I'm using RHEL 5 running a LAMP stack to create an intranet. I'm attempting to achieve SSO with users on our network using IE and Firefox. Using the following module, I'm able to do it successfully:
mod_auth_kerb
I would like to take it a step further and only allow access to certain locations based on group membership. I was able to achieve this with mod_authz_ldap. Is there a way to utilize both together, and if so, does anyone have any examples?
Below is the SSO Kerberos setup:
<Location /sso/location>
    AuthType Kerberos
    AuthName "Please Login"
    KrbServiceName HTTP
    KrbMethodNegotiate On
    KrbMethodK5Passwd On
    KrbAuthRealms DOMAIN.LOCAL
    Krb5KeyTab /etc/httpd/keytab
    require valid-user
</Location>
Below is the setup for allowing only members of a group access:
<Location /allowed/only/for/group>
    AuthType Basic
    AuthName "Please Login"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative on
    AuthLDAPURL "ldap://dc.domain.local:389/OU=Domain Users,DC=domain,DC=local?sAMAccountName?sub?(objectClass=*)"
    AuthLDAPBindDN "CN=ldapbinduser,CN=Users,DC=domain,DC=local"
    AuthLDAPBindPassword ldapbinduserpass
    require ldap-group CN=Staff,CN=Users,DC=domain,DC=local
    require ldap-group CN=Faculty,CN=Users,DC=domain,DC=local
    Satisfy any
</Location>
I've read about using Kerberos to authenticate and then using some PHP code to do a group lookup, but I'm hoping this can be achieved strictly with Apache configuration, with no need to alter web page code.
Any help is greatly appreciated. Thanks.
...Google just showed me the following. Is anyone using it? http://www.stanford.edu/services/webauth/
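
One way to combine the two blocks above in a single Location, as an added example that is not part of the original post: mod_auth_kerb performs authentication and the LDAP module performs only the group check. It assumes the LDAP directives shown are those of Apache 2.2's mod_authnz_ldap, and that each account's userPrincipalName in the directory matches the user@DOMAIN.LOCAL name that mod_auth_kerb places in REMOTE_USER.

```apache
# Added example: Kerberos authentication plus LDAP group authorization.
# All values are copied from the two blocks in the post.
<Location /allowed/only/for/group>
    # --- Authentication (mod_auth_kerb) ---
    AuthType Kerberos
    AuthName "Please Login"
    KrbServiceName HTTP
    KrbMethodNegotiate On
    # The password fallback travels as HTTP Basic, so serve this location over TLS.
    KrbMethodK5Passwd On
    KrbAuthRealms DOMAIN.LOCAL
    Krb5KeyTab /etc/httpd/keytab

    # --- Authorization (LDAP group lookup only) ---
    # No "AuthBasicProvider ldap": the LDAP module is not asked to check passwords.
    AuthzLDAPAuthoritative on
    # Assumption: search on userPrincipalName, because REMOTE_USER arrives as
    # user@DOMAIN.LOCAL and would not match a bare sAMAccountName.
    AuthLDAPURL "ldap://dc.domain.local:389/OU=Domain Users,DC=domain,DC=local?userPrincipalName?sub?(objectClass=*)"
    AuthLDAPBindDN "CN=ldapbinduser,CN=Users,DC=domain,DC=local"
    # Stored in clear text: keep this file readable by root only.
    AuthLDAPBindPassword ldapbinduserpass

    # In Apache 2.2, several Require lines are alternatives: either group is enough.
    require ldap-group CN=Staff,CN=Users,DC=domain,DC=local
    require ldap-group CN=Faculty,CN=Users,DC=domain,DC=local

    # "Satisfy any" is deliberately left out. In Apache 2.2 it grants access when
    # EITHER the host-based Allow/Deny check OR the Require check passes, so with
    # no Deny rule in effect for this location nobody is asked to log in at all.
</Location>
```

Where the installed mod_auth_kerb supports `KrbLocalUserMapping On`, which strips the realm from REMOTE_USER, the original sAMAccountName search attribute can be kept instead.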