Hello All,

Following my post to the list and the great help I got from members cc to
this email,
I would like to share the way to kerberized apache.

Browser Settings

In my case it is firefox 2.0.0.9

Using the config:about utility of the firefox browser I set the following
parameters:

network.negotiate-auth.delegation-uris = https://,http://
network.negotiate-auth.trusted-uris = https://,http://

Note: this settings are done per user, these parameters are considered
private.

Client Settings

The machine you login in to needs to be part of your kerberos environment
and the user must have the TGT ticket

Web Server Settings

In my case it is httpd-2.2.3-11.el5 running on RHEL 5.1 64 bit
architecture.

1) Create HTTP service principal for the web server machine.
2) Create keytab file containing the HTTP service principal and locate the
file under the web server
configuration directory. Make sure the apache user has the right
privileges for this file.
3) Compile the module mode_auth_kerb.
Detailed instructions can be found at
http://modauthkerb.sourceforge.net/configure.html
4) Load the module and set some basic configuration in apache configuration
file

/etc/httpd/conf/httpd.conf

LoadModule auth_kerb_module modules/mod_auth_kerb.so


Under the RootDirectory or any other directory you would like,
set the following:



AuthType Kerberos
AuthName "Kerberos Login"
KrbAuthRealms
KrbServiceName HTTP
Krb5Keytab /etc/httpd/conf.d/krb5.http
KrbMethodK5Passwd on
KrbSaveCredentials on
require valid-user

AllowOverride All AuthConfig
Order allow,deny
Allow from all


5) Restart the web server

service httpd restart

6) In order to restrict access to specific directories you can use
the .htaccess file with the following format:

AuthType Kerberos
AuthName "Kerberos Login"
KrbAuthRealms REALM
KrbMethodK5Passwd on
require user @REALM @REALM

Just place the file under the relevant directory.

Best Regards,

Ido Levy