
I have an apache2 server set up under Ubuntu to authenticate against an Active Directory Domain Controller. It works fine with an .htaccess file in the folder I want to protect, with a line like

require valid-user

My problem is I would like to authenticate with group permissions instead. So if I am authenticated on a domain (as matt, for example) and I try to access a folder, I should be able to put

require group my_group@my.domain

and it should check to see if the user matt is a member of the my_group active directory group. Am I wrong in thinking this or is it not possible for mod_auth_kerb to do this?

1 Answer


It is not possible for mod_auth_kerb to do this because it is impossible for Kerberos itself to do this. Kerberos is explicitly designed as an authentication, but not authorization, system. That means it does not have groups at all; it just makes sure a person is who they say they are.

Active Directory uses LDAP to store and represent group membership. You could use that to make sure the user you have authenticated with Kerberos is a member of a specific group.

See also: 35363
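The split described in the answer, as an added configuration example that is not part of the original post: mod_auth_kerb authenticates the user and mod_authnz_ldap authorizes by looking up group membership in Active Directory. The domain controller host name, keytab path, bind account, password placeholder and the OU holding my_group are assumptions; only my_group and my.domain come from the question.

```apache
# .htaccess (needs "AllowOverride AuthConfig") or a <Directory> block.
# Requires mod_auth_kerb plus mod_ldap and mod_authnz_ldap to be loaded.

AuthName "Domain login"

# --- Authentication: Kerberos proves who the user is ---
AuthType Kerberos
KrbAuthRealms MY.DOMAIN
# Assumed keytab location; keep it readable only by the Apache user.
Krb5Keytab /etc/apache2/http.keytab
KrbMethodNegotiate On
KrbMethodK5Passwd On
# Strip the realm so REMOTE_USER is "matt" rather than "matt@MY.DOMAIN",
# which lets the LDAP search below match on sAMAccountName.
KrbLocalUserMapping On

# --- Authorization: LDAP answers whether that user is in the group ---
# Assumed DC host name; ldaps keeps the bind password off the wire in clear text.
AuthLDAPURL "ldaps://dc.my.domain:636/DC=my,DC=domain?sAMAccountName?sub?(objectClass=user)"
# Assumed read-only service account used only to search the directory.
AuthLDAPBindDN "CN=apache-lookup,OU=Service Accounts,DC=my,DC=domain"
AuthLDAPBindPassword "REPLACE_WITH_BIND_PASSWORD"

# AD stores members as full DNs in the group's "member" attribute.
AuthLDAPGroupAttribute member
AuthLDAPGroupAttributeIsDN On

# Replaces "require valid-user": only members of my_group are allowed.
# The OU in this DN is an assumption; use the group's real DN.
Require ldap-group CN=my_group,OU=Groups,DC=my,DC=domain
```

Because the file contains the bind password, placing these directives in the server configuration rather than in a web-accessible folder's .htaccess keeps the credential out of the document tree.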