Hello, I have been attempting to use my 4.1.4 FreeIPA server to authenticate folders on a web server as a replacement for the normal htaccess feature. I do require group authentication. I have tried just about every online example and have only been able to get basic LDAP and basic Kerberos authentication. How do I go about getting group-based authentication working?

I have tried to add the following to either example below, with no luck. I added the httpbind user from an LDIF file from the examples. I created a user group named htaccess and added the users to it.

    AuthLDAPBindDN uid=httpbind,cn=sysaccounts,cn=etc,dc=test,dc=com
    AuthLDAPBindPassword XXXXXXXXXX
    AuthLDAPGroupAttributeIsDN off
    AuthLDAPUrl ldap://ipa.test.com/dc=test,dc=com?uid
    Require ldap-group cn=htaccess,cn=groups,cn=compat,dc=test,dc=com

My error logs look like:

    [Mon May 18 14:31:19 2015] [debug] src/mod_auth_kerb.c(1944): [client xxx.xxx.xxx.xxx] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
    [Mon May 18 14:31:19 2015] [debug] src/mod_auth_kerb.c(1032): [client xxx.xxx.xxx.xxx] Using HTTP/[email protected] as server principal for password verification
    [Mon May 18 14:31:19 2015] [debug] src/mod_auth_kerb.c(736): [client xxx.xxx.xxx.xxx] Trying to get TGT for user [email protected]
    [Mon May 18 14:31:19 2015] [debug] src/mod_auth_kerb.c(646): [client xxx.xxx.xxx.xxx] Trying to verify authenticity of KDC using principal HTTP/[email protected]
    [Mon May 18 14:31:19 2015] [debug] src/mod_auth_kerb.c(1111): [client xxx.xxx.xxx.xxx] kerb_authenticate_user_krb5pwd ret=0 [email protected] authtype=Basic
    [Mon May 18 14:31:19 2015] [debug] mod_authnz_ldap.c(727): [client xxx.xxx.xxx.xxx] ldap authorize: Creating LDAP req structure
    [Mon May 18 14:31:19 2015] [debug] mod_authnz_ldap.c(739): [client xxx.xxx.xxx.xxx] auth_ldap authorise: User DN not found, LDAP: ldap_simple_bind_s() failed

I have this working:

    <Location /private>
        SSLRequireSSL
        AuthName "LDAP Authentication"
        AuthType Basic
        AuthzLDAPMethod ldap
        AuthzLDAPServer ipa.test.com
        AuthzLDAPUserBase cn=users,cn=compat,dc=test,dc=com
        AuthzLDAPUserKey uid
        AuthzLDAPUserScope base
        require valid-user
    </Location>

And this is working:

    <Location /private>
        SSLRequireSSL
        AuthName "KERBEROS Authentication"
        AuthType Kerberos
        KrbServiceName HTTP
        KrbMethodK5Passwd On
        KrbSaveCredentials On
        KrbMethodNegotiate On
        KrbAuthRealms TEST.COM
        Krb5KeyTab /etc/httpd/conf.d/keytab
        AuthLDAPUrl ldap://ipa.test.com/dc=test,dc=com?krbPrincipalName
        Require valid-user
    </Location>

--
=================
Matthew Feinberg
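Added example, not code from the post or from FreeIPA/Apache: a stand-alone Python model of the two decisions behind Require ldap-group (the AuthLDAPUrl user lookup, then the group-attribute comparison), run over constructed entries shaped like FreeIPA's compat and accounts trees under the post's dc=test,dc=com suffix. It assumes the service-account bind succeeds and that the Kerberos login name arrives as user@REALM, as the posted log shows; the entries and the login "alice" are constructed.

```python
# Added example (not from the original post): a stand-alone model of how mod_authnz_ldap
# evaluates the AuthLDAPUrl lookup and "Require ldap-group" against FreeIPA-style entries.
# All entries are constructed sample data under the post's dc=test,dc=com suffix; no LDAP
# server is contacted, and the service-account bind is assumed to have succeeded.

# Attribute names are stored lower-cased because LDAP attribute names are case-insensitive.
DIRECTORY = {
    "uid=alice,cn=users,cn=compat,dc=test,dc=com":
        {"uid": ["alice"], "krbprincipalname": ["alice@TEST.COM"]},
    "uid=alice,cn=users,cn=accounts,dc=test,dc=com":
        {"uid": ["alice"], "krbprincipalname": ["alice@TEST.COM"]},
    # compat tree: posixGroup carrying login names in memberUid
    "cn=htaccess,cn=groups,cn=compat,dc=test,dc=com":
        {"objectclass": ["posixGroup"], "memberuid": ["alice"]},
    # accounts tree: group carrying full member DNs
    "cn=htaccess,cn=groups,cn=accounts,dc=test,dc=com":
        {"objectclass": ["groupOfNames", "posixGroup"],
         "member": ["uid=alice,cn=users,cn=accounts,dc=test,dc=com"]},
}

def find_user_dn(base, attr, login):
    """AuthLDAPUrl 'base?attr': subtree search for (attr=login). Apache needs exactly
    one hit; zero or several hits mean the user DN is treated as not found."""
    hits = [dn for dn, entry in DIRECTORY.items()
            if dn.lower().endswith(base.lower()) and login in entry.get(attr.lower(), [])]
    return hits[0] if len(hits) == 1 else None

def ldap_group_allows(group_dn, login, user_dn, attr_is_dn=True,
                      group_attrs=("member", "uniqueMember")):
    """Require ldap-group: with AuthLDAPGroupAttributeIsDN on, the user's DN is compared
    against the group attribute values; with it off, the login name (REMOTE_USER) is.
    group_attrs mirrors AuthLDAPGroupAttribute, whose default is member/uniqueMember."""
    group = DIRECTORY.get(group_dn)
    if group is None or user_dn is None:
        return False
    needle = user_dn.lower() if attr_is_dn else login
    for attr in group_attrs:
        values = group.get(attr.lower(), [])
        matched = needle in (v.lower() for v in values) if attr_is_dn else needle in values
        if matched:
            return True
    return False

def authorize(base, attr, login, group_dn, attr_is_dn, group_attrs=("member", "uniqueMember")):
    """Full decision for one request: locate the user, then test group membership."""
    return ldap_group_allows(group_dn, login, find_user_dn(base, attr, login),
                             attr_is_dn, group_attrs)

if __name__ == "__main__":
    # The post's combination: suffix-wide uid search, IsDN off, default group attribute.
    print(authorize("dc=test,dc=com", "uid", "alice",
                    "cn=htaccess,cn=groups,cn=compat,dc=test,dc=com", False))  # False
```

Running the block with the alternatives in the test (a narrower search base, AuthLDAPGroupAttribute memberUid for the compat group, or IsDN on against the accounts-tree group) shows which combinations the modelled comparison accepts for both a plain uid login and a Kerberos principal login.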
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
