2

Objective: Use Apache/mod_auth_kerb using a custom krb5.conf file, not system standard /etc/krb5.conf.

Issue: I've got a strongly regimented environment where we application owners are able to configure Apache instances within our assigned directories, but the baseline configuration (OS and Apache core) is maintained by a separate group. As such, any change I make to core config such as /etc/krb5.conf will mean replicating the change to thousands of servers (risk+) or scripting a custom system configuration for this server (risk+,$+).

Model for success: In order to invoke kinit to test or ktutil to generate keytab files for use by Apache in this environment, overloading the KRB5_CONFIG environmental variable works (discussed in StackOverflow: pass kinit a custom krb5.conf file).

Question: Is there any way to specify either the KRB5_CONFIG environmental variable for Apache or force mod_auth_kerb to use another configuration?

Failed Attempts: I've tried running the same env command on the apachectl restart. Apache Directive SetEnv was overlooked as it applies to script execution based on user requests, not to Apache 'backoffice' functions.

Cita Secari

2 Answers

1

On Red Hat systems I think /etc/sysconfig/httpd is the better place for env vars.

  • This is the better answer for most people. You should avoid modifying the init scripts, as shown in the other answer, as they may be replaced whenever updates are installed. (The OP's constraints were just absurd.) – Michael Hampton Sep 15 '14 at 13:10
0

On most systems there is also an /etc/init.d/httpd that does the original startup of the apache server. I think your only solution is to set an environmental variable in that script and use something like

/sbin/service httpd restart 

to restart apache with the new environmental variables. You have to modify the environment of the process that starts httpd somehow.

  • I think it's a great answer, given the ridiculous constraints. I don't think it meets the objective as it requires a modification of the base /etc, but I think you've shown yet another way for it to "not work". But given my research and your answer, I'm willing to put this to bed as "unsolvable" or "bad question". – Cita Secari Apr 04 '14 at 21:55
  • Our final solution was to get the admins to back down and let us have our custom Kerberos config. But at least we came with reason in our pockets. – Cita Secari Apr 04 '14 at 21:57
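
Both answers come down to putting KRB5_CONFIG into the environment of the process that starts httpd. The script below is an added example, not part of either answer: it checks a process environment for KRB5_CONFIG and confirms that the file it names is not group- or world-writable. The path /opt/app/etc/krb5.conf, the `export` line and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed setup, hypothetical path:
#   /etc/sysconfig/httpd contains:  export KRB5_CONFIG=/opt/app/etc/krb5.conf
#   followed by:                    /sbin/service httpd restart

# Print KRB5_CONFIG from a /proc/<pid>/environ-style file (NUL-separated
# NAME=value records). Prints nothing when the variable is absent.
krb5_config_from_environ() {
    tr '\000' '\n' < "$1" | sed -n 's/^KRB5_CONFIG=//p' | head -n 1
}

# Succeed only if the file exists and is not group- or world-writable, so that
# only its owner can change which KDCs mod_auth_kerb is pointed at.
krb5_config_is_locked_down() {
    [ -f "$1" ] || return 1
    case "$(ls -ldL "$1" | cut -c1-10)" in
        ?????w*|????????w*) return 1 ;;   # group write bit or other write bit
    esac
    return 0
}

# Report on one process environment. Status 0: custom config in effect and
# locked down; 1: variable not set; 2: file missing or writable by others.
check_krb5_env() {
    cfg=$(krb5_config_from_environ "$1")
    if [ -z "$cfg" ]; then
        echo "KRB5_CONFIG not set: the system default krb5.conf applies"
        return 1
    fi
    if ! krb5_config_is_locked_down "$cfg"; then
        echo "KRB5_CONFIG=$cfg is missing or group/world-writable"
        return 2
    fi
    echo "KRB5_CONFIG=$cfg"
}

# Constructed sample standing in for /proc/<httpd parent pid>/environ.
demo_dir=$(mktemp -d)
: > "$demo_dir/krb5.conf"
chmod 644 "$demo_dir/krb5.conf"
printf 'LANG=C\000KRB5_CONFIG=%s\000PATH=/sbin:/bin\000' \
    "$demo_dir/krb5.conf" > "$demo_dir/environ"
check_krb5_env "$demo_dir/environ"
# On a live host, as root: check_krb5_env /proc/<httpd parent pid>/environ
```

Reading another process's environ file needs root or the same user as that process, so run the check against the httpd parent process with sufficient privileges.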