Cannot use mod_authz_ldap for authorization along with mod_auth_kerb module.
Issue
- Apache is set up to use Kerberos for authentication and LDAP for authorisation. Apache can authenticate with Kerberos on its own, and it can authenticate and authorise against LDAP with a username and password using the require ldap-group directive. However, LDAP authorisation does not work when Kerberos is used to authenticate.
Kerberos authentication works fine (kerb_authenticate_user returns 0), but the LDAP authorization step fails as shown below (User DN not found).
[debug] proxy_util.c(1967): proxy: initialized single connection worker 0 in child 14541 for (*)
[debug] src/mod_auth_kerb.c(1432): [client 10.65.192.205] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[debug] src/mod_auth_kerb.c(1432): [client 10.65.192.205] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[debug] src/mod_auth_kerb.c(915): [client 10.65.192.205] Using HTTP/dhcp209-89.gsslab.pnq.redhat.com@GSSLAB.PNQ.REDHAT.COM as server principal for password verification
[debug] src/mod_auth_kerb.c(655): [client 10.65.192.205] Trying to get TGT for user redhat@GSSLAB.PNQ.REDHAT.COM
[debug] src/mod_auth_kerb.c(994): [client 10.65.192.205] kerb_authenticate_user_krb5pwd ret=0 user=redhat@GSSLAB.PNQ.REDHAT.COM authtype=Basic
[debug] mod_authnz_ldap.c(561): [client 10.65.192.205] ldap authorize: Creating LDAP req structure
[debug] mod_authnz_ldap.c(573): [client 10.65.192.205] auth_ldap authorise: User DN not found, User not found
[info] nss_hook_Auth
[error] [client 10.65.192.205] access to /ldap/ failed, reason: require directives present and no Authoritative handler.
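The following triage script is an added example, not part of the original article or of either Apache module. It scans an httpd debug log for the pattern shown above (Kerberos authentication returning 0, followed by mod_authnz_ldap reporting "User DN not found" for the same client) and reports the user name as mod_auth_kerb logged it. The function name and the sample log are constructed for illustration.

```python
import re

# Constructed sample: lines copied from the debug log shown above.
SAMPLE_LOG = """\
[debug] src/mod_auth_kerb.c(994): [client 10.65.192.205] kerb_authenticate_user_krb5pwd ret=0 user=redhat@GSSLAB.PNQ.REDHAT.COM authtype=Basic
[debug] mod_authnz_ldap.c(561): [client 10.65.192.205] ldap authorize: Creating LDAP req structure
[debug] mod_authnz_ldap.c(573): [client 10.65.192.205] auth_ldap authorise: User DN not found, User not found
[error] [client 10.65.192.205] access to /ldap/ failed, reason: require directives present and no Authoritative handler.
"""

# search() is used so the patterns also match lines that carry a timestamp prefix.
KERB_RESULT = re.compile(r"\[client (?P<client>[^\]]+)\] kerb_authenticate_user_\w+ "
                         r"ret=(?P<ret>-?\d+) user=(?P<user>\S+) authtype=(?P<authtype>\S+)")
LDAP_NO_DN = re.compile(r"mod_authnz_ldap\.c\(\d+\): \[client (?P<client>[^\]]+)\] "
                        r"auth_ldap authorise: User DN not found")
DENIED = re.compile(r"\[error\] \[client (?P<client>[^\]]+)\] access to (?P<path>\S+) failed")


def find_authz_mismatches(log_text):
    """Return one finding per request where Kerberos authentication returned 0
    but mod_authnz_ldap then found no DN for the same client."""
    kerb_ok = {}    # client -> (user, authtype) from the latest successful Kerberos auth
    pending = {}    # client -> finding still waiting for its [error] line
    findings = []
    for line in log_text.splitlines():
        if m := KERB_RESULT.search(line):
            if m["ret"] == "0":
                kerb_ok[m["client"]] = (m["user"], m["authtype"])
            else:
                kerb_ok.pop(m["client"], None)   # failed auth: nothing to correlate
        elif m := LDAP_NO_DN.search(line):
            ok = kerb_ok.pop(m["client"], None)
            if ok:
                finding = {"client": m["client"], "user": ok[0],
                           "authtype": ok[1], "path": None}
                pending[m["client"]] = finding
                findings.append(finding)
        elif m := DENIED.search(line):
            finding = pending.pop(m["client"], None)
            if finding:
                finding["path"] = m["path"]      # resource the request was denied on
    return findings


if __name__ == "__main__":
    for f in find_authz_mismatches(SAMPLE_LOG):
        print(f"{f['client']}: Kerberos OK as {f['user']} ({f['authtype']}), "
              f"LDAP found no DN, denied on {f['path']}")
```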
Environment
- Red Hat Enterprise Linux 5
- httpd-2.2.3-31.el5_4.2
- mod_authz_ldap-0.26-9.el5