
I am trying to set up an Apache SVN repository with Kerberos authentication and LDAP group membership authorization, so that only users that belong to a specific group can access it. Kerberos auth on its own is working OK, as LDAP on its own does. But I'd like to combine them in such a way that I have no plain-text credentials to bind to the LDAP directory in the Apache configuration. My current config (which does not work) is:

LDAPVerifyServerCert Off

<Location /svn01>
        DAV     svn
        SVNParentPath   /var/www/svn01
        AuthType Kerberos
        Authname        "Test Repo"
        KrbMethodK5Passwd       On
        KrbAuthRealms           KOUKOU.LOCAL
        KrbSaveCredentials      On
        KrbServiceName          HTTP
        Krb5KeyTab              /etc/httpd/conf.d/svnusr.http.keytab
        AuthLDAPUrl ldaps://ad01.koukou.local:636/dc=koukou,dc=local?krbPrincipalName
        Require ldap-group CN=admins,CN=Users,DC=koukou,DC=local
</Location>

I've seen this kind of configuration on the internet, but it does not work for me. What I'm getting in browser is "Unauthorized" and in apache error log I get:

[Thu Mar 02 09:55:21.817559 2017] [authnz_ldap:debug] [pid 10314] mod_authnz_ldap.c(838): [client 172.21.11.13:57737] AH01711: auth_ldap authorise: User DN not found, User not found

and

[Thu Mar 02 09:55:21.817605 2017] [authz_core:error] [pid 10314] [client XXX.XXX.XXX.XXX:57737] AH01631: user username@KOUKOU.LOCAL: authorization failure for "/svn01/repo":

Am I getting something wrong? Even if I add a segment to bind with credentials in the config, I'm still getting the above errors.

Apache version is 2.4.6, CentOS is 7.2 and Windows AD is 2012R2 with 2008 functional level.

Thanks in advance, Nick

vidas
  • krb5principalname is the ldap attribute that freeipa uses for their user accounts, but I think you are connecting to an Active Directory domain (because of the name of your servers: ad01.kokou.local.). In that case you should be using samaccountname instead. But that is only a piece of the puzzle and I am not really sure you can actually avoid binding to AD for authorization. – natxo asenjo Mar 10 '17 at 19:49
  • Although http://webauth.stanford.edu/manual/mod/mod_webauthldap.html appears to do that, never tried it though. – natxo asenjo Mar 10 '17 at 20:36

1 Answer


For this particular issue, this is working for me:

KrbLocalUserMapping On

You need at least mod_auth_kerb-5.4 for this.
More on this:
https://bugzilla.redhat.com/show_bug.cgi?id=970678
And I'm using this as well:

Require valid-user

More on this:
https://cwiki.apache.org/confluence/display/HTTPD/PasswordBasicAuth

pucca
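The following is an added example, not configuration posted by the asker or the answerer. It takes the question's `<Location>` block and applies the points raised in the comments and the answer: `KrbLocalUserMapping On` so that `REMOTE_USER` is `username` rather than `username@KOUKOU.LOCAL`, an AD attribute (`sAMAccountName`) in `AuthLDAPUrl` in place of the FreeIPA attribute `krbPrincipalName`, and a bind identity for the group lookup, because Active Directory does not answer anonymous searches and `Require ldap-group` has to resolve the user's DN before it can compare it against the group's `member` values. The answer's `Require valid-user` gets every Kerberos-authenticated user in; this example keeps the group restriction the question asked for. To avoid a plaintext bind password in the config, it uses the `exec:` form of `AuthLDAPBindPassword` (httpd 2.4.5 and later, so available on the poster's 2.4.6). The service account DN, the password script path and the CA bundle path are assumptions; replace them with your own.

```apache
# Added example, not the original poster's config. DNs, the service account,
# the password script and the CA bundle path are assumed values.

# Verify the AD server certificate instead of turning verification off;
# with LDAPVerifyServerCert Off anyone on the path can impersonate the DC
# and answer the group-membership query. CA bundle path is an assumption.
LDAPTrustedGlobalCert CA_BASE64 /etc/pki/tls/certs/koukou-ad-ca.pem
LDAPVerifyServerCert On

<Location /svn01>
    DAV svn
    SVNParentPath /var/www/svn01

    AuthType Kerberos
    AuthName "Test Repo"
    KrbMethodNegotiate On
    KrbMethodK5Passwd On
    KrbAuthRealms KOUKOU.LOCAL
    KrbServiceName HTTP
    Krb5KeyTab /etc/httpd/conf.d/svnusr.http.keytab
    KrbSaveCredentials On

    # mod_auth_kerb 5.4+: strip the realm so the authenticated user is
    # "username", which is what AD stores in sAMAccountName. Without this,
    # mod_authnz_ldap searches for "username@KOUKOU.LOCAL" and logs
    # "User DN not found".
    KrbLocalUserMapping On

    # AD user objects: look the short logon name up in sAMAccountName,
    # not krbPrincipalName (a FreeIPA attribute AD does not populate).
    AuthLDAPUrl "ldaps://ad01.koukou.local:636/DC=koukou,DC=local?sAMAccountName?sub?(objectClass=user)"

    # AD rejects anonymous searches, so the DN lookup for ldap-group needs a
    # bind identity. A read-only service account is enough. "exec:" makes
    # httpd run the program at startup and use the first line of its stdout
    # as the password, so no plaintext secret sits in this file. Keep the
    # script readable only by root / the httpd user. Both values assumed.
    AuthLDAPBindDN "CN=svc-httpd-ldap,CN=Users,DC=koukou,DC=local"
    AuthLDAPBindPassword "exec:/etc/httpd/conf.d/ldap-bind-password.sh"

    # Compare the user's full DN against the group's member attribute
    # (these two are the defaults, shown here for clarity).
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN On
    Require ldap-group CN=admins,CN=Users,DC=koukou,DC=local
</Location>
```

To check the mapping before touching the LDAP side, set `LogLevel authnz_ldap:debug` and look for the `auth_ldap authorise` line: after `KrbLocalUserMapping On` it should report the short user name, and `AH01631` should disappear once the bind account can read the group. If the DN lookup still fails, verify the service account with the same filter from the command line (`ldapsearch -H ldaps://ad01.koukou.local -D <bind DN> -W -b DC=koukou,DC=local '(sAMAccountName=username)'`) before suspecting the Apache configuration. Note that `KrbLocalUserMapping` only strips the realm for principals the local `krb5.conf` treats as local; users from other realms would need an explicit `auth_to_local` rule there.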