12

I've been considering deploying mod_auth_kerb on our internal web servers to enable SSO. The one obvious problem I can see is that it's an all-or-nothing approach, either all your domain users can access a site or not.

Is it possible to combine mod_auth_kerb with something like mod_authnz_ldap to check for group membership in a particular group in LDAP? I'm guessing the KrbAuthoritative option would have something to do with this?

Also, as I understand it, the module sets the username to be username@REALM after authentication, but of course in the directory the users are stored as the username only. Furthermore, some internal sites we run such as trac already have a user profile linked to each username. Is there a way to resolve this, perhaps by stripping off the realm bit after authentication somehow?

Kamil Kisiel
  • Just a question regarding implementation, are you using a Windows ADS for the kerberos realm or some other implementation? – Jeremy Bouse Jul 06 '09 at 14:17
  • Apple's OpenDirectory which comes with MIT Kerberos v5 – Kamil Kisiel Jul 06 '09 at 20:33
  • Okay... Haven't worked with Apple's OpenDirectory before. I was able to get Apache to authenticate using NTLM against Windows ADS using their workstation credentials and then restricting to specific groups. – Jeremy Bouse Jul 07 '09 at 16:54
  • Without stripping the realm from the username, you can use an alternate attribute in the LDAP query to search for the user entity, for instance the "userPrincipalName" attribute in MS Active Directory. – Yves Martin Oct 29 '13 at 12:43

3 Answers

13

It is now possible in mod_auth_kerb 5.4 to strip the realm from REMOTE_USER with the following config directive:

KrbLocalUserMapping On

styro
7

It's the whole point of the authn/authz separation in 2.2 that you can authenticate with one mechanism, and authorize with another. Authentication provides you with a setting of REMOTE_USER, which you then can use authz_ldap against. In addition, authn_ldap searches then for a user (converting the REMOTE_USER to a DN if found, using search criteria you have to specify - e.g. searching for CN). Then, when a DN has been found, you can specify requirements on the LDAP object. E.g. if all users accessing a resource must be in the same OU, you specify

require ldap-dn ou=Managers, o=The Company

Martin v. Löwis
  • Is it possible to modify the REMOTE_USER variable before it's passed to the authorization stage? For example, to strip off the REALM portion of the Kerberos username for lookup in an LDAP database? – Kamil Kisiel Jul 16 '09 at 03:33
  • Not by means of configuration. However, it is relatively easy to do so in the source code of the Apache module. Look for assignments to request->user and adjust them; then rebuild the module with apxs2 -c. OTOH, it might be easier to put the Kerberos names into LDAP, under a separate attribute, and have the ldap module search the user by that attribute. – Martin v. Löwis Jul 16 '09 at 18:32
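The authn/authz split described in this answer, combined with the KrbLocalUserMapping directive from the accepted answer, as an added Apache 2.2 configuration example (this is not from the original posts or from the mod_auth_kerb project; the realm EXAMPLE.COM, the LDAP host, keytab path, base DNs and group name are constructed placeholders):

```apache
# Added example: mod_auth_kerb 5.4 does the authentication (SPNEGO),
# mod_authnz_ldap does the authorization (group membership).
# All hostnames, realms, paths and DNs below are constructed placeholders.
<Location /internal>
    # --- Authentication: Kerberos via mod_auth_kerb ---
    AuthType Kerberos
    AuthName "Internal SSO"
    KrbMethodNegotiate On
    # No Basic-auth fallback: a browser without a ticket would otherwise
    # send the user's Kerberos password to the web server.
    KrbMethodK5Passwd Off
    KrbAuthRealms EXAMPLE.COM
    KrbServiceName HTTP
    Krb5Keytab /etc/apache2/http.keytab
    # Check the service ticket against the keytab (rejects tickets that
    # were not issued for this host's HTTP/ principal).
    KrbVerifyKDC On
    # mod_auth_kerb 5.4+: map user@EXAMPLE.COM to the local name "user"
    # (krb5_aname_to_localname), so REMOTE_USER matches the uid in LDAP
    # and the per-username profiles in tools such as Trac.
    KrbLocalUserMapping On

    # --- Authorization: group membership via mod_authnz_ldap ---
    # Although authentication was done by mod_auth_kerb, mod_authnz_ldap
    # looks REMOTE_USER up with this URL to find the user's DN before it
    # evaluates the ldap-* requirement.
    AuthLDAPURL "ldap://ldap.example.com/ou=People,dc=example,dc=com?uid?sub?(objectClass=posixAccount)"
    # posixGroup style: memberUid holds bare usernames, not DNs.
    AuthLDAPGroupAttribute memberUid
    AuthLDAPGroupAttributeIsDN Off
    # Authoritative: a user with a valid ticket but no group membership is
    # denied, rather than handed on to another authorization module.
    AuthzLDAPAuthoritative On
    Require ldap-group cn=webadmins,ou=Groups,dc=example,dc=com
</Location>
```

Two points worth checking when adapting this. KrbAuthoritative, which the question asks about, only controls whether a failed Kerberos authentication may fall through to another authentication provider; it plays no part in the group check, which is entirely the ldap-group requirement. And KrbLocalUserMapping only strips the realm for principals that the krb5.conf auth_to_local rules map to a local name (by default, the local realm); a user from another trusted realm keeps the full principal, will not match the uid lookup, and is therefore denied, which is the safe failure. If you cannot upgrade to 5.4, the alternative from the comment on the question still works: leave the realm on REMOTE_USER and point the attribute part of AuthLDAPURL at an attribute that stores the full principal (userPrincipalName in Active Directory, or an attribute you add to your own directory), and add AuthLDAPBindDN/AuthLDAPBindPassword if your directory does not allow anonymous searches.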
2

Debian stable now ships with version 5.4 of mod_auth_kerb.

If you're stuck with an older version, this page explains how mod_map_user can be used in combination with mod_auth_kerb and mod_authnz_ldap.

jcharaoui