
I have a working Kerberos authentication on my Apache. My AuthGroupFile directive points to a file where there is one group called rnd (rnd: user@my.domain.com).

This works just fine, but I don't know how to grant access to all the users in the domain my.domain.com. Do you know how to do this?

Lauri Lehmijoki
    If there is only one domain, you don't need `AuthGroupFile`. Just allow everyone (`require valid-user`). – chutz Oct 31 '12 at 19:06
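The setup the comment above refers to, written out as an added example (this is not configuration from the question or from either answer). It assumes mod_auth_kerb on Apache 2.4, a realm called MY.DOMAIN.COM, a service keytab at /etc/apache2/http.keytab and a host name of web.my.domain.com; all of those are placeholders. With a single realm, `Require valid-user` already admits every domain user and no `AuthGroupFile` is needed. The second location shows the check for a multi-realm (forest or cross-realm trust) setup: `KrbAuthRealms` only governs the password fallback, whereas with Negotiate the realm is whatever issued the ticket, so the realm suffix of the authenticated principal in `REMOTE_USER` is what actually has to be tested.

```apache
# Added example, not part of the original post. Realm, host name and
# keytab path are assumptions; replace them with your own.

# Case 1: one realm. Every principal that authenticates is a domain user,
# so "valid-user" is exactly "everyone in my.domain.com".
<Location /protected>
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate On
  # Disable the username/password fallback; only SPNEGO tickets are accepted.
  KrbMethodK5Passwd Off
  KrbAuthRealms MY.DOMAIN.COM
  KrbServiceName HTTP/web.my.domain.com
  Krb5Keytab /etc/apache2/http.keytab
  Require valid-user
</Location>

# Case 2: several realms can obtain tickets for this service (trusts),
# but only MY.DOMAIN.COM principals may enter. REMOTE_USER is
# "user@REALM" as long as KrbLocalUserMapping stays Off, so anchor the
# check on the realm suffix; the anchored regex stops
# "attacker@OTHER.REALM" from matching a partial prefix.
<Location /domain-only>
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate On
  KrbMethodK5Passwd Off
  KrbAuthRealms MY.DOMAIN.COM
  KrbServiceName HTTP/web.my.domain.com
  Krb5Keytab /etc/apache2/http.keytab
  KrbLocalUserMapping Off
  Require expr "%{REMOTE_USER} =~ /@MY\.DOMAIN\.COM$/"
</Location>
```

Keep the keytab readable by the Apache user only (mode 0600); anyone who can read it can impersonate the service to its clients. If you turn `KrbLocalUserMapping` on to get a bare user name for the application, the realm suffix is gone and the `Require expr` check above no longer applies, so do the realm restriction before mapping or keep it off.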

2 Answers


If this is within your own network, why not restrict/allow access via IP address or IP range? This example blocks for all—and forces a user/password combo—but allows localhost & the whole 10.x.x.x & 192.x.x.x ranges.

<Location /protected>
  AuthName "My Protected Server"
  AuthType Basic
  require valid-user
  AuthUserFile /etc/apache2/my_server_passwords

  Order Deny,Allow
  Deny from all
  Allow from 127.0.0.1 ::1
  Allow from localhost
  Allow from 10.0.0.0/8
  Allow from 192.0.0.0/8
  Satisfy Any
</Location>

Or what about using LDAP as described in this article? Config from that article here, but adding the Allow from… from above:

<Location /protected>
  # Service account used to bind to the directory for the user lookup
  AuthLDAPBindDN "CN=John Doe,OU=IT Department,OU=Germany,DC=example,DC=com"
  AuthLDAPBindPassword "XXX"
  # Where to search for the user: the login name is matched against sAMAccountName
  AuthLDAPURL "ldap://IP-DOMAIN-CONTROLLER/ou=Germany,dc=example,dc=com?sAMAccountName?sub?(objectClass=*)"

  AuthType Basic
  AuthName "USE YOUR WINDOWS ACCOUNT"
  AuthBasicProvider ldap
  # Important, otherwise "(9)Bad file descriptor: Could not open password file: (null)"
  AuthUserFile /dev/null
  require valid-user

  # Deny by default: without these two lines every host is allowed and
  # "Satisfy Any" would admit anyone without authenticating.
  Order Deny,Allow
  Deny from all
  Allow from 127.0.0.1 ::1
  Allow from localhost
  Allow from 10.0.0.0/8
  Allow from 192.0.0.0/8
  Satisfy Any
</Location>
Giacomo1968
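The same "password or trusted address" construct in Apache 2.4 syntax, as an added example (not from the answer above). The `Order`/`Deny`/`Allow`/`Satisfy` directives are the 2.2 access model; in 2.4 they are replaced by `Require` blocks, and `<RequireAny>` expresses exactly what `Satisfy Any` did. The password file path is taken from the answer; the network ranges are assumptions, and 192.0.0.0/8 from the answer has been narrowed to 192.168.0.0/16, because only that /16 is a private (RFC 1918) range and the rest of 192.0.0.0/8 is public address space.

```apache
# Added example, not part of the original answer. Apache 2.4 form of the
# "Satisfy Any" configuration above.
<Location /protected>
  AuthType Basic
  AuthName "My Protected Server"
  AuthBasicProvider file
  AuthUserFile /etc/apache2/my_server_passwords

  # A request is admitted if ANY one of these is true: it comes from one
  # of the listed addresses, or it carries valid credentials.
  <RequireAny>
    Require ip 127.0.0.1 ::1
    Require ip 10.0.0.0/8
    # Only 192.168.0.0/16 is private; 192.0.0.0/8 would admit public hosts.
    Require ip 192.168.0.0/16
    Require valid-user
  </RequireAny>
</Location>
```

Two things to keep in mind with this pattern: a client matching an `ip` clause is never asked to authenticate, so `REMOTE_USER` is empty for it and the application cannot tell who it is; and if a reverse proxy or load balancer sits in front of Apache, the source address Apache sees is the proxy's, so every request through it would match the local range. In that case drop the `ip` clauses or use `mod_remoteip` so the real client address is evaluated.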

Could you not specify a user group rather than a user name, and then you can have a nice group of "AuthorizedWebUsers"?

BuildTheRobots
    The user group does not support wild cards either. I would like to state that "allow access from every user in the domain 'master'". Currently I have to list every user name I wish to grant access to my application. Obviously, this is not suitable in environments where the users are changing constantly. – Lauri Lehmijoki Jan 04 '10 at 07:39