
(Debian Squeeze) I have Apache authenticating via Kerberos - that works fine. Now I want to restrict the site to a single group only, so I need to add LDAP authorization. I enabled authnz_ldap and edited the apache config. When I use the "Require ldap-group" directive I get the following error in the apache error log:

gss_display_name() failed: A required input parameter could not be read: An invalid name was supplied (, Unknown error)

The config in the apache.conf is:

<Directory /var/www/kerberos>
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate On
KrbMethodK5Passwd On
KrbAuthRealms MYDOMAIN.LOCAL
Krb5KeyTab /etc/krb5.keytab
KrbServiceName HTTP/webserver.mydomain.local@MYDOMAIN.LOCAL
AuthLDAPURL "ldap://primarydc.mydomain.local/DC=mydomain,DC=local?sAMAccountName?sub?(objectClass=*)"
AuthLDAPBindDN "LDAPlookup@mydomain.local"
AuthLDAPBindPassword topsecretpassword
Require ldap-group CN=Mygroup,OU=mydomain,DC=local
</Directory>

I've tried adding "KrbLocalUserMapping On" but the same problem remained.

If I disable the Require ldap-group line everything works fine: I can authenticate via Kerberos and see my username in the logs (either as firstname.last@MYDOMAIN.LOCAL or just firstname.last with KrbLocalUserMapping On).

How can I make this work?

Edit: I just tried

AuthLDAPURL ldap://oneaupwdc01.onevue.com.au.local/DC=onevue,DC=com,DC=au,DC=local?userPrincipalName

with KrbLocalUserMapping disabled, and had the same result.

DrStalker
  • Did you find a solution? I have the same problem. This seems to be a bug in apache httpd 2.2. Have a look at http://sourceforge.net/mailarchive/forum.php?thread_name=4B138F1239B8ED429091551E6CF2D832440B9570%40BLUPRD0811MB425.namprd08.prod.outlook.com&forum_name=modauthkerb-help Regards Jan – roehrijn Jun 14 '13 at 11:39
  • Your "AuthName" is "Kerberos Login". Is this set on the other side? It seems like it doesn't recognize this name. Try something else. – Arif Dolgunyurek Dec 16 '14 at 14:20

0 Answers
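A consistency check for the kind of block shown in the question, added here as an example and not part of the original post: it parses the AuthLDAPURL, compares the domain components of the ldap-group DN against the search base, and checks that the LDAP attribute being searched matches the form REMOTE_USER takes with or without KrbLocalUserMapping. It says nothing about the gss_display_name() error itself; the sample block is constructed in the shape of the questioner's config.

```python
from urllib.parse import urlparse, unquote

# Constructed sample in the shape of the question's block (only the directives the check reads).
SAMPLE_CONFIG = """
<Directory /var/www/kerberos>
AuthType Kerberos
KrbAuthRealms MYDOMAIN.LOCAL
AuthLDAPURL "ldap://primarydc.mydomain.local/DC=mydomain,DC=local?sAMAccountName?sub?(objectClass=*)"
Require ldap-group CN=Mygroup,OU=mydomain,DC=local
</Directory>
"""

def directives(text):
    """Map directive name -> value for a config fragment; section tags and comments are skipped."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "<")):
            name, _, value = line.partition(" ")
            out[name] = value.strip().strip('"')
    return out

def parse_ldap_url(url):
    """Split an AuthLDAPURL (RFC 2255 form) into base DN, attribute, scope and filter."""
    u = urlparse(url)
    attr, scope, flt = (u.query.split("?") + ["", "", ""])[:3]
    return unquote(u.path.lstrip("/")), attr or "uid", scope or "sub", flt or "(objectClass=*)"

def domain_components(dn):
    """Lower-cased DC= parts of a DN, e.g. ['dc=mydomain', 'dc=local']."""
    return [p.strip().lower() for p in dn.split(",") if p.strip().lower().startswith("dc=")]

def check_config(text):
    """Return a list of findings; an empty list means the Kerberos and LDAP settings line up."""
    d = directives(text)
    findings = []
    base, attr, _scope, _filter = parse_ldap_url(d.get("AuthLDAPURL", ""))
    req = d.get("Require", "")
    if req.startswith("ldap-group "):
        group_dn = req[len("ldap-group "):]
        if domain_components(group_dn) != domain_components(base):
            findings.append(f"group DN {group_dn!r} is in a different domain than search base {base!r}")
    # Without KrbLocalUserMapping REMOTE_USER is user@REALM, which AD stores in userPrincipalName;
    # with it REMOTE_USER is the bare name, which normally equals sAMAccountName.
    mapped = d.get("KrbLocalUserMapping", "Off").lower() == "on"
    expected = "samaccountname" if mapped else "userprincipalname"
    if attr.lower() != expected:
        shape = "user" if mapped else "user@REALM"
        findings.append(f"AuthLDAPURL searches {attr!r} but REMOTE_USER will be {shape}; use {expected}")
    return findings

if __name__ == "__main__":
    for f in check_config(SAMPLE_CONFIG) or ["no mismatches found"]:
        print(f)
```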