Posted to users@httpd.apache.org by Jean-Yves Avenard <jy...@gmail.com> on 2010/09/21 09:00:02 UTC

[users@httpd] Multiple authentication backend... how?

Hi.

I am trying to get mod_auth_kerb and mod_authnz_ldap to work together,
in such a way that it first tries to authenticate the user using
Kerberos, and if mod_auth_kerb cannot authenticate the user, it then
tries using mod_authnz_ldap.

That way I could provide a password-protected site where, if people have
set up Kerberos, they get a single-sign-on experience, and if not, they
get the usual prompt for a username and password.

mod_auth_kerb has an option so it's not authoritative (KrbAuthoritative off).

When trying to log in using Google Chrome (which doesn't support
Kerberos), I get prompted for a user id and password, which then fails
with a 401 error.

And tracing the mod_auth_kerb module code, as expected, it returns
DECLINED if it can't authenticate the user.

From then on, the theory would be that it is passed on to the lower
authentication module.

[Tue Sep 21 16:47:01 2010] [debug] src/mod_auth_kerb.c(1667): [client
192.168.0.9] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos
[Tue Sep 21 16:47:01 2010] [debug] src/mod_auth_kerb.c(1001): [client
192.168.0.9] Using Any/server4-2.private.domain.com@M.DOMAIN.COM as
server principal for password verification
[Tue Sep 21 16:47:01 2010] [debug] src/mod_auth_kerb.c(698): [client
192.168.0.9] Trying to get TGT for user avenardj@M.DOMAIN.COM
[Tue Sep 21 16:47:01 2010] [error] [client 192.168.0.9]
krb5_get_init_creds_password() failed: Client not found in Kerberos
database
[Tue Sep 21 16:47:01 2010] [debug] src/mod_auth_kerb.c(1080): [client
192.168.0.9] kerb_authenticate_user_krb5pwd ret=-1 user=(NULL)
authtype=(NULL)
[Tue Sep 21 16:47:01 2010] [error] [client 192.168.0.9] access to
/test/ failed, reason: verification of user id '<null>' not configured

That last line shows that the module that gets used afterwards is
mod_authn_default (from searching in the source code).

Alias /test /usr/local/www/test
<Directory /usr/local/www/test>
    SSLRequireSSL
    AuthLDAPURL ldaps://blah?uid
    AuthLDAPGroupAttributeIsDN off
    AuthLDAPGroupAttribute memberUid
    AuthLDAPRemoteUserAttribute uid
    AuthLDAPRemoteFirstUserAttribute on
    AuthzLDAPRemoteUserAttribute on
    AllowOverride all
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate On
    KrbMethodK5Passwd On
    KrbAuthRealms M.DOMAIN.COM
    Krb5KeyTab /usr/local/etc/apache22/server4.keytab
    KrbServiceName Any
    KrbLocalUserMapping on
    KrbAuthoritative off

    AuthBasicProvider ldap
    require ldap-user uid=jeanyves_avenard,cn=users,dc=m,dc=company,dc=com

    Order allow,deny
    Allow from all
</Directory>

The module loading order in httpd.conf is:

LoadModule authnz_ldap_module libexec/apache22/mod_authnz_ldap.so
LoadModule auth_kerb_module   libexec/apache22/mod_auth_kerb.so

So mod_authnz_ldap has a lower priority than mod_auth_kerb.

If I use Kerberos it works fine, and if I change AuthType Kerberos to
AuthType Basic, then login using the LDAP user credentials is fine...

Is there anything I am missing?
How could I trace the order in which modules are called for authentication?

Thanks
Jean-Yves

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Multiple authentication backend... how?

Posted by Tine De Schutter <ti...@gmail.com>.
Hi Eric,

Thank you for answering!
I should tell you honestly I didn't understand what you were talking about;
I'm really, really new to these things.
But I did find the solution myself.

I had to "take ownership" of the Apache files, so that I could access and
adapt the Apache files.
Something weird, but it's ok now.

Best regards,

Tine

On Tue, Sep 21, 2010 at 1:43 PM, Eric Covener <co...@gmail.com> wrote:

> > The module loading order in httpd.conf is:
> >
> > LoadModule authnz_ldap_module libexec/apache22/mod_authnz_ldap.so
> > LoadModule auth_kerb_module   libexec/apache22/mod_auth_kerb.so
> >
> > So mod_authnz_ldap has a lower priority than mod_auth_kerb
>
> That's not really the operative priority or sequencing mechanism.
>
> >
> > If I am to use Kerberos it works fine, and if I change AuthType
> > Kerberos into AuthType Basic ; then login using the ldap user
> > credentials is fine...
>
> It's not just "backends" you're switching, you're also switching the
> frontend protocol and the AuthType.
>
> If you don't have AuthType basic, HTTP basic authentication doesn't
> happen, so basic auth providers like LDAP are not called.
>
> There's no support for trying multiple AuthTypes, and since both of
> yours want to be explicitly turned on with "AuthType" to do anything,
> the fact that the enabled one returns DECLINED doesn't help much.
>
> It should be clear from the error log which ones are running at any
> given point; you can't trace it so well without a debugger.
>
> --
> Eric Covener
> covener@gmail.com
>

Re: [users@httpd] Multiple authentication backend... how?

Posted by Eric Covener <co...@gmail.com>.
> The module loading order in httpd.conf is:
>
> LoadModule authnz_ldap_module libexec/apache22/mod_authnz_ldap.so
> LoadModule auth_kerb_module   libexec/apache22/mod_auth_kerb.so
>
> So mod_authnz_ldap has a lower priority than mod_auth_kerb

That's not really the operative priority or sequencing mechanism.

>
> If I am to use Kerberos it works fine, and if I change AuthType
> Kerberos into AuthType Basic ; then login using the ldap user
> credentials is fine...

It's not just "backends" you're switching, you're also switching the
frontend protocol and the AuthType.

If you don't have AuthType basic, HTTP basic authentication doesn't
happen, so basic auth providers like LDAP are not called.

There's no support for trying multiple AuthTypes, and since both of
yours want to be explicitly turned on with "AuthType" to do anything,
the fact that the enabled one returns DECLINED doesn't help much.

It should be clear from the error log which ones are running at any
given point; you can't trace it so well without a debugger.

-- 
Eric Covener
covener@gmail.com
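One way to get the module call order out of the error log alone, in the spirit of Eric's "it should be clear from the error log" advice. This is an added example, not code from the thread or from httpd. It re-uses the debug lines quoted in the original post (unwrapped here as a constructed sample), attributes each line to a module by its `src/mod_x.c(NNN)` tag where one is present, and otherwise falls back to message fingerprints: the assumption, taken from the poster's own observation, is that "verification of user id ... not configured" is logged by mod_authn_default and that `krb5_*` failures are logged by mod_auth_kerb's password-verification path. The functions `trace_auth_modules`, `module_sequence` and `final_reason` are names chosen for this example.

```python
import re
from collections import namedtuple

# Apache 2.2 error_log line shape, as seen in the post's debug output:
#   [timestamp] [level] src/mod_x.c(NNN): [client ip] message
# The "src(NNN): " part only appears on messages logged with file/line
# information; plain [error] lines from other modules lack it.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] "
    r"(?:(?P<src>[\w./-]+\.c)\((?P<srcline>\d+)\): )?"
    r"\[client (?P<client>[^\]]+)\] (?P<msg>.*)$"
)

# Assumed fingerprints for lines that carry no source tag (see lead-in).
FINGERPRINTS = (
    ("verification of user id", "mod_authn_default"),
    ("krb5_", "mod_auth_kerb"),
)

# Constructed sample: the six lines quoted in the original post, unwrapped.
SAMPLE_LOG = """\
[Tue Sep 21 16:47:01 2010] [debug] src/mod_auth_kerb.c(1667): [client 192.168.0.9] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Tue Sep 21 16:47:01 2010] [debug] src/mod_auth_kerb.c(1001): [client 192.168.0.9] Using Any/server4-2.private.domain.com@M.DOMAIN.COM as server principal for password verification
[Tue Sep 21 16:47:01 2010] [debug] src/mod_auth_kerb.c(698): [client 192.168.0.9] Trying to get TGT for user avenardj@M.DOMAIN.COM
[Tue Sep 21 16:47:01 2010] [error] [client 192.168.0.9] krb5_get_init_creds_password() failed: Client not found in Kerberos database
[Tue Sep 21 16:47:01 2010] [debug] src/mod_auth_kerb.c(1080): [client 192.168.0.9] kerb_authenticate_user_krb5pwd ret=-1 user=(NULL) authtype=(NULL)
[Tue Sep 21 16:47:01 2010] [error] [client 192.168.0.9] access to /test/ failed, reason: verification of user id '<null>' not configured
"""

Entry = namedtuple("Entry", "module level msg attributed_by")


def parse_line(line):
    """Return the named groups of one error_log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def attribute(rec, previous_module):
    """Decide which module logged a record and say how that was decided."""
    if rec["src"]:
        name = rec["src"].rsplit("/", 1)[-1]          # src/mod_auth_kerb.c -> mod_auth_kerb.c
        return (name[:-2] if name.endswith(".c") else name), "source tag"
    for needle, module in FINGERPRINTS:
        if needle in rec["msg"]:
            return module, "fingerprint"
    # No tag and no known message: assume the previously active module.
    return previous_module or "unknown", "inherited"


def trace_auth_modules(log_text, client=None):
    """Parse the log and return one Entry per line, in order, optionally for one client IP."""
    entries, prev = [], None
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or (client and rec["client"] != client):
            continue
        module, how = attribute(rec, prev)
        entries.append(Entry(module, rec["level"], rec["msg"], how))
        prev = module
    return entries


def module_sequence(entries):
    """Collapse consecutive entries from the same module into the call order."""
    seq = []
    for e in entries:
        if not seq or seq[-1] != e.module:
            seq.append(e.module)
    return seq


def final_reason(entries):
    """The reason text of the last 'access to ... failed, reason: ...' line, if any."""
    for e in reversed(entries):
        if e.level == "error" and "failed, reason:" in e.msg:
            return e.msg.split("reason:", 1)[1].strip()
    return None


if __name__ == "__main__":
    trace = trace_auth_modules(SAMPLE_LOG, client="192.168.0.9")
    for e in trace:
        print(f"{e.module:<20} [{e.level}] ({e.attributed_by}) {e.msg}")
    print("call order:", " -> ".join(module_sequence(trace)))
    print("final reason:", final_reason(trace))
```

Run against the post's lines this yields the order `mod_auth_kerb -> mod_authn_default` and the reason "verification of user id '<null>' not configured": mod_auth_basic (and therefore the ldap provider) never appears, which is the point of the reply above. The `attributed_by` field makes it visible which attributions rest on a real source tag and which on an assumed fingerprint, so a reader can check them against the module source before trusting them.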
