > I am looking for a way to enable users to get access to their space through
    > the web browser.
    > I would like to integrate it with our Kerberized SSO environment as well.
    > I tried this module http://modauthkerb.sourceforge.net/ but I have
    > encounter some issues:


    Using mod_auth_gss
    (,
    install with "apxs -c -i -l gss mod_auth_gss.c") I have apache-2.2.8
    running with authentication via Kerberos. While mod_auth_kerb has the
    advantage of providing a username/password fallback, I haven't compiled
    it under Solaris.

    For an authentication needing part of your website you could either put
    these directives into a .htaccess file (assuming that your httpd
    configuration allows authentication override) or a directory or location
    section:

    AuthType GSSAPI
    AuthGssServiceName HTTP
    AuthGssKeytabFile /opt/apache/2.2.8/conf/http.keytab
    AuthGssDebug 0
    require valid-user

    The username - should you need to specifiy access only for select users
    - is the Kerberos principal.


    Sebastian

  3. Re: Kerberized Apache

    >
    > Hello All,
    >
    > I am looking for a way to enable users to get access to their space through
    > the web browser.
    > I would like to integrate it with our Kerberized SSO environment as well.
    > I tried this module http://modauthkerb.sourceforge.net/ but I have
    > encounter some issues:
    >
    > 1) I didn't succeed in configuring SSO
    >
    > For each access through the web browser I have been asked for user
    > and password although
    > I already had a valid ticket


    Do you mean that you have a TGT, or that you acquired the necessary HTTP
    service ticket?

    Take a look at the Apache error log; anything there from mod_auth_kerb?

    > 2) The .htaccess file must be used to control access to each directory.
    >
    > For each space I would like to give an access I have to create
    > an .htaccess file and
    > add an entry in the apcahe configuration file as well
    >
    > Does anyone have experience with this issue ?
    > Are there any other Kerberos modules for apache that better suits my
    > needs ?


    --
    Richard Silverman
    res@qoxp.net


  4. Re: Kerberized Apache

    Sebastian Hanigk writes:

    Following up to myself for clarification:

    > Using mod_auth_gss
    > (,
    > install with "apxs -c -i -l gss mod_auth_gss.c") I have apache-2.2.8
    > running with authentication via Kerberos. While mod_auth_kerb has the
    > advantage of providing a username/password fallback, I haven't compiled
    > it under Solaris.


    This works at the moment only under Solaris; mod_auth_gss uses two
    functions from Sun's GSSAPI implementation's extension
    (_gss_get_mech_type and __gss_oid_to_mech) which have to be
    reimplemented if said module should work with other GSSAPI libraries.


    Sebastian

+ Reply to Thread